WASC: Script Mapping Project release
Posted by: nEUrOO
Date: December 10, 2007 10:22AM

The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3.

The results can be found on the project page: http://www.webappsec.org/projects/scriptmapping/

Project Description:

The purpose of the Script Mapping Project is to come up with an exhaustive list of vectors to execute script within a web page without the explicit use of <script> tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an HTML whitelist system, as well as for other uses.

WASC is actively seeking volunteers from various sections of the community including penetration testers, security researchers, and developers to contribute to this project.

If you would like to be involved with the project or if you have comments about the results, test cases etc., please contact me.

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: WASC: Script Mapping Project release
Posted by: Gareth Heyes
Date: December 10, 2007 10:43AM

Nice work :) I'll send you some of my data from Tag Inspector if it proves useful. I'd suggest making this table a link on the XSS group as a sticky.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: WASC: Script Mapping Project release
Posted by: Anonymous User
Date: December 10, 2007 11:01AM

Very interesting - thx for sharing!

Re: WASC: Script Mapping Project release
Posted by: Anonymous User
Date: December 10, 2007 12:22PM

Not a rant, but seriously:

It's one of the poorest ideas so far. I mean, it's the same as photographing each object in this world that could be used to break a window of a house. Guess what, a stone does the same job as a shovel. Why collect them to pentest blacklist filters, which are bad a priori? How about unknown vectors? Yeah, they are unknown, so you don't know about them.

It's one argument why my SQL cheat sheet is small: it only gives the parts to construct the tools. But guess again: if you block the parts, you can't build a tool.

That means that we should stop making silly alert()s all over the place and think about the actual threats surrounding XSS, which aren't that many. XSS can be mitigated fairly easily by dropping blacklists, for instance. I guess it's pretty well known that it's a lost battle when we allow users to script data.

IMHO.



Edited 2 time(s). Last edit at 12/10/2007 12:29PM by Ronald.

Re: WASC: Script Mapping Project release
Posted by: Gareth Heyes
Date: December 10, 2007 12:28PM

@Ronald

To some extent I agree with what you say, but rather than use this information for blacklist filters, I would be using it for targeted fuzzing to create unknown vectors.


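The three positions above (the project description's "vectors without <script> tags", Ronald's "block the parts, not the tools", and Gareth's "use the matrix for fuzzing") can be seen side by side in code. The following is an added example, not code from the original thread or from the WASC project: it generates a small tag x event-handler matrix in the spirit of the Script Mapping table, runs every vector through a naive filter that only strips <script> tags, and then through an allowlist sanitizer built on Python's html.parser. The tag and handler lists are constructed for illustration; which combinations actually fire in IE7, Firefox 2 or Safari 3 is exactly what the project measures, and this list makes no claim about that.

```python
"""Added example (not the project's code or data): a constructed
tag x event-handler matrix run through a <script>-only blacklist and
through an allowlist sanitizer. Tag/handler lists are illustrative."""
import re
from html import escape, unescape
from html.parser import HTMLParser
from itertools import product

# Constructed matrix, not the project's measured results.
TAGS = ["img", "body", "input", "svg", "iframe", "a"]
HANDLERS = ["onload", "onerror", "onmouseover", "onfocus"]


def script_mapping_vectors(tags=TAGS, handlers=HANDLERS):
    """Every tag/handler pair plus a few javascript: URL variants.
    None of these uses a <script> tag, which is the point."""
    vectors = [f'<{t} {h}="alert(1)">' for t, h in product(tags, handlers)]
    vectors += [
        '<img src=x onerror=alert(1)>',              # unquoted attribute value
        '<a href="javascript:alert(1)">x</a>',
        '<a href="&#106;avascript:alert(1)">x</a>',  # entity-encoded scheme
        '<a href="java\tscript:alert(1)">x</a>',     # tab inside the scheme
    ]
    return vectors


SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def blacklist_filter(html):
    """The kind of filter the project description targets: strip <script> only."""
    return SCRIPT_TAG.sub("", html)


# Allowlist: the only tags and attributes that may survive. Event handlers
# are simply not listed, so they are dropped without being enumerated.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(),
           "img": {"src", "alt"}}
SAFE_URL = re.compile(r"^(https?://|mailto:|/|#)", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only allowed tags,
    allowed attributes and URLs whose scheme is on the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag: dropped entirely
        kept = []
        for name, value in attrs:  # html.parser has already decoded entities
            if name not in ALLOWED[tag]:
                continue
            value = value or ""
            if name in ("href", "src") and not SAFE_URL.match(value.strip()):
                continue  # javascript:, data:, vbscript: ... all fail the allowlist
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


HANDLER_ATTR = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
JS_URL = re.compile(r"javascript\s*:", re.IGNORECASE)


def still_has_script_vector(html):
    """Crude oracle for the demo: after resolving entities and stripping
    tabs/newlines, does the output still carry an on* handler or a
    javascript: URL?"""
    probe = re.sub(r"[\t\n\r]", "", unescape(html))
    return bool(HANDLER_ATTR.search(probe) or JS_URL.search(probe))


def surviving_vectors(filter_fn, vectors=None):
    """Vectors that pass through filter_fn with their payload intact."""
    if vectors is None:
        vectors = script_mapping_vectors()
    return [v for v in vectors if still_has_script_vector(filter_fn(v))]


if __name__ == "__main__":
    total = len(script_mapping_vectors())
    print(f"{len(surviving_vectors(blacklist_filter))}/{total} survive the <script> blacklist")
    print(f"{len(surviving_vectors(sanitize))}/{total} survive the allowlist sanitizer")
```

Every generated vector passes the <script> blacklist untouched, which is the whole case for the project's table as a test corpus. The allowlist lets none through, and it does so without ever having seen the matrix: the handlers and URL schemes are the "parts" Ronald refers to, and the allowlist blocks them by omission. The matrix generator is the seed for the targeted fuzzing Gareth describes; to extend it, add tags, handlers and encodings and record per browser which survivors actually execute.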
Re: WASC: Script Mapping Project release
Posted by: zeno
Date: December 10, 2007 02:58PM

This project isn't to promote blacklist filtering, but simply to provide the raw data that can be used in various ways, such as how Gareth would use it.

- zeno

Re: WASC: Script Mapping Project release
Posted by: Anonymous User
Date: December 10, 2007 03:23PM

Sure, that would be cool, but then you can also build a tool that does that randomly, and then you really find all the unknown stuff.

Thing is, I'm a bit afraid some kids will untar this database when it's completed, load it into a scanner and annoy me with 100 million different versions of alert(1,2,3) in my logs, thinking they hacked me. One thing I loathe about stuff like Acunetix and other scanners is that they run 500 tests which do the same thing and come up with zero vulnerabilities because they are based on one and the same principle, with few exceptions of course.

But how many vectors have the potential of becoming dangerous? I guess we can sum them up on a sheet of paper? I'm not talking about
alert(1)
but something that is useful. Anyone can XOR a variable in a SQL injection; that doesn't mean I'm vulnerable, you see. :))

I kinda followed the PHPIDS for too long, you see. :) Don't take it too harshly, I only want to give some counter feedback.

Re: WASC: Script Mapping Project release
Posted by: Anonymous User
Date: December 11, 2007 06:29AM

Well - I like the above mentioned project for one fact: Someone did the work and compiled a great matrix of event handlers combined with tags combined with browsers. It is very very useful - not only for security guys but for developers too.

I agree that automated scanners are sheer bull - I've been posting that opinion here and there over a long time period. Nothing replaces a manual audit. Nothing but a better manual audit. But when is a possible vuln really a vuln? Does an alert on a 'look-at-my-sweet-pet-site' count as vulnerability? Isn't the scenario or the context always the first factor that affects the impact?

I like what Gareth said - the matrix helps the fuzzer guys (Gareth) to create new methods of filter evasion (also Gareth *kidding*). And yes - blacklisting is not an option if it comes to actual protection - which doesn't count for a candy layer like the PHPIDS is.

Greetings,
.mario

Re: WASC: Script Mapping Project release
Posted by: nEUrOO
Date: December 11, 2007 04:46PM

Yeah, the idea is not really to do blacklisting, I think we all agree it's just a bad approach, but really to create vectors for different versions of browsers.
From the results we can see that they have different behaviour (which was obvious from, let's say, rsnake's XSS cheat sheet, but at least we try to have a real list of these unique cases).

I agree that it was not really explicit in the description, but it's really to find vectors for bypassing blacklist-based filters...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher
