Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Filter Invasion
Posted by: huib
Date: September 30, 2006 02:17PM

hey!

i have found a website which allows <, as long as it's followed by a space..
if it's not, it filters the < until the first > (or until the line ends, if no > is available).

for instance: '<script>hey' will become: 'hey'
and '< script>hey' will just stay the same.
&# is removed, so &# can be produced with &&## or &<>#..

any details on evading this one would be nice!

thnx!

huib

Re: Filter Invasion
Posted by: rsnake
Date: September 30, 2006 05:04PM

We took this conversation offline... it was a long one... thanks Huib, I might write up parts of our conversation as I think they are noteworthy.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Filter Invasion
Posted by: lpilorz
Date: October 14, 2006 03:22PM

Maybe it will come in useful to someone...

An example of filter bypassing by mixing two vectors from the XSS Cheat Sheet - it took some time to find it, because @import and javascript were filtered inside style tags. It was however possible to cheat it with `:

<style a=`>` style="</style>">@import'javascript:alert("xss")';</style>

The filter assumed a=`> to be the end of the style tag, ` style=" to be the style sheet, and everything after the first </style> to be common text.

At the same time, the example below didn't work (tags were correctly recognized):
<style a=">" style="</style>">@import'javascript:alert("xss")';</style>

By the way, would you recommend any existing open-source XSS-filter script (PHP/Perl) that allows most of HTML+CSS and disables all active content?
I am currently looking through HTML::TagFilter and HTML Purifier, but maybe you know some other similar solutions.

Re: Filter Invasion
Posted by: rsnake
Date: October 14, 2006 03:54PM

That's pretty good. I've seen something similar before (not in the wild but in the lab during testing). I'm going to make a post today that's going to pretty much ruin this vector for you - as IE7.0 is dumping support for this. Stay tuned.

As far as filters, HTML Purifier is pretty good, but I've never been super excited about any of those things as they are still vulnerable to things like encoding issues etc... HTML Purifier has no (known) issues, but I'd rather disallow all HTML if I had the opportunity.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Filter Invasion
Posted by: lpilorz
Date: October 14, 2006 04:17PM

Unfortunately, some web pages just need HTML user input. But of course, if a site uses an HTML-enabling filter, it should be used only where really needed. If it is also used to filter URL params displayed on the page as attribute values, it is much harder to keep it safe. Even if such a filter is used, all data that does not need HTML should simply disallow HTML, as you wrote above.

Thanks for the info about HTML Purifier, I'll try it out for a while!

Re: Filter Invasion
Date: October 15, 2006 06:10PM

Well, if you want to be real picky, plain text can also have variable width encoding issues. Usually it doesn't result in XSS, as it's kind of difficult to get a variable width character to gobble up a quotation mark when the text is being inserted outside of an attribute, but that doesn't stop the user from inserting null bytes, malformed byte sequences, binary data, etc. You have to run iconv() or some other character encoding aware function on it to be truly safe: htmlentities / htmlspecialchars() just doesn't cut it.

Hopefully HTML Purifier will work out well for you. Just try not to run it on the data during page serves (do the filtering inbound or cache its output).

HTML Purifier - Standards Compliant HTML filtering

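The distinction drawn in the post above, as an added example (not code from this thread or from HTML Purifier, and written in Python rather than PHP): a byte-level escaper modelled on htmlspecialchars() passes a malformed UTF-8 lead byte and a NUL straight through, while a decode-then-escape path that insists on well-formed UTF-8 refuses them. The sample bytes are constructed for the demonstration.

```python
import html

# Constructed sample: a lone UTF-8 lead byte (0xC0, never valid in UTF-8)
# sitting right before a closing quote, plus a NUL later on. A lenient
# variable-width decoder may treat the lead byte as the start of a
# multi-byte character and consume the quote after it; a plain escaper
# never looks at either byte.
SAMPLE = b'caf\xc0" more \x00 text <b>'

def naive_escape(raw: bytes) -> bytes:
    """Escaping in the spirit of htmlspecialchars(): only the five ASCII
    metacharacters are rewritten, every other byte is copied verbatim."""
    return (raw.replace(b"&", b"&amp;")
               .replace(b"<", b"&lt;").replace(b">", b"&gt;")
               .replace(b'"', b"&quot;").replace(b"'", b"&#039;"))

# C0 control characters other than tab, LF and CR are not plain text.
CONTROL = set(range(0x20)) - {0x09, 0x0A, 0x0D}

def strict_escape(raw: bytes) -> str:
    """Encoding-aware path (the role iconv() plays in the post): the strict
    UTF-8 decoder rejects lone lead bytes, truncated and overlong sequences;
    control characters are rejected afterwards; only then is the text
    escaped. Raises ValueError so the caller can refuse the input outright
    instead of storing a mangled version of it."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"malformed byte sequence at offset {exc.start}") from exc
    if any(ord(ch) in CONTROL for ch in text):
        raise ValueError("control character in input")
    return html.escape(text, quote=True)

def naive_keeps_malformed_bytes(raw: bytes = SAMPLE) -> bool:
    """True when the escaper left both the bad lead byte and the NUL in place."""
    out = naive_escape(raw)
    return b"\xc0" in out and b"\x00" in out

def strict_rejects(raw: bytes = SAMPLE) -> bool:
    """True when the encoding-aware path refuses the input."""
    try:
        strict_escape(raw)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(naive_escape(SAMPLE))                      # 0xC0 and 0x00 survive
    print(strict_escape("caf\u00e9 <b>".encode()))   # valid input is escaped
    print(strict_rejects())                          # True
```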
Re: Filter Invasion
Posted by: rsnake
Date: October 15, 2006 09:12PM

Right, I've tested htmlentities and htmlspecialchars and they were ineffective at stopping variable width encoding issues. When I tested HTML Purifier it did a good job of that although I will say it seemed to gobble up/change stuff in odd ways - but I'll be honest, I didn't spend a lot of time debugging.

It's a great tool though, I recommend at least looking at it if you haven't already.

- RSnake
Gotta love it. http://ha.ckers.org
