sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Using regex to block XSS
Posted by: T06
Date: January 24, 2008 06:12PM

I was looking at using some regex with squid to detect URL based XSS before it gets to the users browser.

What comments does the community have about using this type of protection?

Re: Using regex to block XSS
Posted by: Anonymous User
Date: January 25, 2008 02:45AM


Re: Using regex to block XSS
Posted by: T06
Date: January 25, 2008 06:29AM

Care to elaborate?

Re: Using regex to block XSS
Posted by: Anonymous User
Date: January 25, 2008 06:52AM

Sure. The thing is that it's very hard if not impossible to craft a regex that can take care of input sanitation in any possible scenario. The link to the thread is here to illustrate the process of trying to create a system that is capable of solving this problem and that is 95% done but on the other hand will never be 100% complete.

Since you are talking about detection and not mitigation the thread should be worth a read for you - since that is what we do there.

Greetings,
.mario

Re: Using regex to block XSS
Posted by: kirke
Date: February 01, 2008 04:40AM

as .mario said: sanitation nearly impossible

I'd use a white list, in Perl something like:
m/^[a-zA-Z0-9]*$/ || die 'fuck off, not vulnerable';

Re: Using regex to block XSS
Posted by: Anonymous User
Date: February 01, 2008 06:52AM

Yep!

Another thing to mitigate the GET issues can be a couple of .htaccess rules that simply block dangerous stuff, but be careful with those.

RewriteCond %{HTTP_REFERER} ^(.*)(%00|%08|%09|%0A|%0B|%0C|%0D|%0E|%0F|%2C|<|>|')(.*) [NC,OR]
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{REQUEST_URI} ^(/,|/;|/<|/>|/'|/`|//////|/%2E%2E|/%17|/%18|%19|/%F8%80) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%00|%0A|%0B|%0C|%0D|%0E|%0F|%2C|%3C|%3E|%27)(.*) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)('|<|>|,|/|\\|\.a|\.c|\.t|\.d|\.p|\.i|\.e|\.j)(.*) [NC,OR]
RewriteCond %{HTTP_COOKIE} ^(.*)(<|>|'|%3C|%3E|%27)(.*) [NC]
RewriteRule ^(.*)$ error.php [NC]

It does, however, block most SQL and XSS attacks, not the exotic ones of course.

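The allowlist idea from kirke's post, applied per parameter and compared with the two QUERY_STRING conditions from the .htaccess post, as an added example that is not part of the original thread. The parameter names, their patterns and the sample query strings are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical per-parameter allowlist: names and patterns are assumptions
# made for this example, not taken from the thread.
ALLOWED = {
    "id": re.compile(r"[0-9]{1,10}"),
    "user": re.compile(r"[a-zA-Z0-9]{1,32}"),
    "file": re.compile(r"[a-zA-Z0-9_-]{1,64}\.(?:pdf|txt)"),
}

# The two QUERY_STRING conditions from the .htaccess post ([NC] -> re.I).
DENY = [re.compile(p, re.I) for p in (
    r"^(.*)(%00|%0A|%0B|%0C|%0D|%0E|%0F|%2C|%3C|%3E|%27)(.*)",
    r"^(.*)('|<|>|,|/|\\|\.a|\.c|\.t|\.d|\.p|\.i|\.e|\.j)(.*)",
)]


def allowlist_ok(query: str) -> bool:
    """Accept only known parameters whose decoded value fully matches its rule."""
    try:
        pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return False
    seen = set()
    for name, value in pairs:
        rule = ALLOWED.get(name)
        # fullmatch anchors both ends; unlike ^...$ it does not accept a
        # trailing newline after otherwise valid characters.
        if rule is None or name in seen or not rule.fullmatch(value):
            return False
        seen.add(name)
    return True


def denylist_blocks(query: str) -> bool:
    """True when either posted condition matches the raw query string."""
    return any(p.search(query) for p in DENY)


# Constructed sample query strings: benign traffic plus malformed input.
SAMPLES = ["id=42&user=alice", "file=report.pdf", "id=42%0A", "id=42&debug=1"]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q!r:22} allowlist_ok={allowlist_ok(q)} "
              f"denylist_blocks={denylist_blocks(q)}")
```

The benign `file=report.pdf` request is rejected by the posted deny rule because of its `\.p` alternative, which is the kind of side effect the "be careful with those" remark points at, while the allowlist accepts it and still rejects unknown parameters and values with a trailing newline.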

