Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 

Current Page: 1 of 1
Results 1 - 24 of 24
5 years ago
mlemos
sirdarckcat, unsafe URL checking was just fixed to properly determine URL schemes before checking against the white list.
Forum: Projects
5 years ago
mlemos
thornmaker, you are right. I think it is safer to consider that a comment ends after the -- and > characters even if there are any characters in between. I just nailed that vector now.
Forum: Projects
5 years ago
mlemos
mario, that vector was already handled. If you try it, you may see that the class closes the img tag and the onerror attribute becomes data. At most what I can do better with that case is to encode the " character that was moved to data, but that is harmless.
Forum: Projects
5 years ago
mlemos
Ok, I think I nailed all the vectors presented so far. Please check them again in the test page and let me know of any other vectors you find out it failed.
Forum: Projects
5 years ago
mlemos
thornmaker, I just nailed that end comment variant and updated the test site. Anyway, it is a bit odd. The HTML documentation says SGML comments may end with -- followed possibly by whitespace before the >. So maybe I should also consider that possibility. However, adding whitespace between -- and > does not make at least Firefox treat it as end comment, but using a ! does it. Is this
Forum: Projects
5 years ago
mlemos
rvdh, a lot of people went to the PHPClasses site, if not to use stuff available there, at least to research existing solutions for their purposes. I just would not guess who you are because your alias rvdh does not ring any bells to me. Maybe if you tell me your real name, I may remember! ;-)
Forum: Projects
5 years ago
mlemos
mario, I nailed those vectors with encoded entities in the middle of javascript URLs. BTW, when you put the vector <a href="javas\0cript:alert(1)">x</a> do you mean that \0 is the NUL character or a slash character \ followed by the character zero 0 ? I only nailed the first case.
Forum: Projects
5 years ago
mlemos
Gareth, no problem. Meanwhile I tackled that case. You may want to try again now. I think I still need to deal with CSS comments, as they seem to be allowed in the middle of style values.
Forum: Projects
5 years ago
mlemos
Gareth, relax, it would be silly for me to distribute PHP source code with backdoors, especially when it is easy for anybody to read the source. Anybody that knows me is aware that I am a trustworthy person and I would never do anything like that. But it's OK, I suppose you do not know me and you are not willing to take chances. Anyway, I just added a page with a form on which you can try an
Forum: Projects
5 years ago
mlemos
Garrett, the package comes with a test script named test_safe_html_filter.php that you can use to try it. The two classes that are not inside the package are not really required, but as I mentioned they may be obtained here: http://www.phpclasses.org/filecache (This is for caching DTD, although caching is optional) and cvs -z3 -d :pserver:cvsread@cvs.meta-language.net:/opt2/ena/metal
Forum: Projects
5 years ago
mlemos
Hello, I finally released my secure HTML parser and filter. It is a bunch of PHP classes that aim to parse and filter insecure HTML mainly to avoid XSS attacks. Below follows a more detailed definition. The goal of this package is not to compete with existing packages for similar purposes, but rather to address needs that I had and could not be fulfilled by existing solutions. I am ann
Forum: Projects
5 years ago
mlemos
sirdarckcat, maybe a drastic solution is the way to go, like dropping all CSS properties that start with a non-whitelisted URL scheme name followed by colon. I am just not sure if this may drop many cases of valid properties that are not really URLs but could start with javascript: or some dangerous URL scheme. As for parsing CSS correctly, I have developed a PHP class just for that purpose. If you
Forum: XSS Info
5 years ago
mlemos
Mario, I already said I agree with you. White listing is the way to go. It is a lot of work to develop a safe solution, that will "eat your soul" to develop and maintain, just to use your words. But it is a work that must be done. We are not going anywhere just moaning that it is a difficult job, and it will be eventually impossible to avoid 0 day exploit discoveries, just like anti-viru
Forum: XSS Info
5 years ago
mlemos
Mario, if there is a browser that may handle that as a valid URL, even though it is not a standard way to specify a URL property value, it should always be filtered before publishing filtered untrusted HTML/CSS, as we never know what browser the user may have. The question is what should be the logic to detect and filter that and other CSS properties that take URLs? Shall I analyze all attributes
Forum: XSS Info
5 years ago
mlemos
Quote: I'm a bit in favor of white listing in any case, if you can. It sounds tempting to write a blacklist filter or something like it, but one also has to understand that if it fails to filter 1 single vector, it is 100% vulnerable. Since the potential of possible vectors is unknown, a filter based upon blacklisting will not be 100% secure, thus failing your objective to secure it. All it seems t
Forum: XSS Info
5 years ago
mlemos
Quote: > <img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode" alt="somecommand.php?somevariables=maliciouscode" /> HTML requires an alt attribute on all image tags (accessibility) Yes, it will silence the validators that complain of missing alt tags, but pasting the URI in there is not really making it more accessible. Imagine a screen
Forum: XSS Info
5 years ago
mlemos
Quote: Quote: If a hacker submits BBCode mixed with malicious HTML, your BBCode parser still has to be able to parse and detect invalid markup to filter it or discard it altogether. false, you receive BBcode, you HTML-entities-fy it and then parse the BBCode to HTML (checking for javascript: on image tags and urls, and etc..). you never parse any HTML.. HTML is disabled always. Admittedly I have
Forum: XSS Info
5 years ago
mlemos
Mario, rvdh, maybe I was not clear, but what I meant is that converting HTML to Javascript on the browser side will not avoid the fact that you still have to parse or sanitize BBCode that is submitted to the server. If a hacker submits BBCode mixed with malicious HTML, your BBCode parser still has to be able to parse and detect invalid markup to filter it or discard it altogether. BBCode i
Forum: XSS Info
5 years ago
mlemos
I do not think that the BBCode emulation solution that you are proposing would solve anything. You would only do at the browser side in Javascript what the server side application must do to parse and sanitize input, which always has to be done because a cracker can always forge HTTP requests to emulate submissions of whatever comes from the browser. Sanitizing BBCode or HTML is practically
Forum: XSS Info
5 years ago
mlemos
An HTML editor is mainly a DIV tag with CONTENTEDITABLE attribute set to true. Most browsers support that nowadays. Using BBCode is like making people walk to some place when they could drive cars to go there much faster and comfortably. People can have car accidents but that should not be the reason to avoid using cars. Imagine Google Docs using BBCode. It would be such an unusable solution
Forum: XSS Info
5 years ago
mlemos
rvdh, you are thinking of plain text content submission. Using a Web based HTML editor, users have a more friendly interface to format text like in word processing programs they are used to. The problem is that if you allow HTML to be submitted, crackers may build scripts that pretend to be real users and submit HTML with XSS attacks. That is why XSS filters are necessary. It is not impos
Forum: XSS Info
5 years ago
mlemos
I already tried htmlpurifier. Seems very extensive. It actually comes with a script to show the results of filtering XSS vectors from xssAttacks.xml. However, it does not come with a test suite for those vectors that compares the filtering results against expected results. I looked at its filtering results and some seem odd. Maybe it is a bug or I am misunderstanding something. I have not
Forum: XSS Info
5 years ago
mlemos
PaPPy, thanks for the response. I have analyzed several solutions but none satisfied my needs. Actually, the existence of multiple solutions is a reflection that each addresses the needs of different people. Anyway, I looked at the XSSED site that you mention. I only see a list of tested sites. Maybe I misunderstood what you said, but that is not what I am looking for. I already developed a capable
Forum: XSS Info
5 years ago
mlemos
I am working on an HTML parser that sanitizes eventually malformed HTML. On top of it I added an HTML filter that discards dangerous HTML that may be used in XSS attacks. I am using xssAttacks.xml to test the filter. It is a great feed of XSS vectors as it lets me have an idea of how much work I still need to do. Congratulations to the authors and maintainers. It is really a brilliant job. S
Forum: XSS Info