Sorry, just noticed a problem in that events filter.
(;|>) in the end should be just >
in case multiple statements.
It's a work in progress :)
-Joe
Joseph McGranaghan wrote:
I'm currently working on this problem for a website I'm building.
I found this:
(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|[vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|[EMAIL PROTECTED])\b)
from a mod_security list archive and am using it as a starting point.
I did a couple of searches on myspace security and got a bunch of good
leads.
I figure they have the most current experience with this.
Especially helpful in identifying harmful javascript patterns was the
explanation of the myspace samy worm.
Good insight.
I figure I'll keep modifying regular expressions that are kept in one
central class until I can't slip anything through.
I know other people are working on this stuff too; they'd have to be.
Be nice to share some discoveries guys :)
Here is an events filter I did this morning:
/*
 * events: whitespace eventname = "' javascript '" >
 *
 * If no ' or ", then goto last ) before >
 */
// The event-name alternatives are wrapped in one group so that the leading \s*
// and the trailing \s*=\s*(...) apply to every name, not just the first and last.
private final static String XSS_EVENTS_FILTER =
"\\s*(" +
"(on(abort|activate|afterprint|afterupdate))|" +
"(onbefore(activate|copy|cut|deactivate|editfocus|paste|update|print|unload))|" +
"(on(blur|cellchange|change|click|contextmenu|controlselect|copy|cut))|" +
"(ondata(available|setchanged|setcomplete))|" +
"(on(dblclick|deactivate))|" +
"(ondrag|(ondrag(end|enter|leave|over|start)))|" +
"(on(drop|error|errorupdate|filterchange))|" +
"(onfocus|(onfocus(in|out)))|" +
"(on(help|deactivate))|" +
"(onkey(down|press|up))|" +
"(on(layoutcomplete|load|losecapture))|" +
"(onmouse(down|enter|leave|move|out|over|up|wheel))|" +
"(onmove|(onmove(end|start)))|" +
"(on(page|paste|propertychange|readystatechange|reset|resize))|" +
"(onresize(end|start))|" +
"(onrow(enter|exit|delete|sdelete|inserted|sinserted))|" +
"(on(scroll|select|selectionchange|selectstart|submit|unload))" +
")\\s*=\\s*((\'.*\')|(\".*\")|(.*\\(.*(;|>)))";
If the user is trying to slip js in using whitespace instead of quotes,
it defaults to stripping everything including the end of tag >
Better me than them!
-Joe
Dale Newfield wrote:
rapsy wrote:
I am trying to find a best solution to prevent Cross site scripting
attacks.
Aren't we all.
The best suggestion I've found is in the first comment on
http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html
Basically the suggestion is to Tagsoup parse into XHTML in order to
filter and allow through only "safe" content. White lists are much
safer than black lists.
That is basically what I've implemented, but it's still not enough,
as I mention in the last comment there. Any suggestions on that
"next step"?
Doing this "correctly" means ensuring that my whitelists are accurate
and safe. For example, it seems nice to allow style attributes, but
is that safe? In order to allow css, maybe class attributes should be
allowed, but are id attributes necessary? Don't I then have to worry
about using any of those "ajax without javascript" .js libraries?
Because of those are there specific class attribute values I should
disallow?
It is clear that this filter is insufficient. For example, I want to
allow links, so href must be allowed in <a/> tags, but clearly I
don't want to allow that to be used as a way to trigger javascript so
I must explicitly check the content of this attribute. That brings us
right back to an ad-hoc collection of unescapeHtml/indexOf searches
(for script, eval, etc.). This seems sloppy and unless carefully
maintained likely to lead to XSS vulnerabilities for my users...
Is there an obvious next step that I'm missing? Does anyone have
available a table of "safe" tag/attribute combinations? This seems
like someplace where I'd rather trust someone with more
knowledge/experience than myself. Have only black-hats focused on
this problem? Seems ripe ground for a good open-source (white-hat)
tool...
-Dale
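Added example, not code from the thread or from TagSoup: an allow-list sanitizer in Java that covers both the event-handler stripping Joe's regex above attempts and the "table of safe tag/attribute combinations" plus href check Dale asks about. It assumes TagSoup (org.ccil.cowan.tagsoup.Parser) on the classpath and Java 9 or later; the ALLOWED table, the SAFE_SCHEMES list and the class name are starting-point assumptions of this example, not a vetted standard.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.ccil.cowan.tagsoup.Parser;          // TagSoup, assumed on the classpath
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/*
 * Added example, not code from the thread: TagSoup turns untrusted markup into SAX
 * events; this handler re-serialises only the tag/attribute pairs in ALLOWED and
 * checks URL attributes by scheme. Every on* handler, style, id and class attribute
 * is dropped simply by not being listed, so no per-name pattern is needed.
 */
public class AllowListSanitizer extends DefaultHandler {

    // Starter table of tag -> permitted attributes (an assumption; extend it deliberately).
    private static final Map<String, Set<String>> ALLOWED = new HashMap<>();
    static {
        for (String t : new String[] {"p", "b", "i", "em", "strong", "br", "ul", "ol", "li"}) {
            ALLOWED.put(t, Set.of());
        }
        ALLOWED.put("a", Set.of("href", "title"));
        ALLOWED.put("img", Set.of("src", "alt"));
    }
    private static final Set<String> URL_ATTRS = Set.of("href", "src");
    private static final Set<String> SAFE_SCHEMES = Set.of("http", "https", "mailto");
    private static final Set<String> VOID_TAGS = Set.of("br", "img");
    private static final Set<String> DROP_SUBTREE = Set.of("script", "style"); // text goes too
    // RFC 3986 scheme syntax; a value that does not match is treated as a relative URL.
    private static final Pattern SCHEME = Pattern.compile("^([a-z][a-z0-9+.-]*):");

    private final StringBuilder out = new StringBuilder();
    private int suppressDepth = 0;   // > 0 while inside a dropped subtree

    @Override public void startElement(String uri, String local, String qName, Attributes atts) {
        String tag = local.toLowerCase(Locale.ROOT);
        if (suppressDepth > 0) { suppressDepth++; return; }
        if (DROP_SUBTREE.contains(tag)) { suppressDepth = 1; return; }
        Set<String> okAttrs = ALLOWED.get(tag);
        if (okAttrs == null) return;             // unknown tag: drop the tag, keep its text
        out.append('<').append(tag);
        for (int i = 0; i < atts.getLength(); i++) {
            String name = atts.getLocalName(i).toLowerCase(Locale.ROOT);
            String value = atts.getValue(i);     // entities are already decoded by the parser
            if (!okAttrs.contains(name)) continue;
            if (URL_ATTRS.contains(name) && !safeUrl(value)) continue;
            out.append(' ').append(name).append("=\"").append(escape(value)).append('"');
        }
        out.append(VOID_TAGS.contains(tag) ? "/>" : ">");
    }

    @Override public void endElement(String uri, String local, String qName) {
        String tag = local.toLowerCase(Locale.ROOT);
        if (suppressDepth > 0) { suppressDepth--; return; }
        if (ALLOWED.containsKey(tag) && !VOID_TAGS.contains(tag)) {
            out.append("</").append(tag).append('>');
        }
    }

    @Override public void characters(char[] ch, int start, int length) {
        if (suppressDepth == 0) out.append(escape(new String(ch, start, length)));
    }

    // Accept relative URLs and absolute ones whose scheme is allow-listed. Browsers ignore
    // control characters and whitespace inside a scheme, so strip them before comparing.
    static boolean safeUrl(String raw) {
        String v = raw.replaceAll("[\\x00-\\x20]", "").toLowerCase(Locale.ROOT);
        Matcher m = SCHEME.matcher(v);
        return !m.find() || SAFE_SCHEMES.contains(m.group(1));
    }

    // Re-escape text and attribute values so the output is well-formed markup again.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static String sanitize(String untrustedHtml) throws Exception {
        AllowListSanitizer handler = new AllowListSanitizer();
        XMLReader reader = new Parser();         // TagSoup's tolerant HTML -> SAX parser
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(untrustedHtml)));
        return handler.out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a handler attribute, a good link, an entity-encoded scheme,
        // a script element and a tag that is not in the table.
        String sample = "<p onmouseover=\"x()\">Hi <a href=\"http://example.com/\" title=\"t\">link</a>"
            + " <a href=\"&#106;avascript:x()\">bad</a><script>x()</script><marquee>m</marquee></p>";
        System.out.println(sanitize(sample));
    }
}
```

Because the parser decodes entities before safeUrl runs, the entity-encoded link in the sample loses its href without any pattern for the encoded form, which is exactly the case a regex over raw markup never sees; the same parse-then-rebuild step is what makes the on* problem go away. The ALLOWED table is the "table of safe tag/attribute combinations" the message asks for, in starter form: style is deliberately absent (the mod_security pattern earlier in the thread shows why, with expression()), and each addition should be argued for individually rather than copied from a tag list.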
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]