That looks interesting, can I add that to my toolkit? One question though, it is a regexp pattern, right? So I assume it's evaluated for every request that comes into the system, isn't it kind of a performance load on the system? But I guess that is the only way to fight XSS.
-----Original Message-----
From: Joseph McGranaghan [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 15, 2007 4:46 PM
To: Struts Users Mailing List
Subject: Re: Cross site scripting issue

Sorry, just noticed a problem in that events filter. (;|>) in the end should be just > in case multiple statements. It's a work in progress :)

-Joe

Joseph McGranaghan wrote:
> I'm currently working on this problem for a website I'm building.
>
> I found this:
>
> on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|[vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|[EMAIL PROTECTED])\b)
>
> from a mod_security list archive and am using it as a starting point.
>
> I did a couple of searches on myspace security and got a bunch of good leads.
> I figure they have the most current experience with this.
>
> Especially helpful in identifying harmful javascript patterns was the explanation of the myspace samy worm.
> Good insight.
>
> I figure I'll keep modifying regular expressions that are kept in one central class until I can't slip anything through.
>
> I know other people are working on this stuff too, they'd have to be.
> Be nice to share some discoveries guys :)
>
> Here is an events filter I did this morning:
>
> /*
>  * events: whitespace eventname = "' javascript '"
>  *
>  * If no ' or ", then goto last ) before >
>  */
> private final static String XSS_EVENTS_FILTER =
>     "\\s*(on(abort|activate|afterprint|afterupdate))|"+
>     "(onbefore(activate|copy|cut|deactivate|editfocus|paste|update|print|unload))|"+
>     "(on(blur|cellchange|change|click|contextmenu|controlselect|copy|cut))|"+
>     "(ondata(available|setchanged|setcomplete))|"+
>     "(on(dblclick|deactivate))|"+
>     "(ondrag|(ondrag(end|enter|leave|over|start)))|"+
>     "(on(drop|error|errorupdate|filterchange))|"+
>     "(onfocus|(onfocus(in|out)))|"+
>     "(on(help|deactivate))|"+
>     "(onkey(down|press|up))|"+
>     "(on(layoutcomplete|load|losecapture))|"+
>     "(onmouse(down|enter|leave|move|out|over|up|wheel))|"+
>     "(onmove|(onmove(end|start)))|"+
>     "(on(page|paste|propertychange|readystatechange|reset|resize))|"+
>     "(onresize(end|start))|"+
>     "(onrow(enter|exit|delete|sdelete|inserted|sinserted))|"+
>     "(on(scroll|select|selectionchange|selectstart|submit|unload))"+
>     "\\s*=\\s*((\'.*\')|(\".*\")|(.*\\(.*(;|>)))";
>
> If the user is trying to slip js in using whitespace instead of quotes, it defaults to stripping everything including the end of tag
>
> Better me than them!
>
> -Joe
>
> Dale Newfield wrote:
>> rapsy wrote:
>>> I am trying to find a best solution to prevent Cross site scripting attacks.
>>
>> Aren't we all.
>>
>> The best suggestion I've found is in the first comment on
>> http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html
>>
>> Basically the suggestion is to Tagsoup parse into XHTML in order to filter and allow through only "safe" content. White lists are much safer than black lists.
>>
>> That is basically what I've implemented, but it's still not enough, as I mention in the last comment there. Any suggestions on that "next step"?
>>
>> Doing this "correctly" means ensuring that my whitelists are accurate and safe. For example, it seems nice to allow style attributes, but is that safe? In order to allow css, maybe class attributes should be allowed, but are id attributes necessary? Don't I then have to worry about using any of those "ajax without javascript" .js libraries? Because of those are there specific class attribute values I should disallow?
>>
>> It is clear that this filter is insufficient. For example, I want to allow links, so href must be allowed in <a/> tags, but clearly I don't want to allow that to be used as a way to trigger javascript so I must explicitly check the content of this attribute. That brings us right back to an ad-hoc collection of unescapeHtml/indexOf searches (for script, eval, etc.). This seems sloppy and unless carefully maintained likely to lead to XSS vulnerabilities for my users...
>>
>> Is there an obvious next step that I'm missing? Does anyone have available a table of "safe" tag/attribute combinations? This seems like someplace where I'd rather trust someone with more knowledge/experience than myself. Have only black-hats focused on this problem? Seems ripe ground for a good open-source (white-hat) tool...
>>
>> -Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
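The whitelist approach Dale describes (parse the markup, keep only known tags and attributes, and check the scheme of every href) as an added example in Python; this is not code from the thread, and the tag/attribute whitelist and the set of safe URL schemes are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Whitelist: tag -> attributes allowed on it. Anything not listed is dropped,
# which removes every on* event handler, style, class and id with one rule.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(),
           "br": set(), "ul": set(), "ol": set(), "li": set()}
VOID = {"br"}                       # never emit a closing tag for these
DROP_CONTENT = {"script", "style"}  # drop the tag and everything inside it
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_href(value):
    """Accept relative URLs and http(s)/mailto links; reject any other scheme."""
    # Browsers ignore tabs/newlines inside a scheme and leading whitespace, so
    # strip every ASCII control/space character before reading the scheme.
    scheme = urlparse("".join(ch for ch in value if ord(ch) > 32)).scheme
    return scheme == "" or scheme.lower() in SAFE_SCHEMES

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):  # names arrive lowercased, values unescaped
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED[tag] and v is not None
                    and (n != "href" or safe_href(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")
        # any other tag: markup dropped, its text still flows through handle_data

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag not in VOID and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # comments and doctypes are dropped

def sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Because the parser unescapes attribute values before the scheme check, entity-encoded or tab-broken schemes are judged on what the browser would actually see, which is the check the indexOf-style searches in the thread cannot do reliably.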