Tuesday, March 1, 2016

Don't Write your own XSS Filter

There was a recent blog post by Sjoerd Langkemper that walked through bypassing XSS filters. It's a great example of why, as a web developer, you should NOT write your own XSS filter, but instead use a trusted and vetted security library written and reviewed by the pros. By custom XSS (or SQLi) filter, I mean you should not try to write your own regular expressions, pattern matching, character blacklists, etc. It's just too complex and you're bound to miss something or make a mistake. You need to use a library that everybody else has reviewed and is known to be correctly written and secure.

In the blog post he provides a great example. There was a regex written to remove this malicious code:

(javascript\s*:)

And it would work great if the attacker followed the traditional pattern and entered malicious code like this:

<a href="javascript:alert('test')">link</a>

But what if the attacker varied a little bit and URL encoded the letter s?

<a href="java&#115;cript:alert('xss')">link</a>

Uh-oh, your attacker just bypassed your XSS filter and your website is vulnerable to XSS.

Here's another example of a decent regex to block javascript event attributes:

(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onload|onunload|onerror)=[^<]*(?=\>)

But guess what, you missed one (or probably many). What about onmouseenter?

<div onmouseenter="alert('xss')">

Please trust me when I say, you can't do it yourself. I would never attempt it and you shouldn't either. Use a trusted library that covers all these scenarios and has thought of all the things that you have forgotten.
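To make the point concrete, here is a small test harness, added to this post and not part of the original article or of Sjoerd Langkemper's write-up, that runs the two filters quoted above against the three inputs from this post. It approximates what a browser does with an attribute value (decoding character references such as `&#115;` before interpreting the URL) using Python's standard `html.unescape`, and it contrasts the blacklist approach with contextual output encoding from the standard library (`html.escape`), which is the kind of vetted, reviewed code the post recommends over a home-grown filter. The sample strings are the post's own; the function names, the assumption that the filters run case-insensitively, and the `browser_view` approximation are mine.

```python
import html
import re

# The two regular expressions quoted in the post, reproduced as written
# (case-insensitivity is an assumption; it only makes the filter stronger).
JS_URL_FILTER = re.compile(r"(javascript\s*:)", re.IGNORECASE)
EVENT_ATTR_FILTER = re.compile(
    r"(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove"
    r"|onmouseout|onmouseover|onmouseup|onload|onunload|onerror)=[^<]*(?=\>)",
    re.IGNORECASE,
)

# Constructed samples: the three inputs shown in the post.
SAMPLES = {
    "plain": "<a href=\"javascript:alert('test')\">link</a>",
    "entity": "<a href=\"java&#115;cript:alert('xss')\">link</a>",
    "onmouseenter": "<div onmouseenter=\"alert('xss')\">",
}


def regex_filter(untrusted: str) -> str:
    """The custom-filter approach: strip whatever the two blacklist patterns match."""
    cleaned = JS_URL_FILTER.sub("", untrusted)
    return EVENT_ATTR_FILTER.sub("", cleaned)


def browser_view(markup: str) -> str:
    """Hypothetical approximation of the browser: character references inside
    attribute values (e.g. &#115; -> 's') are decoded before the value is used
    as a URL, which is why a blacklist that never decodes them is blind."""
    return html.unescape(markup)


def encode_for_html(untrusted: str) -> str:
    """The library approach: contextual output encoding. The untrusted string
    becomes text; it can no longer open a tag or an attribute."""
    return html.escape(untrusted, quote=True)


def filter_survives(name: str) -> bool:
    """True if the payload is still live after the regex filter, judged on the
    string the browser would actually act on."""
    decoded = browser_view(regex_filter(SAMPLES[name]))
    has_js_url = "javascript:" in decoded.lower()
    has_event_handler = re.search(r"on\w+\s*=", decoded, re.IGNORECASE) is not None
    return has_js_url or has_event_handler


def encoded_is_inert(name: str) -> bool:
    """True if the encoded output contains no raw markup delimiters at all."""
    encoded = encode_for_html(SAMPLES[name])
    return not any(ch in encoded for ch in "<>\"'")


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:13s} regex filter bypassed: {filter_survives(name)!s:5s} "
              f"output encoding inert: {encoded_is_inert(name)}")
```

Running it shows the blacklist stopping only the textbook `javascript:` case, while both bypasses from the post reach the browser intact; the encoded form of every sample is inert because the decision was never about recognising bad input, only about rendering untrusted data as text in the context it lands in. That difference is what a reviewed library gives you and a private regex does not.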

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
