There was a recent blog post by Sjoerd Langkemper that walked through bypassing XSS filters. It's a great example of why, as a web developer, you should NOT write your own XSS filter, but instead use a trusted and vetted security library written and reviewed by the pros. By a custom XSS (or SQLi) filter, I mean you should not try to write your own regular expressions, pattern matching, character blacklists, etc. It's just too complex and you're bound to miss something or make a mistake. You need to use a library that everybody else has reviewed and that is known to be correctly written and secure.
In the blog post he provides a great example. A regex was written to remove this malicious pattern:
(javascript\s*:)
And it would work great if the attacker followed the traditional pattern and entered malicious code like this:
<a href="javascript:alert('test')">link</a>
But what if the attacker varied a little bit and URL encoded the letter s?
<a href="javascript:alert('xss')">link</a>
Uh-oh, your attacker just bypassed your XSS filter and your website is vulnerable to XSS.
Here's another example of a decent-looking regex to block JavaScript event attributes:
(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onload|onunload|onerror)=[^<]*(?=\>)
But guess what: you missed one (or, more likely, many). What about onmouseenter?
<div onmouseenter="alert('xss')">
Please trust me when I say, you can't do it yourself. I would never attempt it and you shouldn't either. Use a trusted library that covers all these scenarios and has thought of all the things that you have forgotten.
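To make the post's point concrete, here is an added example (not code from the post or from Sjoerd Langkemper's article). It puts the two blacklist regexes quoted above into a filter function, runs them over the post's own inputs, and sets beside them an allowlist sanitizer built on Python's standard html.parser: tags and attributes that are not explicitly permitted are dropped, which covers every on* handler without having to enumerate them, and an href survives only if, after decoding, it starts with a recognised safe prefix. The allowed-tag table and safe-prefix list are assumptions chosen for the demo; the sample inputs are constructed. The allowlist class is here to show why that design holds where the regex fails, not to replace the vetted library the post tells you to use.

```python
import re
from html import escape, unescape
from html.parser import HTMLParser

# The two blacklist regexes quoted in the post, used here for comparison.
JS_URL_BLACKLIST = re.compile(r"(javascript\s*:)", re.IGNORECASE)
EVENT_BLACKLIST = re.compile(
    r"(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove|"
    r"onmouseout|onmouseover|onmouseup|onload|onunload|onerror)=[^<]*(?=\>)",
    re.IGNORECASE,
)


def blacklist_filter(html):
    """The approach the post argues against: strip the patterns you happened to think of."""
    html = JS_URL_BLACKLIST.sub("", html)
    return EVENT_BLACKLIST.sub("", html)


# Assumed policy for the allowlist sanitizer: tag -> attributes permitted on it.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(),
                "br": set(), "div": set()}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}          # tag and its text both discarded
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")


def safe_href(value):
    """Accept only hrefs that start with a known-safe prefix after normalisation."""
    # HTMLParser already entity-decodes attribute values; decode again defensively,
    # then drop whitespace and control characters before checking the prefix.
    normalized = "".join(ch for ch in unescape(value)
                         if ch.isprintable() and not ch.isspace()).lower()
    return normalized.startswith(SAFE_HREF_PREFIXES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitised output fragments
        self.open_tags = []    # stack used to keep the output well-formed
        self.skipping = None   # set while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                               # unknown tag: dropped, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                         # includes every on* attribute
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            while self.open_tags:                # close anything left open inside it
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")


def allowlist_sanitize(html):
    """Rebuild the fragment from a parse tree, keeping only what the policy permits."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed samples: the post's two bypasses plus a benign link.
    for sample in ('<a href="javascript:alert(\'test\')">link</a>',
                   '<div onmouseenter="alert(\'xss\')">hover</div>',
                   '<a href="https://example.com/?a=1&b=2">ok</a>'):
        print("blacklist:", blacklist_filter(sample))
        print("allowlist:", allowlist_sanitize(sample))
```

The blacklist leaves the onmouseenter handler untouched because it was never in the list, and it can only ever be as complete as the author's memory. The allowlist never sees that problem: an attribute that is not in the policy is dropped, whatever it is called, and an href is dropped unless it positively looks safe, so an unrecognised or oddly encoded scheme fails closed rather than slipping through.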
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.