There was a recent blog post by Sjoerd Langkemper that walked through bypassing XSS filters. It's a great example of why, as a web developer, you should NOT write your own XSS filter, but instead use a trusted and vetted security library written and reviewed by the pros. By custom XSS (or SQLi) filter, I mean you should not try to write your own regular expressions, pattern matching, character blacklists, etc. It's just too complex and you're bound to miss something or make a mistake. You need to use a library that everybody else has reviewed and is known to be correctly written and secure.
In the post he provides a great example. There was a regex written to remove this malicious code:
And it would work great if the attacker followed the traditional pattern and entered malicious code like this
But what if the attacker varied a little bit and URL encoded the letter s?
Uh-oh, your attacker just bypassed your XSS filter and your website is vulnerable to XSS.
But guess what, you missed one (or probably many). What about onmouseenter?
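To make both bypasses concrete, here is an added Python example (not code from the original post or from Sjoerd Langkemper's write-up). It uses a constructed blacklist filter of the kind the post warns against, assumed to run on the raw parameter before the framework URL-decodes it, beside the correct approach of decoding first and then HTML-escaping the value for the text context it lands in.

```python
import html
import re
from urllib.parse import unquote

# Constructed blacklist of the kind the post warns against: strip "<script"
# and a few event handlers from the raw query-string value. It is not the
# regex from the original post.
NAIVE_BLACKLIST = re.compile(r"<script|onclick|onload|onerror", re.IGNORECASE)


def naive_filter(raw_value: str) -> str:
    """Apply the blacklist to the raw, still URL-encoded parameter value."""
    return NAIVE_BLACKLIST.sub("", raw_value)


def render_naive(raw_value: str) -> str:
    """Assumption: the filter runs BEFORE URL decoding, so an encoded
    byte such as %73 ('s') is invisible to it, and the decoded value is
    then written into the page unescaped."""
    return f"<p>Hello {unquote(naive_filter(raw_value))}</p>"


def render_safe(raw_value: str) -> str:
    """Decode first, then HTML-escape for the text context. No blacklist
    to keep up to date: every '<', '>', '&' and quote becomes an entity."""
    return f"<p>Hello {html.escape(unquote(raw_value), quote=True)}</p>"


def looks_executable(rendered: str) -> bool:
    """Crude check used only by this demo: does the rendered HTML still
    contain a live <script> tag or a tag carrying an on* handler?"""
    return bool(re.search(r"<script|<\w[^>]*\son\w+\s*=", rendered, re.IGNORECASE))


if __name__ == "__main__":
    samples = [
        "<script>alert(1)</script>",            # the textbook case the blacklist catches
        "<%73cript>alert(1)</script>",           # URL-encoded 's' slips past it
        "<img src=x onmouseenter=alert(1)>",     # handler the blacklist never listed
    ]
    for s in samples:
        print(f"{s!r:40} naive={looks_executable(render_naive(s))} "
              f"safe={looks_executable(render_safe(s))}")
```

`html.escape` is the right primitive for untrusted text inside an HTML element; if you must allow user-supplied markup, that is exactly the case for the reviewed sanitizer library the post recommends rather than a bigger blacklist.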
Please trust me when I say, you can't do it yourself. I would never attempt it and you shouldn't either. Use a trusted library that covers all these scenarios and has thought of all the things that you have forgotten.
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.