[Esapi-user] [Esapi-dev] XSS on OWASP

Kevin W. Wall kevin.w.wall at gmail.com
Mon Jun 27 19:43:52 EDT 2011


On Mon, Jun 27, 2011 at 7:15 PM, Jeff Williams
<jeff.williams at aspectsecurity.com> wrote:
> I'm not sure exactly how he is rendering this static harmless java source code (that happens to contain some <script> tags) but this is *NOT* XSS or a browser bug. There's no user input!!!  The curse of the alert box proof of concept.
>
> On Jun 27, 2011, at 6:36 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:
>
>> A bug in IE 8 then.

Perhaps an overzealous anti-XSS component in IE 8, or more likely an
overly simplistic approach of just some regex matching devoid of any
context.

We see this type of thing all the time with a WAF we deployed. True
story: whenever this WAF sees an HTTP request where a user's
password contains a single quote, it reports the single quote as a
SQLi attack. When we checked their regex, it was extremely
naive; just looking for certain characters, and ' happened to be one of
them. Context is king. Apparently, this particular WAF or IE 8 never
learned that lesson. False positives galore.

This is one reason why ESAPI's validators should not suffer from
these false positives... there is context, and it is the developer who
provides it.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
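The two approaches contrasted in the message above, as an added example that is not part of the original thread and not ESAPI's or any WAF vendor's code. It is written in Python rather than Java, and the field names, the regex, the rule table and the sample requests are all constructed for illustration. The first function is a context-free "SQLi" pattern of the kind Kevin describes, applied to every value in a request; the second validates each field against a rule the developer chose for that field's context (a password may legitimately contain a single quote because it is only ever hashed and compared, never handed to a SQL parser), and the login query is parameterized so the quote is inert either way:

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed sample requests (form bodies already parsed into fields).
SAMPLE_REQUESTS = [
    {"username": "alice", "password": "O'Neil#2011"},           # legitimate quote
    {"username": "bob", "password": "hunter2-hunter2"},          # plain password
    {"username": "x' OR '1'='1' --", "password": "whatever"},    # attack-shaped username
]

# A context-free rule of the kind described in the post: any request value
# containing one of these tokens is flagged, regardless of which field it is in.
NAIVE_SQLI_REGEX = re.compile(r"['\";#]|--|\b(OR|AND|UNION|SELECT)\b", re.IGNORECASE)


def naive_waf_flags(request):
    """True if the context-free regex matches anywhere in the request."""
    return any(NAIVE_SQLI_REGEX.search(v) for v in request.values())


# Context-aware validation: the developer states, per field, what is allowed.
# Hypothetical rule table; ESAPI's real validator takes a context name and a
# configured rule in the same spirit, but this is not its configuration.
FIELD_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
    # Any printable ASCII, quotes included: the password's only destination is a
    # hash function, so SQL metacharacters are meaningless in this context.
    "password": re.compile(r"^[\x20-\x7e]{8,128}$"),
}


class ValidationError(ValueError):
    pass


def validate(context, value):
    """Validate value against the rule chosen for this context; raise on failure."""
    rule = FIELD_RULES.get(context)
    if rule is None:
        raise ValidationError(f"no validation rule for context {context!r}")
    if not rule.fullmatch(value):
        raise ValidationError(f"{context}: input does not match the allowed pattern")
    return value


def context_aware_errors(request):
    """Names of the fields that fail their own context's rule."""
    errors = []
    for field, value in request.items():
        try:
            validate(field, value)
        except ValidationError:
            errors.append(field)
    return errors


# Constructed salt; a real deployment uses a random per-user salt and a
# slow password hash (bcrypt, scrypt, Argon2) rather than this fixed PBKDF2 demo.
SALT = b"demo-salt-not-for-production"


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


def login_ok(conn, username, password):
    """Parameterized lookup: the quote in the password never reaches the SQL parser."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password))


def demo():
    """Run both checks and the login over the sample requests; return the outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash BLOB)")
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        ("alice", hash_password("O'Neil#2011")),
    )
    results = []
    for req in SAMPLE_REQUESTS:
        results.append({
            "username": req["username"],
            "naive_waf_flags": naive_waf_flags(req),
            "context_errors": context_aware_errors(req),
            "login_ok": login_ok(conn, req["username"], req["password"]),
        })
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running it shows the naive rule flagging alice's legitimate password and the attack-shaped username alike, while the per-context rules pass alice, pass bob, and reject only the username that actually violates its own rule; alice's login succeeds with the quote intact because the query is parameterized.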
