[OWASP-Bangalore] Help with whitelists for protection against XSS

Bipin Upadhyay muxical.geek at gmail.com
Wed Jun 10 08:03:40 EDT 2009


HTML encoding makes a lot of sense when (as Akash mentioned) the 
character-set usage is proper.

For example, in UTF-7, "+ADw-" implies "<" and "+AD4-" implies ">". 
Search for "Google UTF-7 XSS Vulnerability". It'll make things a bit 
clearer.

--Bipin Upadhyay.

Prashanth Sivarajan wrote:
>  Does that total encoding solution I mentioned have any drawbacks? 
> Because it seems to be a simple solution, but not many use it.
>
> On Wed, Jun 10, 2009 at 4:49 PM, Akash <akashmahajan at gmail.com> wrote:
>
>     Yes, basically that is how it is supposed to work. But there are
>     different languages and character sets.
>
>     '<' in one charset might be something else in another charset. This
>     also differs a lot between browsers. Behaviour in IE6/FF3.1
>     etc. can be different.
>
>     Which is why whitelisting makes sense. But it is more effective when
>     introduced as part of the whole software development life cycle. The
>     link I have mentioned has many examples of this.
>
>
>     2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
>     > I saw somewhere that everything that goes out of the server
>     > should be HTML encoded (no whitelisting). So the special meaning of
>     > all the non-alphanumerics is masked. Any comments on this?
>     >
>     > For example, a search string that contains the XSS characters
>     > '<script' will be converted to &#60;script.
>     > The browser, when reading the encoded chars, will not interpret the
>     > special meaning of '<'; it will be displayed as '<', i.e. there is
>     > no double decoding.
>     >
>     >
>     > Any comments on this?
>     >
>     > On Wed, Jun 10, 2009 at 3:48 PM, <raxitsheth2000 at gmail.com> wrote:
>     >>
>     >> You may find a lot of stuff here.
>     >>
>     >> http://www.xssed.com
>     >>
>     >> Happy (anti-)Hacking :)
>     >>
>     >> -Raxit Sheth
>     >> http://www.m4mum.com
>     >>
>     >> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com> wrote:
>     >> > Hi.
>     >> >
>     >> > I'm looking for help (tuts, papers, comments, etc.) related to
>     >> > using whitelists for protection against XSS. I need to help some
>     >> > UI developers implement whitelists in a Java (JSP) project. Any
>     >> > help from the community will be appreciated. I'm sure this
>     >> > discussion will also profit others.
>     >> >
>     >> >
>     >> >
>     >> > Regards,
>     >> > Chaitanya
>     >> >
>     >> > http://blog.chaitanyasharma.in
>     >> >
>     >> _______________________________________________
>     >> OWASP-Bangalore mailing list
>     >> OWASP-Bangalore at lists.owasp.org
>     >> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>     >>
>     >
>
>
>
>     --
>     warm regards,
>     Akash Mahajan
>     ----------------------------------------------------------
>     Security Consultant, (Web / Networks /
>     Servers / IT/ Virtualization)
>     Founder Headstart Network Foundation
>     ----------------------------------------------------------
>     http://www.linkedin.com/in/akashm
>     http://network.headstart.in
>     ----------------------------------------------------------
>

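The charset caveat Bipin and Akash raise, worked through as an added example (this is not code from anyone in the thread, nor OWASP's; the PAYLOAD string, the two encoders and all helper names are constructed for illustration). The model does what a browser does first: it decodes the response bytes with whatever charset it believes the page is in, and only then looks for a '<'. With the usual five-character entity encoding the UTF-7 bytes "+ADw-script+AD4-" contain nothing to encode, so they pass through and become <script> as soon as a browser that was given no charset guesses UTF-7. With the "encode every non-alphanumeric" variant Prashanth asked about, the '+' and '-' are encoded too, so in this model the UTF-7 shift sequence never forms. In both cases the dependable fix is an explicitly declared charset, so the browser never has to guess; the last function is that check.

```python
"""Output encoding vs. the charset the browser actually uses.

Added example, not code from the thread or from OWASP.  PAYLOAD, the two
encoders and the helper names are constructed for illustration.
"""
import html
import re

# Constructed payload: UTF-7 for "<script>alert(1)</script>".  In UTF-7 a '+'
# opens a modified-base64 run of UTF-16BE code units and '-' closes it, so
# "+ADw-" is '<' and "+AD4-" is '>'.  None of these bytes is one of the five
# characters a standard HTML entity encoder replaces.
PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def minimal_html_encode(untrusted: str) -> str:
    """Encode only & < > " ' (what most framework HTML escapers do)."""
    return html.escape(untrusted, quote=True)


def total_html_encode(untrusted: str) -> str:
    """Encode every character that is not an ASCII letter or digit as a
    numeric entity, the "encode everything" approach from the thread
    ('<script' becomes '&#60;script')."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#{ord(ch)};"
        for ch in untrusted
    )


def parser_input(encoded_output: str, browser_charset: str) -> str:
    """Step one in the browser: turn the response bytes into characters using
    the charset it believes the page is in (declared, or guessed when the
    server declares none).  Only after this does it look for '<'.
    The model assumes the encoded output is pure ASCII."""
    return encoded_output.encode("ascii").decode(browser_charset)


def introduces_markup(encoded_output: str, browser_charset: str) -> bool:
    """True if a '<' appears once the browser has decoded the encoded output
    with browser_charset, i.e. the output encoding did not hold."""
    return "<" in parser_input(encoded_output, browser_charset)


def text_shown(encoded_output: str, browser_charset: str) -> str:
    """What the user reads: entities resolved after the charset decoding."""
    return html.unescape(parser_input(encoded_output, browser_charset))


def content_type_declares_charset(content_type: str) -> bool:
    """The check that removes the guessing game: a Content-Type header value
    carrying an explicit charset parameter, e.g. 'text/html; charset=UTF-8'."""
    return re.search(r";\s*charset\s*=\s*[\w-]+", content_type, re.I) is not None


if __name__ == "__main__":
    minimal = minimal_html_encode(PAYLOAD)
    print("minimal encoder changed the payload:", minimal != PAYLOAD)
    print("browser uses declared UTF-8  :", repr(parser_input(minimal, "utf-8")))
    print("browser guesses UTF-7        :", repr(parser_input(minimal, "utf-7")))
    total = total_html_encode(PAYLOAD)
    print("total encoder, UTF-7 guessed :", repr(text_shown(total, "utf-7")))
    print("charset declared:", content_type_declares_charset("text/html; charset=UTF-8"))
```

Run it as a script to see the three views side by side; content_type_declares_charset is the piece to drop into a response filter or a test against your JSP pages. The model covers ASCII output and one guessed charset only; it is there to show why output encoding and an explicit charset have to go together, not to replace a framework encoder.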