[OWASP-Bangalore] Help with whitelists for protection against XSS

Abhay Bhargav abhaybhargav at gmail.com
Wed Jun 10 10:59:57 EDT 2009


That is why the application has to be developed, keeping in mind the inputs
and their contents. Although XSS seems like an innocuous client side attack,
it is an attack usually aimed by one user of the application against another
user of the same web application. XSS (especially persistent) can result in
anything from a Denial of Service (a la Samy worm for Myspace) to a stealing
of session credentials (the introduction to XSRF) and in some cases even
launching an attack against another website without the user's knowledge
(XSS proxy). It is quite a serious issue, to be given enough respect.

Simple answer: Understand the application, understand its input and encoding
requirements and users (attacks may be also using foreign characters) and
then develop a whitelist.

Regards
Abhay

-- 
Linkedin -  http://www.linkedin.com/in/abhaybhargav

My Security Blog - http://citadelnotes.blogspot.com

Blog feeds - http://feeds2.feedburner.com/AbhayBhargavOnInformationSecurity



On Wed, Jun 10, 2009 at 5:34 PM, Prashanth Sivarajan <prash.siv at gmail.com>wrote:

> Oh ok that explains my main doubts .... Thanks.. The link echoes what you said
> here..Input has to be validated and output has to be encoded....
> But XSS is executed only at the client (browser)...so why take the pain of
> filtering the input ...for all you know those characters may mean something
> useful to the application itself.
>
>
>
> On Wed, Jun 10, 2009 at 5:10 PM, Akash <akashmahajan at gmail.com> wrote:
>
>> 2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
>> > Does that total encoding solution I mentioned have any drawbacks? Because
>> > it seems to be a simple solution but not many use it.
>>
>> Encoding HTML entities is an effective defence against XSS. But that
>> is for output. Whitelisting is meant to be used while taking input
>> for an app.
>>
>> Refer to the OWASP page on this
>> http://www.owasp.org/index.php/Top_10_2007-A1
>>
>> >
>> > On Wed, Jun 10, 2009 at 4:49 PM, Akash <akashmahajan at gmail.com> wrote:
>> >>
>> >> Yes, basically that is how it is supposed to work. But there are
>> >> different languages, character sets.
>> >>
>> >> < in one charset might be something else in another charset. This
>> >> also differs a lot based on different browsers. Behaviour in IE6/FF3.1
>> >> etc. can be different.
>> >>
>> >> Which is why whitelisting makes sense. But it is more effective when
>> >> introduced as part of the whole software development life cycle. The
>> >> link I have mentioned has many examples for this.
>> >>
>> >>
>> >> 2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
>> >> > I saw somewhere that everything that goes out of the server should be
>> >> > HTML encoded (no whitelisting). So the special meaning of all the
>> >> > non-alphanumerics is masked. Any comments on this?
>> >> >
>> >> > For example, a search string that contains XSS characters '<script'
>> >> > will be converted to &#60;script.
>> >> > The browser, when reading the encoded chars, will not interpret the
>> >> > special meaning of '<'; it will be displayed as '<', i.e. there is no
>> >> > double decoding.
>> >> >
>> >> >
>> >> > any comments on this?
>> >> >
>> >> > On Wed, Jun 10, 2009 at 3:48 PM, <raxitsheth2000 at gmail.com> wrote:
>> >> >>
>> >> >> You may find a lot of stuff here.
>> >> >>
>> >> >> www.xssed.com
>> >> >>
>> >> >> Happy (anti-)Hacking :)
>> >> >>
>> >> >> -Raxit Sheth
>> >> >> www.m4mum.com
>> >> >>
>> >> >> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com> wrote:
>> >> >> > Hi.
>> >> >> >
>> >> >> > I'm looking for help (tuts, papers, comments etc) related to using
>> >> >> > whitelists for protection against XSS. I need to help some UI
>> >> >> > developers implement whitelists in a Java (JSP) project. Any help
>> >> >> > from the community will be appreciated. I'm sure this discussion
>> >> >> > will also profit others.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > Regards,
>> >> >> > Chaitanya
>> >> >> >
>> >> >> > http://blog.chaitanyasharma.in
>> >> >> >
>> >> >> _______________________________________________
>> >> >> OWASP-Bangalore mailing list
>> >> >> OWASP-Bangalore at lists.owasp.org
>> >> >> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> warm regards,
>> >> Akash Mahajan
>> >> ----------------------------------------------------------
>> >> Security Consultant, (Web / Networks /
>> >> Servers / IT/ Virtualization)
>> >> Founder Headstart Network Foundation
>> >> ----------------------------------------------------------
>> >> http://www.linkedin.com/in/akashm
>> >> http://network.headstart.in
>> >> ----------------------------------------------------------
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>
>
>
>
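The two controls the thread keeps separate, a whitelist applied to input and HTML entity encoding applied to output, as an added Python example (not code posted by anyone in the thread; the username rule, the sample inputs and the `browser_renders` stand-in for a browser's single decoding pass are constructed assumptions):

```python
import html
import re
import unicodedata

# Input-side whitelist for a constructed username field: Unicode letters, digits,
# '.', '_' and '-', 3 to 32 code points. \w is Unicode-aware in Python 3, so a
# name with foreign characters such as 'Ramón' passes while markup does not.
USERNAME_RE = re.compile(r"[\w.\-]{3,32}")


def validate_username(value: str) -> bool:
    """Accept only what this field needs and reject everything else (whitelist).

    Normalize first so the same name in different Unicode forms is judged alike.
    """
    value = unicodedata.normalize("NFC", value)
    return USERNAME_RE.fullmatch(value) is not None


# Output-side encoding for an HTML text node, using the numeric entities from
# the thread ('<' becomes '&#60;'). Applied exactly once, at output time.
_ENTITY_MAP = {"&": "&#38;", "<": "&#60;", ">": "&#62;", '"': "&#34;", "'": "&#39;"}


def encode_for_html_body(value: str) -> str:
    """Neutralize the characters that carry meaning in HTML; leave the rest as-is."""
    return "".join(_ENTITY_MAP.get(ch, ch) for ch in value)


def browser_renders(encoded: str) -> str:
    """Stand-in for a browser decoding a text node: one pass, no double decoding."""
    return html.unescape(encoded)


def render_search_results(query: str) -> str:
    """A search string may legitimately contain '<' (e.g. 'a<b'), so it is not
    whitelisted down to alphanumerics; the output encoding protects the page."""
    return "<p>Results for: " + encode_for_html_body(query) + "</p>"


if __name__ == "__main__":
    for name in ("Ramón", "bob_99", "bob<script>", "ab"):   # constructed inputs
        print(f"{name!r:15} whitelist -> {validate_username(name)}")
    print(render_search_results("a<b"))                 # <p>Results for: a&#60;b</p>
    print(browser_renders(encode_for_html_body("a<b")))  # a<b, shown as text only
    # Encoding twice garbles legitimate output: the user sees a literal '&#60;'.
    print(browser_renders(encode_for_html_body(encode_for_html_body("<"))))
```

The last line shows why the encoding belongs at the single point where data enters the HTML response: a second pass turns `<` into `&#38;#60;`, which the browser displays as the text `&#60;`.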