[OWASP-Bangalore] Help with whitelists for protection against XSS

Swatej Kumar Swatej.Kumar at mphasis.com
Thu Jun 11 16:00:00 EDT 2009


The best approach to validation is to accept only "Known Good" characters, i.e. the characters that are expected. If this cannot be done, the next strongest strategy is "Known Bad", where we reject all known bad characters. The issue with this is that today's known bad list may expand tomorrow as new technologies are added to the enterprise infrastructure. 

There are a number of models to think about when designing a data validation strategy, which are listed from the strongest to the weakest as follows: 

1. Exact Match (Constrain) 
2. Known Good (Accept) 
3. Reject Known Bad (Reject) 
4. Encode Known Bad (Sanitise) 

In addition, there must be a check for maximum length of any input received from an external source, such as a downstream service/computer or a user at a web browser. 

Rejected data must not be persisted to the data store unless it is sanitised. It is a common mistake to log erroneous data, but that may be what the attacker wishes your application to do. 

1. Exact Match (preferred method): 

Only accept values from a finite list of known values. 
e.g. a radio button component on a web page has 3 settings (A, B, C). Only one of those three settings must be accepted (A, B or C). Any other value must be rejected. 


2. Known Good: 

If we do not have a finite list of all the possible values that can be entered into the system, we use the known good approach. 
e.g. an email address: we know it shall contain one and only one "@". It may also have one or more full stops ".". The rest of the information can be anything from [a-z], [A-Z] or [0-9] and some other characters such as "_" or "-", so we let these ranges in and define a maximum length for the address. 


3. Reject Known Bad: 

We have a list of known bad values we do not wish to be entered into the system. This occurs on freeform text areas and areas where a user may write a note. The weakness of this model is that today's known bad may not be sufficient for tomorrow. 


4. Encode Known Bad:

This is the weakest approach. It accepts all input but HTML-encodes any characters within a certain character range. HTML encoding is done so that if the input needs to be redisplayed the browser shall not interpret the text as script, but the text looks the same as what the user originally typed. 

5. HTML-encoding and URL-encoding user input when writing back to the client:

In this case, the assumption is that no input is treated as HTML and all output is written back in a protected form. This is sanitisation in action.




Also, Stinger (www.owasp.org/index.php/Category:OWASP_Stinger_Project) and ESAPI (www.owasp.org/index.php/ESAPI) can be of good help.



Thanks & Regards
Swatej Kumar
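The four validation models described in the reply above, written out as an added example in Java for the JSP project the original question mentions; this is not code from the message, from Stinger or from ESAPI. The class name, the radio-button options, the email pattern and the denylist tokens are assumptions chosen for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
public final class InputValidation {
    // 1. Exact Match: the radio-button case from the reply, only A, B or C may pass.
    private static final List<String> RADIO_OPTIONS = Arrays.asList("A", "B", "C");
    public static boolean exactMatch(String value) {
        return value != null && RADIO_OPTIONS.contains(value);
    }

    // 2. Known Good: exactly one '@' (the classes exclude it), letters, digits, '.', '_', '-',
    //    and a maximum length. The pattern is an illustrative assumption, not an RFC 5322 parser.
    private static final int MAX_EMAIL_LENGTH = 254;
    private static final Pattern EMAIL = Pattern.compile("^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$");

    public static boolean knownGoodEmail(String value) {
        return value != null && value.length() <= MAX_EMAIL_LENGTH && EMAIL.matcher(value).matches();
    }

    // 3. Reject Known Bad: a denylist for free-form notes. Weak by construction:
    //    tomorrow's bad token is absent from today's list (assumed tokens, for illustration).
    private static final List<String> KNOWN_BAD = Arrays.asList("<script", "javascript:");

    public static boolean rejectKnownBad(String value) {
        if (value == null) return false;
        String lower = value.toLowerCase();
        for (String bad : KNOWN_BAD) {
            if (lower.contains(bad)) return false;
        }
        return true;
    }

    // 4. Encode Known Bad / output encoding: turn the characters a browser would read as
    //    markup into entities, so the text redisplays as typed but is never parsed as script.
    public static String htmlEncode(String value) {
        if (value == null) return "";
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Models 1 to 3 run server-side on the request parameters before anything is stored or logged, while htmlEncode is applied at the point the value is written back into the page.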





> >> >> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com>
> wrote:
> >> >> > Hi.
> >> >> >
> >> >> > I'm looking for help (tuts, papers, comments etc) related to using
> >> >> > whitelists for protection against XSS.  I need to help some UI
> >> >> > developers
> >> >> > implement whitelists in a java (JSP) project.  Any help from the
> >> >> > community
> >> >> > will be appreciated. I'm sure this discussion will also profit
> >> >> > others.
> >> >> >
> >> >> >
> >> >> >
> >> >> > Regards,
> >> >> > Chaitanya
> >> >> >
> >> >> > http://blog.chaitanyasharma.in
> >> >> >
> >> >> _______________________________________________
> >> >> OWASP-Bangalore mailing list
> >> >> OWASP-Bangalore at lists.owasp.org
> >> >> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
> >> --
> >> warm regards,
> >> Akash Mahajan
> >> ----------------------------------------------------------
> >> Security Consultant, (Web / Networks /
> >> Servers / IT/ Virtualization)
> >> Founder Headstart Network Foundation
> >> ----------------------------------------------------------
> >> http://www.linkedin.com/in/akashm
> >> http://network.headstart.in
> >> ----------------------------------------------------------

------------------------------

Message: 2
Date: Wed, 10 Jun 2009 05:41:00 -0700 (PDT)
From: Sudhiranjan Mandal <sudhiranjan1959 at yahoo.com>
Subject: [OWASP-Bangalore] Reg New virus
To: owasp-bangalore at lists.owasp.org
Message-ID: <705975.40244.qm at web32107.mail.mud.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear all,
There appears to be some confusion as to why I sent the message to the mailing list with an attachment.
I had myself received it from another source, and saved the message in my reference files, before sending it to this group.
I am sending the file again, this time as a 'cut and paste', below:

The newest virus circulating is the UPS/Fed Ex Delivery Failure. You will receive an email from UPS/Fed Ex Service along with a packet number. It will say that they were unable to deliver a package sent to you on such-and-such a date. It then asks you to print out the invoice copy attached. 
DON'T TRY TO PRINT THIS. IT LAUNCHES THE VIRUS! 
Pass this warning on to all your PC operators at work and home. This virus has caused millions of dollars in damage in the past few days.

Snopes confirms that it is real. 
http://www.snopes.com/computer/virus/ups.asp


      



End of OWASP-Bangalore Digest, Vol 19, Issue 16
***********************************************




