[OWASP-Bangalore] Help with whitelists for protection against XSS

Chaitanya chaitanya.sharma at gmail.com
Mon Jun 15 08:20:44 EDT 2009


Hi Guys,

Thanks for all the replies... I found the Stinger project to be
pretty useful.  I tested it for a sample app against non-persistent
XSS and found it effective.  The question is, since Stinger encodes
the string, how would the DB (MySQL, Postgres) treat it?  Would the
special characters cause a problem or would it function smoothly?

Comments from anyone who has used it previously.

Regards,
Chaitanya

http://blog.chaitanyasharma.in



On Sun, Jun 14, 2009 at 2:22 AM, Swatej Kumar <Swatej.Kumar at mphasis.com> wrote:
> Thanks Rajiv.
>
> Regards,
> Swatej Kumar
>
> -----Original Message-----
> From: owasp-bangalore-bounces at lists.owasp.org on behalf of owasp-bangalore-request at lists.owasp.org
> Sent: Sat 6/13/2009 9:30 PM
> To: owasp-bangalore at lists.owasp.org
> Subject: OWASP-Bangalore Digest, Vol 19, Issue 19
>
> Send OWASP-Bangalore mailing list submissions to
>        owasp-bangalore at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.owasp.org/mailman/listinfo/owasp-bangalore
> or, via email, send a message with subject or body 'help' to
>        owasp-bangalore-request at lists.owasp.org
>
> You can reach the person managing the list at
>        owasp-bangalore-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OWASP-Bangalore digest..."
>
>
> Today's Topics:
>
>   1. Re: OWASP-Bangalore Digest, Vol 19, Issue 18 (Rajiv Vishwa)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 12 Jun 2009 23:07:14 +0530
> From: Rajiv Vishwa <rajivvishwa at gmail.com>
> Subject: Re: [OWASP-Bangalore] OWASP-Bangalore Digest, Vol 19, Issue 18
> To: owasp-bangalore at lists.owasp.org
> Message-ID: <3ea7730b0906121037h68fbaefbg81c7de18be01f4a7 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Swatej,
> It was very well articulated and to the point.
>
> Thanks
> Rajiv
> Security Consultant
>
>
> On Friday, June 12, 2009,  <owasp-bangalore-request at lists.owasp.org> wrote:
>> Today's Topics:
>>
>>   1. Re: Help with whitelists for protection against XSS (Swatej Kumar)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 12 Jun 2009 01:30:00 +0530
>> From: "Swatej Kumar" <Swatej.Kumar at mphasis.com>
>> Subject: Re: [OWASP-Bangalore] Help with whitelists for protection against XSS
>> To: <owasp-bangalore at lists.owasp.org>
>> Message-ID: <1D2CAFE5C009A4448FDEA321F108F3B256E7B1 at MPBABTPEX01.corp.mphasis.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>>
>> The best approach to validation is to accept only "Known Good" characters, i.e. the characters that are to be expected. If this cannot be done, the next strongest strategy is "Known Bad", where we reject all known bad characters. The issue with this is that today's known bad list may expand tomorrow as new technologies are added to the enterprise infrastructure.
>>
>> There are a number of models to think about when designing a data validation strategy, which are listed from the strongest to the weakest as follows.
>>
>> 1. Exact Match (Constrain)
>> 2. Known Good (Accept)
>> 3. Reject Known Bad (Reject)
>> 4. Encode Known Bad (Sanitise)
>>
>> In addition, there must be a check for maximum length of any input received from an external source, such as a downstream service/computer or a user at a web browser.
>>
>> Rejected data must not be persisted to the data store unless it is sanitised. It is a common mistake to log erroneous data, but that may be what the attacker wishes your application to do.
>>
>> 1. Exact Match (preferred method):
>>
>> Only accept values from a finite list of known values.
>> e.g.: A Radio button component on a Web page has 3 settings (A, B, C). Only one of those three settings must be accepted (A or B or C). Any other value must be rejected.
>>
>>
>> 2. Known Good:
>>
>> If we do not have a finite list of all the possible values that can be entered into the system, we use the known good approach.
>> e.g. for an email address, we know it shall contain one and only one @. It may also have one or more full stops ".". The rest of the information can be anything from [a-z] or [A-Z] or [0-9] and some other characters such as "_" or "-", so we let these ranges in and define a maximum length for the address.
>>
>>
>> 3. Reject Known Bad:
>>
>> We have a list of known bad values we do not wish to be entered into the system. This occurs on freeform text areas and areas where a user may write a note. The weakness of this model is that today's known bad may not be sufficient for tomorrow.
>>
>>
>> 4. Encode Known Bad:
>>
>> This is the weakest approach. This approach accepts all input but HTML encodes any characters within a certain character range. HTML encoding is done so if the input needs to be redisplayed the browser shall not interpret the text as script, but the text looks the same as what the user originally typed.
>>
>>
>>
>> 5. HTML-encoding and URL-encoding user input when writing back to the client:
>>
>> In this case, the assumption is that no input is treated as HTML and all output is written back in a protected form. This is sanitisation in action.
>>
>>
>>
>>
>> Also, Stinger (www.owasp.org/index.php/Category:OWASP_Stinger_Project) and ESAPI (www.owasp.org/index.php/ESAPI) can be of good help.
>>
>>
>>
>> Thanks & Regards
>> Swatej Kumar
>>
>>
>>
>>
>>
>>> >> >> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com> wrote:
>>> >> >> > Hi.
>>> >> >> >
>>> >> >> > I'm looking for help (tuts, papers, comments etc) related to using
>>> >> >> > whitelists for protection against XSS. I need to help some UI
>>> >> >> > developers implement whitelists in a java (JSP) project. Any help
>>> >> >> > from the community will be appreciated. I'm sure this discussion
>>> >> >> > will also profit others.
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> > Regards,
>>> >> >> > Chaitanya
>>> >> >> >
>>> >> >> > http://blog.chaitanyasharma.in
>>> >> >> >
>>> >> >> _______________________________________________
>>> >> >> OWASP-Bangalore mailing list
>>> >> >> OWASP-Bangalore at lists.owasp.org
>>> >> >> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>>> >> --
>>> >> warm regards,
>>> >> Akash Mahajan
>>> >> ----------------------------------------------------------
>>> >> Security Consultant, (Web / Networks /
>>> >> Servers / IT/ Virtualization)
>>> >> Founder Headstart Network Foundation
>>> >> ----------------------------------------------------------
>>> >> http://www.linkedin.com/in/akashm
>>> >> http://network.headstart.in
>>> >> ----------------------------------------------------------
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 10 Jun 2009 05:41:00 -0700 (PDT)
>> From: Sudhiranjan Mandal <sudhiranjan1959 at yahoo.com>
>> Subject: [OWASP-Bangalore] Reg New virus
>> To: owasp-bangalore at lists.owasp.org
>> Message-ID: <705975.40244.qm at web32107.mail.mud.yahoo.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Dear all,
>> There appears to be some confusion as to why I sent the message to the mailing list with an attachment.
>> I had myself received it from another source, and saved the message in my reference files, before sending it to this group.
>> I am sending the file again, this time as a 'cut and paste', below.
>>
>> The newest virus circulating is the UPS/Fed Ex Delivery Failure. You will
>> receive an email from UPS/Fed Ex Service along with a packet number. It will
>> say that they were unable to deliver a package sent to you on such-and-such a
>> date. It then asks you to print out the invoice copy attached.
>> DON'T TRY TO PRINT THIS. IT LAUNCHES THE VIRUS!
>> Pass this warning on to all your PC operators at work and home. This virus
>> has caused millions of dollars in damage in the past few days.
>>
>> Snopes confirms that it is real.
>> http://www.snopes.com/computer/virus/ups.asp
>>
>>
>>
>>
> _______________________________________________
> OWASP-Bangalore mailing list
> OWASP-Bangalore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>
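The validation models from Swatej's post (exact match, known good with a length cap, and encoding on output), worked through in Python as an added example; this is not code from the thread, from Stinger or from ESAPI. The field names, the allowed character ranges and the 254-character email limit are assumptions. Accepted input is kept exactly as typed, so the data store never sees encoded text; encoding happens only when a value is written back to the browser or into a log of rejected input.

```python
import html
import re

# Constructed example of the validation models in the post; the field names,
# allowed character ranges and the email length limit are assumptions.
RADIO_CHOICES = frozenset({"A", "B", "C"})      # model 1: exact match
EMAIL_MAX_LEN = 254                              # assumed maximum length
_EMAIL_PART = re.compile(r"[A-Za-z0-9._-]+")    # model 2: known-good ranges
NOTE_MAX_LEN = 500                               # freeform field (model 5)


def check_exact(value, allowed=RADIO_CHOICES):
    """Accept only a value from the finite list of known values."""
    return value in allowed


def check_email(addr):
    """Known good: one '@', dots allowed, [a-z][A-Z][0-9] plus '_' and '-',
    with the maximum length checked before anything else."""
    if len(addr) > EMAIL_MAX_LEN or addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    return bool(_EMAIL_PART.fullmatch(local)) and bool(_EMAIL_PART.fullmatch(domain))


def encode_for_html(text):
    """Model 5: encode on output so the browser shows the text as typed
    without interpreting it as markup; the stored value stays untouched."""
    return html.escape(text, quote=True)


def validate_form(form):
    """Split a submitted form into accepted fields (kept as typed) and
    rejected fields (HTML-encoded before logging, so the log itself is safe).
    Fields the form does not declare are rejected like any other bad value."""
    accepted, rejected = {}, {}
    checks = {
        "choice": check_exact,
        "email": check_email,
        "note": lambda s: len(s) <= NOTE_MAX_LEN,   # freeform: length only
    }
    for field, value in form.items():
        check = checks.get(field)
        if check is not None and check(value):
            accepted[field] = value
        else:
            rejected[field] = encode_for_html(value)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_form({"choice": "B", "email": "a.b@example.com",
                             "note": "O'Brien <b>hi</b>", "colour": "red"})
    print(ok, bad, encode_for_html(ok["note"]))
```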

