What is Cross Site Scripting? Read about it on Wikipedia :)
But keep one thing in mind: the browser is to blame for everything. It does not matter whether it already supports HTML5 or still cannot handle PNG transparency. And since the customer is always right, I will tell you how to properly filter user-submitted content.
A bit about XSS
XSS lives on text that does not follow "the rules": markup that breaks them is what gets used to inject malicious code into a page. What the rules should be:
- The tag name is separated from its attributes only by the characters \r, \t, \n and space:
<a href="http://habrahabr.ru">Click</a> <!-- valid -->
<a\href="XSS">Click</a> <!-- invalid -->
- HTML entities in decimal / hexadecimal form must be converted to their plain form before any checks are applied:
&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116; -> javascript
- There is a set of tags that must not appear in user content at all. Do not forget HTML5 here: it added tags (for example audio and video) that let an attacker get code into the browser by substituting a scriptlet for the referenced resource.
- Prohibit DOM event handler attributes (onclick, onerror, onload and the rest).
- Forbid javascript: in inline attributes, and (attention!) vbscript: as well.
- Forbid IE-specific constructs in style, such as expression() and the proprietary behavior property.
Those are the main points; the existing types of attacks are described in more detail here.
How can I defend myself?
Most XSS prevention solutions apply blanket filtering of potentially dangerous constructs.
But let's look at this example:
<a href="http://habrahabr.ru">javascript:alert("Hello");</a>
The danger level of this code is zero: javascript:alert("Hello"); is the link text, not an attribute value, and the href is an ordinary URL. However, CodeIgniter returns the following (I did not check other frameworks; reports in the comments would be useful):
<a>[removed]alert("Hello");</a>
So CodeIgniter has fired a cannon at a sparrow: the harmless text was mangled and the link itself was lost.
There is a more flexible filter
Recently I have been developing my Platcode framework. But I did not come here to promote it, rather to talk about its XSS filter.
The principle of operation is simple: we parse the input string into tags / attributes / values, then apply filters that remove dangerous tags and attribute values. This way we avoid redundant filtering of the whole text and make targeted changes to tags and attributes separately. With this approach the example above keeps its original form. And the customer is happy.
Of the filter features:
- removing "dangerous" tags
- remove inline javascript / vbscript
- removing a style attribute that contains expression or behavior
- converting tag / attribute names to lowercase
- deletion of empty attributes
- automatic insertion of missing closing tags
- conversion of single tags of the form <br> to <br />
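As an added example (not code from the original post and not the Platcode filter itself), here is a parse-then-filter sanitizer in Python that implements both the rules listed above and the feature list of the filter: it tokenizes the fragment with the standard library's HTMLParser (which decodes entities and lowercases tag and attribute names for us), keeps only allowlisted tags and attributes, rejects javascript:, vbscript: and any other non-allowlisted scheme in href/src even when it is entity-encoded or split by whitespace, drops event handlers and style values containing expression or behavior, drops script/style together with their content, emits void tags as <br />, and balances the output by adding the closing tags the input forgot. The tag and attribute allowlist and the safe-scheme set are my own assumptions for the example; a real deployment would tune them. The harmless link from the CodeIgniter example above passes through unchanged.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlist for this example: tag -> attributes permitted on it.
# Anything not listed (script, iframe, object, embed, audio, video, ...) is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"}, "img": {"src", "alt", "title"},
    "p": {"style"}, "span": {"style"}, "br": set(), "b": set(), "i": set(),
    "em": set(), "strong": set(), "ul": set(), "ol": set(), "li": set(), "code": set(),
}
VOID_TAGS = {"br", "img"}            # emitted as <br />, never pushed on the open-tag stack
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed; everything else is rejected
RAW_TEXT_TAGS = {"script", "style"}  # their text content is code and vanishes with the tag
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
STYLE_BLOCKLIST = re.compile(r"expression|behavior", re.I)  # IE-only script vectors


def safe_url(value):
    """Return the URL if it is relative or uses an allowlisted scheme, else None."""
    # Browsers ignore control characters and whitespace inside the scheme, so
    # "java\tscript:" (or an entity-encoded newline, already decoded by the parser)
    # is still javascript:. Strip them before looking at the scheme.
    probe = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = SCHEME_RE.match(probe)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        return None
    return value.strip()


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True turns &#106;&#97;... into plain text before we see it
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []       # allowed tags still awaiting their closing tag
        self.in_raw_text = False  # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already lowercased the tag and attribute names.
        if tag in RAW_TEXT_TAGS:
            self.in_raw_text = True
            return
        if tag not in ALLOWED_TAGS:
            return  # dangerous or unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if not value:
                continue  # empty attribute: nothing worth keeping
            if name not in ALLOWED_TAGS[tag] or name.startswith("on"):
                continue  # unknown attribute, or a DOM event handler regardless of allowlist
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue  # javascript:, vbscript:, data:, ...
            if name == "style" and STYLE_BLOCKLIST.search(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s%s />" % (tag, "".join(kept)))
        else:
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.in_raw_text = False
            return
        if tag in self.open_tags:
            # Close everything opened after it as well, so the output stays balanced.
            while True:
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.in_raw_text:
            self.out.append(html.escape(data, quote=False))  # re-escape the decoded text

    def handle_comment(self, data):
        pass  # comments are dropped (IE conditional comments can carry markup)

    def result(self):
        self.close()
        while self.open_tags:  # add the closing tags the input forgot
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed inputs; the first is the harmless link from the post and is kept intact.
    for sample in (
        '<a href="http://habrahabr.ru">javascript:alert("Hello");</a>',
        '<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert(1)">x</a>',
        '<p style="width: expression(alert(1))">t<script>alert(1)</script><b>bold',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the decision is made per tag and per attribute after parsing, the link text javascript:alert("Hello"); survives untouched while the same string in an href is rejected; that is exactly the targeted behaviour the blanket regex filter cannot provide.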
The code is admittedly very poorly documented, but the functionality is fully working. Anyone interested in taking part in the project, or in trying to break the XSS filter, send me a private message.
UPD. The XSS filter is available for testing; let's hope it does not fall over from the Habr effect :)
UPD2. Thanks to the Habr community: bug reports and fixes are coming in neck and neck.
Respect to users:
insa ,
isis ,
recompileme ,
floppyformator , ICQ: 32523553