WebApp Sec mailing list archives
Re: [Re: AppSec FAQ at OWASP]
From: Omarjan Ismail <isumai-u () is aist-nara ac jp>
Date: 29 Jan 2004 21:03:26 -0000
In-Reply-To: <310iaCqnW6720S13.1075394388 () uwdvg013 cms usa net>
Sangita Pakala <sangita.pakala () paladion net> wrote (Thu, 29 Jan 2004 22:09:48 +0550):
> Omar Ismail <isumai-u () is aist-nara ac jp> wrote:
>
> > I would like to know how you deal with false positives. In the case of
> > <img src="javascript:preview(....)"> or <img src="javascript:window.close()">
> > ..etc..etc.. If you escape the "(" and ")" that means you render out the
> > harmless JavaScript too.
>
> I'm not sure if I've understood the issue, so please correct me if I'm
> wrong. You would not escape *every* '<' or '(' in the HTML page. You would
> only escape those which come from user-supplied inputs in the first place. I
> assume that the harmless calls to preview() and window.close() are *not*
> user-supplied inputs, but part of the HTML page template. So, there shouldn't
> be false positives escaping '(' and ')' from content that came from
> user-supplied inputs.
>
> Thanks,
> Sangita.
Sorry for not clearing up my question. When I asked the question I was reading a paper about how to detect and prevent XSS by scanning HTTP request and response messages, so I was assuming that the escaping occurs whenever there is a "(" or ")" in the HTML pages the server responds with. My mistake.

After I read the FAQ: while I agree that it is an effective way to prevent XSS while coding the application, due to the dynamic features of web applications from different vendors and developers it is very uncertain to say whether their products are immune, or always immune, to XSS attacks, let alone those already existing web applications that don't validate user input fields. Also, there are always some tricks that bypass the validation mechanisms of those web applications. The recent report on how Hotmail failed to validate "--<link" and "--<iframe" in a user field is a good example. So I think it may be best to prevent XSS by using a web application level firewall (if there is one).

Regards

~~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~
Omar ISMAIL
Internet Engineering Lab, Graduate School of Information Science
Nara Institute of Science and Technology
Nara, Japan, 630-0101
Isumai-u () is aist-nara ac jp
~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~~~
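The two approaches discussed in this exchange side by side, as an added example that is not code from the thread, from OWASP or from the paper Omar mentions: Sangita's point (escape the untrusted value at the point where it is inserted, and leave the template's own preview() and window.close() calls alone) against the response-scanning approach Omar first had in mind (post-process the finished HTML and encode every "(" and ")"). The template, the helper names (escapeHtml, renderProfile, naiveResponseFilter) and the sample payload are constructed for this example; the Hotmail bypass Omar refers to is not reproduced here.

```javascript
// Added example, not code from the original thread. Template, helper names
// and the sample payload below are constructed for illustration.

// Escaping for data placed into an HTML text node or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// The page template. preview() and window.close() are the developer's own
// calls, not user data, so a correct renderer emits them verbatim.
function renderTemplate(nameHtml) {
  return [
    "<script>",
    "  function showPreview() { preview(\"avatar\"); }",
    "  function done() { window.close(); }",
    "</script>",
    "<p>Welcome, " + nameHtml + "</p>",
  ].join("\n");
}

// Correct: only the user-supplied value is escaped, where it is inserted.
function renderProfile(displayName) {
  return renderTemplate(escapeHtml(displayName));
}

// Wrong: insert the value raw, then rewrite the whole response by
// entity-encoding every parenthesis, regardless of where it came from.
function naiveResponseFilter(displayName) {
  return renderTemplate(displayName)
    .replace(/\(/g, "&#40;")
    .replace(/\)/g, "&#41;");
}

// Constructed sample input in the shape discussed in the thread.
const PAYLOAD = '<img src="javascript:alert(document.cookie)">';

// Does the output still carry a live <img> tag that came from the user value?
function containsImgTag(html) {
  return /<img\s/i.test(html);
}

// Is the template's own script block still syntactically intact?
function templateScriptIntact(html) {
  return html.includes('preview("avatar");') && html.includes("window.close();");
}

console.log("--- escape at output ---\n" + renderProfile(PAYLOAD));
console.log("--- response-wide filter ---\n" + naiveResponseFilter(PAYLOAD));
```

Run it with node. With escape-at-output the injected tag is emitted as inert text (`&lt;img src=&quot;javascript:...`) and the script block is untouched. With the response-wide filter the result is the reverse of what was intended: inside the `<script>` element the entity `&#40;` is literal text, so `preview&#40;"avatar"&#41;;` is a syntax error in the developer's own code, while inside the injected tag's attribute the browser decodes `&#40;` back to `(` before evaluating the URL, so the filter removes nothing the attacker needs. That is why a filter that does not know whether a character came from the template or from the user cannot avoid both the false positive Omar asked about and the false negative at the same time.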
Current thread:
- Re: [Re: AppSec FAQ at OWASP] Sangita Pakala (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Omar Ismail (Jan 29)
- <Possible follow-ups>
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Philippe P. (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Philippe Prados (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Ulf Härnhammar (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Omarjan Ismail (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 30)