Re: [Re: AppSec FAQ at OWASP]

[Omarjan Ismail <isumai-u () is aist-nara ac jp>]

In-Reply-To: <310iaCqnW6720S13.1075394388 () uwdvg013 cms usa net>

> Received: (qmail 10717 invoked from network); 29 Jan 
2004 16:27:08 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 29 Jan 2004 16:27:08 -
0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 22C9AA30B8; Thu, 29 Jan 2004 09:39:26 -0700 (MST)
> Mailing-List: contact webappsec-help () securityfocus com; run 
by ezmlm
> Precedence: bulk
> List-Id: <webappsec.list-id.securityfocus.com>
> List-Post: <mailto:webappsec () securityfocus com>
> List-Help: <mailto:webappsec-help () securityfocus com>
> List-Unsubscribe: <mailto:webappsec-
unsubscribe () securityfocus com>
> List-Subscribe: <mailto:webappsec-
subscribe () securityfocus com>
> Delivered-To: mailing list webappsec () securityfocus com
> Delivered-To: moderator for webappsec () securityfocus com
> Received: (qmail 7398 invoked from network); 29 Jan 
2004 17:04:51 -0000
> X-USANET-Auth: 165.212.8.13    AUTO 
sangita.pakala () paladion net uwdvg013.cms.usa.net
> Date: Thu, 29 Jan 2004 22:09:48 +0550
> From: Sangita Pakala <sangita.pakala () paladion net>
> To: <isumai-u () is aist-nara ac jp>
> Subject: Re: [Re: AppSec FAQ at OWASP]
> Cc: <webappsec () securityfocus com>
> X-Mailer: USANET web-mailer (CM.0402.7.03)
> Mime-Version: 1.0
> Message-ID: 
<310iaCqnW6720S13.1075394388 () uwdvg013 cms usa net>
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
>
>
> =E3=82=AA=E3=83=9E=E3=83=AB 
=E3=82=A4=E3=82=B9=E3=83=9E=E3=82=A4=E3=83=AB=
> <isumai-u () is aist-nara ac jp> wrote:
> > I would like to know that how you deal with the false positive?
> > In the case of " <img src=3D "javascript: preview(....)> or 
<img =
> > src=3D"javascript:window.close()>..etc..etc..
> > If you escape the "(" and ")" that means you render out the 
harmless =
> > Javascript too.
>
>
> I'm not sure if I've understood the issue, so pls correct me if I'm 
wrong=
> =2E You
> would not escape *every* '<' or '(' in the html page. You would 
only esca=
> pe
> those which come from user-supplied inputs in the first place. I 
assume t=
> hat
> the harmless calls to preview() and window.close() are *not* user 
supplie=
> d
> inputs, but part of the html page template. So, there shouldn't 
be false
> positives escaping '(' and ')' from content that came from user-
supplied
> inputs.
>
> Thanks,
> Sangita.

Sorry for not clearing up my question. When I asked the question I 
was reading a paper about
how to detect and prevent XSS by scanning  HTTP request and 
response messages, so I was assuming
that the escape occurs whenever there is "(" and ")" in the server 
responded HTML pages.

My mistake.

After I read the FAQ:

While I agree that it is an effective way to prevent
XSS while coding the application. But
due to the dynamic features of web applications
from different vendors and developers, it is
very uncertain to say whether their products are immune or 
always immune
for XSS attacks, let alone those already existing Web applications 
that don't validating
user input field.

Also, there are always some tricks that bypass the validation 
mechanism of those Web application.
The recent report on how Hotmail failed to validated the "--<link" 
and "--<iframe" in user field is a good example.
So I think it maybe the best way to prevent XSS by using the  Web 
application level firewall(if there is one).


Regards
~~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~
Omar ISMAIL
Internet Engineering Lab,
Graduate School of Information Science
Nara Institute of Science and Technology
Nara, Japan, 630-0101

Isumai-u () is aist-nara ac jp

~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~~~