WebApp Sec mailing list archives

Re: Fixing XSS Vulns


From: "Steven M. Christey" <coley () mitre org>
Date: Fri, 12 Aug 2005 17:56:17 -0400 (EDT)


Encoding on capture can also have a side effect that your output might
wind up being double-encoded, which usually is not a security problem,
but when you want to present a literal "<" to a user, you could wind
up presenting "&gt;" instead, or an unreadable "#38;".  Lots of
security web sites have this minor but notable issue; CVE's search
engine once had it, and some of CVE's automatically extracted
references have "&gt;" as a result of double-encoding on other sites.

The fix for that issue still involves identifying all the input/output
areas of the application.

In addition, encoding things for XSS could actually help in the exploitation of
other issues if the data winds up being used in another context,
although I don't recall seeing any public vulnerabilities reported.
Consider a ">" that gets encoded to "&gt;" before a process executes
commands - that could be an avenue for OS command injection.

To my way of thinking, you ultimately can't get out of taking data at
all input borders and immediately decoding to the application's
internal representation, then only encoding just before crossing
output borders, and *only* doing the appropriate encoding for the
needed representation for the output, and then ensuring that each
distinct component does this properly.  One implication for design
might be to keep all "cross-border" transactions as centralized as
possible, but I don't know how easy this can be done in practice.  Not
sure if this paragraph makes sense, so I apologize ahead of time.

And as I've noted before, over-reliance on white lists can fail if you
apply a white list for representation "X" to an input that's later
used for representation "Y".  The phone number white list as noted by
Stephen de Vries, for example, is subject to argument injection *if*
the phone number is passed on a command line, and it's subject to data
file corruption *if* "(" or "-" characters are special in the data
file's format.  The white list can't entirely fix cross-border
problems, although it obviously helps and should be done whenever
possible.

- Steve
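The two points in the message above (encode-on-capture produces double-encoded output, and the encoder for one output border does nothing for another border's syntax, so a white list written for one representation can still be abused at a different border), as an added example that is not part of the original post or of any project it mentions. The function names, the phone-number white list regex and the "dial" program name are assumptions made here for illustration; the inputs are constructed.

```python
"""Added example (not from the original post): encode-on-capture versus
decode-at-input / encode-per-output-border, using only Python's standard library."""
import html
import re
import shlex
from urllib.parse import unquote_plus

# Characters a POSIX shell treats specially; used only to *detect* that an
# HTML-encoded value is still dangerous at a command-line border.
SHELL_META = set(';&|<>`$(){}\n')


# --- anti-pattern: encode at the input border --------------------------------
def capture_encoded(raw_query_value: str) -> str:
    """Store an HTML-escaped copy at capture, as if XSS were fixed on input."""
    return html.escape(unquote_plus(raw_query_value), quote=True)


def render_html(stored: str) -> str:
    """The HTML output border must escape anyway, so the stored copy is escaped twice."""
    return html.escape(stored, quote=True)


# --- recommended pattern: decode on input, encode just before each output ----
def capture_decoded(raw_query_value: str) -> str:
    """Undo the transport encoding (URL percent-encoding); keep one internal form."""
    return unquote_plus(raw_query_value)


def to_html_text(value: str) -> str:
    """HTML text/attribute border."""
    return html.escape(value, quote=True)


def to_argv(program: str, value: str) -> list:
    """Command-line border: an argv list (no shell), with '--' so that a value
    starting with '-' (which a phone white list may allow) is never parsed as an option.
    'program' is a hypothetical tool name supplied by the caller."""
    return [program, "--", value]


def to_shell_line(argv: list) -> str:
    """Only if a shell command string is unavoidable: quote every argument separately."""
    return " ".join(shlex.quote(a) for a in argv)


def html_encoding_leaves_shell_meta(value: str) -> bool:
    """True when the HTML-encoded form still carries shell metacharacters,
    i.e. the HTML border's encoder did nothing for the command-line border."""
    return bool(SHELL_META & set(to_html_text(value)))


# --- a white list for one representation, reused at another border ----------
PHONE_WHITELIST = re.compile(r"^[0-9()\- ]+$")  # assumed phone-number white list


def phone_ok(value: str) -> bool:
    """Accepts digits, parentheses, hyphens and spaces; says nothing about argv rules."""
    return PHONE_WHITELIST.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed inputs: a literal '<' sent percent-encoded, and a bare '>'.
    print(render_html(capture_encoded("%3C")))        # &amp;lt;  -> user sees "&lt;"
    print(to_html_text(capture_decoded("%3C")))       # &lt;      -> user sees "<"
    print(html_encoding_leaves_shell_meta(">"))       # True: "&gt;" contains '&' and ';'
    phone = "-1234"                                   # passes the white list...
    print(phone_ok(phone), to_argv("dial", phone))    # ...but starts with '-'
    print(to_shell_line(to_argv("dial", "(555) 123-4567")))
```

The `capture_encoded`/`render_html` pair is the "&amp;lt;" symptom described in the message; the `capture_decoded`/`to_html_text`/`to_argv` trio keeps one internal representation and picks the encoder at the output border. Note that `to_argv` still relies on the called program honouring `--`; the white list alone cannot express that rule.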

