WebApp Sec mailing list archives
Re: Fixing XSS Vulns
From: "Steven M. Christey" <coley () mitre org>
Date: Fri, 12 Aug 2005 17:56:17 -0400 (EDT)
Encoding on capture can also have a side effect that your output might wind up being double-encoded, which usually is not a security problem, but when you want to present a literal "<" to a user, you could wind up presenting ">" instead, or an unreadable "#38;". Lots of security web sites have this minor but notable issue; CVE's search engine once had it, and some of CVE's automatically extracted references have ">" as a result of double-encoding on other sites. The fix for that issue still involves identifying all the input/output areas of the application.

In addition, encoding things for XSS could actually help in exploit of other issues if the data winds up being used in another context, although I don't recall seeing any public vulnerabilities reported. Consider a ">" that gets encoded to ">" before a process executes commands - that could be an avenue for OS command injection.

To my way of thinking, you ultimately can't get out of taking data at all input borders and immediately decoding to the application's internal representation, then only encoding just before crossing output borders, and *only* doing the appropriate encoding for the needed representation for the output, and then ensuring that each distinct component does this properly. One implication for design might be to keep all "cross-border" transactions as centralized as possible, but I don't know how easy this can be done in practice. Not sure if this paragraph makes sense, so I apologize ahead of time.

And as I've noted before, over-reliance on white lists can fail if you apply a white list for representation "X" to an input that's later used for representation "Y". The phone number white list as noted by Stephen de Vries, for example, is subject to argument injection *if* the phone number is passed on a command line, and it's subject to data file corruption *if* "(" or "-" characters are special in the data file's format.
The white list can't entirely fix cross-border problems, although it obviously helps and should be done whenever possible. - Steve
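The three points in the post above (double-encoding from encode-on-capture, decode-at-input/encode-at-output with a per-context encoder, and a phone-number white list that is safe for HTML but not for a command line) can be shown in a few lines. The following is an added example written for this archive page, not code from the post or from any project it mentions; the `dialer` command, the whitelist pattern and the sample inputs are constructed assumptions.

```python
import html
import re
import shlex

# --- Border 1: input. Decode once into the internal representation (a plain str).
# Assumption: the web framework has already done the HTTP/URL-level decoding, so the
# only leftover encoding we might see is HTML entities from an earlier encode-on-capture.
def decode_at_input_border(raw: str) -> str:
    """Canonicalize to the application's internal form: a single HTML entity decode."""
    return html.unescape(raw)

# --- Border 2: output. One encoder per output representation, applied just before crossing.
def encode_for_html(value: str) -> str:
    """HTML text/attribute context."""
    return html.escape(value, quote=True)

def encode_for_shell_word(value: str) -> str:
    """A single word on a POSIX shell command line (metacharacters, not options)."""
    return shlex.quote(value)

# --- The anti-pattern from the post: encode at capture time, store the encoded form,
# then encode again at output. A literal "<" reaches the browser as "&amp;lt;".
def encode_on_capture_then_output(raw: str) -> str:
    stored = html.escape(raw, quote=True)   # "encoding on capture"
    return html.escape(stored, quote=True)  # encoded a second time at the template

# --- The pattern the post argues for: decode at the input border, encode once at output.
def encode_at_output_only(raw: str) -> str:
    return encode_for_html(decode_at_input_border(raw))

# --- A phone-number white list of the kind discussed in the thread (constructed).
# It is a fine *HTML* white list: none of these characters are HTML metacharacters.
PHONE_WHITELIST = re.compile(r"[0-9()\- ]+")

def phone_passes_whitelist(value: str) -> bool:
    return PHONE_WHITELIST.fullmatch(value) is not None

def leading_dash_survives_shell_quoting(value: str) -> bool:
    """shlex.quote neutralizes shell metacharacters only; a value beginning with '-'
    still looks like an option to the receiving program (argument injection)."""
    return encode_for_shell_word(value).startswith("-")

def build_dialer_argv(phone: str) -> list[str]:
    """Encoding for the command-line representation: no shell at all (argv list),
    and '--' so the program treats the phone number as an operand, never an option.
    'dialer' is a hypothetical program used for illustration."""
    return ["dialer", "--", phone]

if __name__ == "__main__":
    print(encode_on_capture_then_output("<"))   # &amp;lt;  (double-encoded)
    print(encode_at_output_only("<"))           # &lt;
    print(encode_at_output_only("&lt;"))        # &lt;  (stale encoded input normalized)
    sample = "-555 (123)"                       # constructed: passes the phone white list
    print(phone_passes_whitelist(sample), leading_dash_survives_shell_quoting(sample))
    print(build_dialer_argv(sample))
```

The white list and the HTML encoder are both correct for their own representation; the problem only appears when the same value crosses a different border, which is why each border needs its own encoder and why the argv/`--` form, not quoting, is the right encoding for the command-line representation.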
Current thread:
- Fixing XSS Vulns wilsonc (Aug 12)
- Re: Fixing XSS Vulns Petko Petkov (Aug 12)
- Re: Fixing XSS Vulns RSnake (Aug 12)
- Re: Fixing XSS Vulns Tim (Aug 12)
- Re: Fixing XSS Vulns Stephen de Vries (Aug 12)
- RE: Fixing XSS Vulns yeesan wong (Aug 14)
- <Possible follow-ups>
- RE: Fixing XSS Vulns Smith, Johnathon (KEYPEOPLE RESOURCES INC) (Aug 12)
- Re: Fixing XSS Vulns Steven M. Christey (Aug 12)
- Re: Fixing XSS Vulns Tim (Aug 13)
- RE: Fixing XSS Vulns Jeff Robertson (Aug 12)
- RE: Fixing XSS Vulns Cyrill Osterwalder (Aug 15)