WebApp Sec mailing list archives
RE: whitelisting HTML tags
From: RSnake <rsnake () shocking com>
Date: Wed, 2 Nov 2005 09:05:43 -0800 (PST)
Allowing src in images doesn't prevent all types of XSS, as you can have it point to a valid-looking .jpg or .gif like http://somwhere.com/xss.jpg with an .htaccess file like:

Redirect 302 /xss.jpg http://victimsite.com/admin.asp&deleteuser

Or you can set up an alias to have it point to a CGI script that has more intelligence (if you're coming up with the idea to go and validate if it is a real image file).

If you haven't yet, please check out my XSS page for lots of ways around common filters, like the one below: http://ha.ckers.org/xss.html

On Wed, 2 Nov 2005, Jeff Robertson wrote:
> This is exactly the sort of thing I'm looking for. Anyone know of any libraries (preferably in Java) that already do this?
>
> Jeff Robertson
> Manager of Web Application Security
> Digital Insight
>
> -----Original Message-----
> From: Sverre H. Huseby [mailto:shh () thathost com]
> Sent: Wednesday, November 02, 2005 10:52
> To: Jeff Robertson
> Cc: 'webappsec () securityfocus com'
> Subject: Re: whitelisting HTML tags
>
> [Jeff Robertson]
> | I need to tell my development to limit the HTML tags allowed in
> | input to a subset that can't be used for XSS. Any guidelines for
> | this?
>
> You need three levels of whitelisting:
>
> * For allowed _tags_
>
> * For allowed _attributes_ for the allowed tags (separate attribute
>   whitelist for each tag)
>   To avoid e.g. onload, onclick and stuff
>   If you allow an "img" tag, you could allow the "src" and "alt"
>   attributes, and discard the rest.
>
> * For allowed _attribute_values_ for the allowed attributes
>   To avoid e.g. href="javascript:..."
>   You would allow src="http:..." and src="ftp:", and discard the rest.
>
> Sverre.
>
> --
> shh () thathost com   My web security book: Innocent Code
> http://shh.thathost.com/   http://innocentcode.thathost.com/
-R

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful.
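[Editor's note: the following is an added example, not code from anyone in the thread and not one of the Java libraries Jeff asks about. It implements Sverre's three whitelist levels (tags, per-tag attributes, attribute values) with Python's standard html.parser, rebuilding the fragment from scratch rather than trying to strip bad things out of it. The tag, attribute and scheme policy is an assumed one. It also shows RSnake's caveat: url_allowed() accepts http://somwhere.com/xss.jpg, because nothing in the markup tells a sanitizer whether the server behind that URL will answer with an image or a 302 to admin.asp; that has to be handled by the application (no state changes on GET, CSRF tokens), not by the sanitizer.]

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Levels 1 and 2: allowed tags, and the attributes allowed on each
# (assumed policy for this example).
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(),
    "em": set(), "strong": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
# Level 3: attributes that carry URLs, and the schemes they may use.
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "ftp"}
# Tags whose text content must be dropped along with the tag.
DROP_CONTENT_TAGS = {"script", "style"}

_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def url_allowed(value):
    """Level-3 check: accept only URLs whose scheme is whitelisted.

    Browsers skip embedded tabs, newlines and NULs when reading a scheme,
    so "java\\tscript:" still runs; strip them before looking.  Entity
    references (&#9;) were already decoded by HTMLParser.  Note what this
    cannot do: http://somwhere.com/xss.jpg passes even if that server
    302s the browser to something else (RSnake's point above).
    """
    cleaned = _CTRL_OR_SPACE.sub("", value)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:          # e.g. a malformed IPv6 literal
        return False
    return scheme in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Re-emits only whitelisted tags/attributes; everything else is gone."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # so unclosed input still comes out balanced
        self.skipping = None     # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return               # tag dropped; its text content survives
        kept = []
        for name, value in attrs:    # names are already lowercased
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue         # onload=, onclick=, style=, ... all go
            if name in URL_ATTRS and not url_allowed(value):
                continue         # javascript:, data:, vbscript:, ... go
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <br/>, <img .../>
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if self.skipping or tag not in self.open_tags:
            return               # stray close tag: ignore it
        while self.open_tags:    # also closes anything nested inside it
            open_tag = self.open_tags.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions hit the base-class
    # no-op handlers, so they never reach the output.

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return the whitelisted rendering of an untrusted HTML fragment."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()
```

Running sanitize() on the constructed input `<a href="java&#9;script:alert(1)" title="t">link</a>` yields `<a title="t">link</a>`: the tag is on the whitelist, the href is a whitelisted attribute, but its value fails the scheme check and is discarded, exactly the three-level outcome Sverre describes. A blacklist that looked for the literal string "javascript:" would have let the entity-encoded tab through.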
Current thread:
- whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Message not available
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Message not available
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Re: whitelisting HTML tags Tomek Perlak (Nov 02)
- Re: whitelisting HTML tags Sverre H. Huseby (Nov 03)
- Re: whitelisting HTML tags bugtraq (Nov 03)
- <Possible follow-ups>
- RE: whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Simon Cornelius P. Umacob (Nov 03)
- RE: whitelisting HTML tags RSnake (Nov 03)
- Re: whitelisting HTML tags Tim (Nov 03)
- Re: whitelisting HTML tags Adam Shostack (Nov 04)
- Message not available
- Re: whitelisting HTML tags Adam Shostack (Nov 07)
- RE: whitelisting HTML tags Tim Hollebeek (Nov 07)
- RE: whitelisting HTML tags Tim Hollebeek (Nov 07)