mailing list archives
Blacklist defenses as a breeding ground for vulnerability variants
From: "Steven M. Christey" <coley () mitre org>
Date: Fri, 3 Feb 2006 15:07:52 -0500 (EST)
David Litchfield recently provided a detailed description of a number
of vulnerabilities in Oracle PLSQL Gateway. He showed how, each time
the blacklist defense was modified, he was able to find a new variant
that worked around the more restrictive blacklist.
This type of pattern has emerged time and time again, in all classes
of software. A lot of people know this, but I thought it would be
useful to cover a more general example.
An easily demonstrable example is related to cross-site scripting,
which has a rich variety of attacks that involve different syntactic
or semantic manipulations. Blacklist-bypassing variants are
frequently found; this is probably one reason why XSS is so common,
and why some products seem to get hit with XSS issues again and again.
Suppose "Product X" is vulnerable to a basic XSS issue in which the
most obvious manipulation is used:
==== Patch 1 ====
A vendor's first fix might be to strip out all data between "<script>"
and "</script>" - i.e., use a blacklist of known-bad tags.
A subsequent attack might use this manipulation:
==== Patch 2 ====
If Product X wants to support the image tag - which many do - then the
The attacker's next manipulation might be:
which is rendered in some (all?) browsers.
==== Patch 3 ====
OK, so the vendor learns to decode all inputs first, *then* compare
Then this non-standard manipulation would pass:
of blacklist defenses, but still might be rendered by some browsers.
==== Patch 4 ====
OK, so the vendor FINALLY learns to ensure that ONLY "http" URIs are
allowed in the SRC IMG tag.
After THAT issue is fixed, the attacker might try this:
<img src="http://www.example.com/pic.jpg" onmouseover="alert('hi')">
The src tag has an legitimate "http" URL, but the onmouseover
attribute causes problems.
==== Patch 5 ====
OK, so the vendor might extend the blacklist to strip out
"onmouseover" from IMG tags.
Whoops, what about onload?
<img src="http://www.example.com/pic.jpg" onload="alert('hi')">
OK, so the vendor FINALLY learns a lesson about allowing arbitrary
attributes, and restricts img tags to *only* support src, and *only*
for "http" URLs.
==== Patch 6 ====
But maybe the blacklist doesn't apply this to *all* tags.
So the attacker might move to an otherwise innocent-looking tag:
==== Patch 7 ====
Then the vendor finally decides to test all inputs against a
restricted set of supported tags and very limited attributes - i.e. a
Any number of variants could follow, even from this example.
The point is that if you use blacklists, eventually you could be
henpecked by attack variants until you are forced to use whitelists.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Blacklist defenses as a breeding ground for vulnerability variants Steven M. Christey (Feb 03)