WebApp Sec: RE: whitelisting HTML tags

RE: whitelisting HTML tags

From: Evans, Arian <Arian.Evans_at_fishnetsecurity.com>
Date: Wed, 2 Nov 2005 10:56:24 -0600

Jeff,

I spent a lot of time looking for one for my personal website,
and I could not find a Java or .NET(insert_syntax) library
to do this. (Rolling_my_own != weekend_freetime)

In the end I selected the Post-NUKE PHP framework because
they had all this pre-rolled. It's very granular. Take a
look at how they've implemented controls. Looking at their
code, I think a c# or java implementation would not be hard.

<aside>
I'm quite fond of it; I allow myself a few more attributes
than users and non-users, as certain of my friends/coworkers
have been known to generate 100's and 1,000's of alerts from
my "app_IDS" module by their attempted "posts". :)

Some were quite creative and helped me identify unusual XSS
opportunities. One XSS I've left active on my site because
(a) it's never going to impact me and
(b) only two people have been able to find it, and not one scanner.
</aside>

A helpful resource in addition to the Post-NUKE code if you
decide to roll-your-own-whitelist includes reviewing the XSS
attack variants on:

http://ha.ckers.org/xss.html

Which is also in the awesome new OWASP Guide 2.0.1, which I'm
sure you've probably read.

This will give you a feel for common tag and element injections
if you're not already intimately familiar.

-ae

> -----Original Message-----
> From: Jeff Robertson [mailto:jeff.robertson_at_digitalinsight.com]
> Sent: Wednesday, November 02, 2005 9:55 AM
> To: 'Sverre H. Huseby'
> Cc: 'webappsec_at_securityfocus.com'
> Subject: RE: whitelisting HTML tags
>
>
> This is exactly the sort of thing I'm looking for. Anyone know of any
> libraries (preferably in Java) that already do this?
>
> Jeff Robertson
> Manager of Web Application Security
> Digital Insight
>
>
> > -----Original Message-----
> > From: Sverre H. Huseby [mailto:shh_at_thathost.com]
> > Sent: Wednesday, November 02, 2005 10:52
> > To: Jeff Robertson
> > Cc: 'webappsec_at_securityfocus.com'
> > Subject: Re: whitelisting HTML tags
> >
> >
> > [Jeff Robertson]
> >
> > | I need to tell my development to limit the HTML tags allowed in
> > | input to a subset that can't be used for XSS. Any guidelines for
> > | this?
> >
> > You need three levels of whitelisting:
> >
> > * For allowed _tags_
> >
> > * For allowed _attributes_ for the allowed tags (separate attribute
> >   whitelist for each tag)
> >
> > To avoid e.g. onload, onclick and stuff
> >
> > If you allow an "img" tag, you could allow the "src" and "alt"
> > attributes, and discard the rest.
> >
> > * For allowed _attribute_values_ for the allowed attributes
> >
> > To avoid e.g. href="javascript:..."
> >
> > You would allow src="http:..." and src="ftp:", and discard the
> > rest.
> >
> >
> > Sverre.
> >
> > --
> > shh_at_thathost.com My web security book: Innocent Code
> > http://shh.thathost.com/ http://innocentcode.thathost.com/
> >
>
Received on Nov 03 2005
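The three-level whitelist Sverre describes in the quoted reply (allowed tags, allowed attributes per tag, allowed values per attribute), written out as a small sanitizer. This is an added example, not code from the thread, from PostNuke, or from any library the posters mention; it uses the Python standard library's html.parser as the tokenizer, and the tag and attribute lists, the strict scheme list (http, https, ftp only, so relative URLs are rejected too), and the choice to drop unknown tags while keeping their text are assumptions chosen for illustration. It also re-escapes every value on output and closes any tags the input left open, so the result is well-formed even when the input is not.

```python
"""Three-level HTML whitelist: tags, per-tag attributes, per-attribute values."""
import re
from html import escape
from html.parser import HTMLParser

# Level 3: value validators. Each receives the entity-decoded value and returns
# True when it is acceptable.
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")  # browsers skip these inside a scheme


def safe_url(value):
    """Allow only an explicit http, https or ftp scheme; javascript:, data:,
    vbscript: and scheme-less values are rejected (assumed policy)."""
    cleaned = _CONTROL_RE.sub("", value)  # "java\tscript:" must not pass the check
    m = _SCHEME_RE.match(cleaned)
    return bool(m) and m.group(1).lower() in {"http", "https", "ftp"}


def any_text(value):
    """Free text is fine: it is entity-escaped again when written out."""
    return True


# Level 1 (outer keys) and level 2 (inner keys): allowed tags and, per tag,
# the attributes allowed on it. Everything else is discarded. (Assumed lists.)
ALLOWED = {
    "p": {}, "b": {}, "i": {}, "em": {}, "strong": {}, "br": {},
    "a": {"href": safe_url, "title": any_text},
    "img": {"src": safe_url, "alt": any_text},
}
VOID = {"br", "img"}                  # never get a closing tag
DROP_CONTENT = {"script", "style"}    # their text is code, not user-visible prose


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # output fragments
        self.open = []   # stack of emitted, not yet closed, allowed tags
        self.skip = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return  # level 1: unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:          # parser already lowercases names
            check = ALLOWED[tag].get(name)  # level 2: attribute allowed on tag?
            if check is None:
                continue
            value = value or ""            # bare attribute (<a href>) -> ""
            if check(value):               # level 3: value acceptable?
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open:
            return  # stray or disallowed closing tag
        while self.open:  # close up to and including the matching open tag
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # base-class no-op handlers, so none of them reach the output.

    def result(self):
        self.close()                      # flush buffered text
        while self.open:                  # balance whatever the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return a whitelisted, re-escaped, balanced version of the HTML fragment."""
    s = WhitelistSanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed sample input: the attack shapes the thread mentions.
    sample = '<img src="javascript:alert(1)" alt="x" onload="alert(1)"><script>x()</script><b>ok'
    print(sanitize(sample))  # <img alt="x"><b>ok</b>
```

The value check for URLs strips control characters and whitespace before reading the scheme, because browsers tolerate them inside the scheme and a check on the raw string would pass "java\tscript:". The matching scheme list is a whitelist, as Sverre recommends, rather than a blacklist of known-bad schemes.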
