Input XSS failing the Hackers Test

#1
[eluser]Xeoncross[/eluser]
I just tried the input class and I was surprised that it failed MANY TIMES on the Hackers XSS cheat sheet. FF 3 and Chrome didn't register the attacks - but IE 6 did. IE 6 is still very much in use so I don't know why this class hasn't been patched...?


Code:
// $text holds each attack string taken from http://ha.ckers.org/xssAttacks.xml
print $this->input->xss_clean($text);

http://ha.ckers.org/xss.html

#2
[eluser]sholsinger[/eluser]
Do you suggest using the XSS filter function proposed by one of the authors of that site? He claims to have given it to the public domain.

Code:
function RemoveXSS($val) {
   // remove all non-printable characters. TAB(09), LF(0a) and CR(0d) are allowed
   // this prevents some character re-spacing such as <java\0script>
   // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
   // (the class must not contain commas: '[\x00-\x08,...]' would strip every literal comma from the input)
   $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

   // straight replacements, the user should never need these since they're normal characters
   // this prevents like <IMG >
   $search = 'abcdefghijklmnopqrstuvwxyz';
   $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
   $search .= '1234567890!@#$%^&*()';
   $search .= '~`";:?+/={}[]-_|\'\\';
   for ($i = 0; $i < strlen($search); $i++) {
      // ;? matches the ;, which is optional
      // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars

      // &#x0040;@ search for the hex values
      $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
      // same for the decimal form: 0{0,8} matches '0' zero to eight times
      $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
   }

   // now the only remaining whitespace attacks are \t, \n, and \r
   $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
   $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
   $ra = array_merge($ra1, $ra2);

   $found = true; // keep replacing as long as the previous round replaced something
   while ($found == true) {
      $val_before = $val;
      for ($i = 0; $i < count($ra); $i++) {
         $pattern = '/';
         for ($j = 0; $j < strlen($ra[$i]); $j++) {
            if ($j > 0) {
               // between two letters allow any number of encoded TAB (9), LF (a/10) or CR (d/13)
               $pattern .= '(';
               $pattern .= '(&#[xX]0{0,8}([9ad]);)';
               $pattern .= '|';
               $pattern .= '(&#0{0,8}(9|10|13);)';
               $pattern .= ')*';
            }
            $pattern .= $ra[$i][$j];
         }
         $pattern .= '/i';
         $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
         $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
      }
      // stop only after a complete pass over every keyword made no replacement
      // (checking inside the for loop let a later replacement go unnoticed and end the loop early)
      $found = ($val_before != $val);
   }
   return $val;
}
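As an added example (not code from this thread or from CodeIgniter), the core stages of the RemoveXSS filter above ported to Python: entity normalisation, keyword nerfing with a loop that stops only after a full no-change pass, and a small regression check of the kind post #4 mentions, run over constructed encodings of one keyword. The keyword list is a short subset of the post's $ra1/$ra2, and the "browser view" used by the check is an approximation (entities decoded, TAB/LF/CR/NUL dropped).

```python
import html
import re
# Characters restored from numeric entities (the same set as $search in RemoveXSS).
PRINTABLE = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
             "1234567890!@#$%^&*()~`\";:?+/={}[]-_|'\\")
# Tag names / event handlers to neutralise: a short subset of the post's $ra1 and $ra2.
KEYWORDS = ["javascript", "vbscript", "expression", "script", "iframe", "onload", "onerror"]
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")  # strip controls, keep TAB/LF/CR
_ENTITY = re.compile(r"&#(?:[xX]0{0,8}([0-9a-fA-F]{1,2})|0{0,8}([0-9]{1,3}));?")
# Encoded TAB/LF/CR allowed between a keyword's letters (&#9; &#x0a; &#0013; ...).
_WS = r"(?:&#[xX]0{0,8}[9aAdD];|&#0{0,8}(?:9|10|13);)*"
_KEYWORD = re.compile("|".join(_WS.join(map(re.escape, k)) for k in KEYWORDS), re.IGNORECASE)


def normalize_entities(val: str) -> str:
    """Decode zero-padded hex/decimal entities of printable ASCII (';' optional, as
    browsers accept) into the plain character; every other entity is left alone."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2))
        return chr(code) if chr(code) in PRINTABLE else m.group(0)
    return _ENTITY.sub(repl, val)


def nerf_keywords(val: str) -> str:
    """Insert '<x>' after a keyword's second letter (dropping encoded whitespace inside
    it) and repeat until a complete pass changes nothing."""
    def nerf(m):
        word = re.sub(_WS, "", m.group(0))
        return word[:2] + "<x>" + word[2:]
    while True:
        before, val = val, _KEYWORD.sub(nerf, val)
        if val == before:
            return val


def remove_xss(val: str) -> str:
    return nerf_keywords(normalize_entities(_CONTROL.sub("", val)))


def surviving_variants(word: str, filt=remove_xss) -> list:
    """Encode `word` the ways the cheat sheet does and return the names of the variants
    that still reach the browser intact after `filt` (empty list = all caught)."""
    variants = {  # constructed test inputs
        "hex": "".join(f"&#x{ord(c):x};" for c in word),
        "hex-padded-nosemi": "".join(f"&#X000{ord(c):X}" for c in word),
        "decimal-padded": "".join(f"&#0000{ord(c)};" for c in word),
        "tab-split": "&#9;".join(word),
        "null-split": "\x00".join(word),
    }
    def seen(s):  # approximate browser view: decode entities, drop TAB/LF/CR/NUL
        return re.sub(r"[\x00\t\n\r]", "", html.unescape(s)).lower()
    return [name for name, v in variants.items() if word.lower() in seen(filt(v))]
```

Passing an identity function as `filt` shows what an unfiltered string looks like to the browser, which is why the check decodes the output before looking for the keyword.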

#3
[eluser]drewbee[/eluser]
Whoa thanks for pointing out such a comprehensive list for XSS injection types. I hope the guys at CI take notice of this.

#4
[eluser]Derek Jones[/eluser]
Xeoncross, we actually use that cheat sheet as one of our testing metrics. Would you mind emailing me (msg button on the left) which of the attacks you are seeing get through in IE6? Please don't reply with the details in this thread, so as to not invite script kiddies to try attacks on live sites.

#5
[eluser]TWP Marketing[/eluser]
Xeoncross and Derek,
Would you mind posting a message re this thread about how to apply any fix, such as the code posted by Sholsinger? Curious minds want to know before the next version is released...
Tks

#6
[eluser]Xeoncross[/eluser]
Derek said that they would push out this change into SVN today - but I haven't looked yet.

#7
[eluser]Derek Jones[/eluser]
The XSS filter improvements have been committed to the svn.

#8
[eluser]TWP Marketing[/eluser]
Xeoncross and Derek,
I love it when I get such quick responses, thanks!

#9
[eluser]Derek Jones[/eluser]
No problem, and for anyone with any security concerns, you can always feel free to email or message any of the development team directly. Thanks to Xeoncross for bringing this to our attention!

