xss_clean doesn't work properly

#11
[eluser]Paul Burdick[/eluser]
No, I did understand that, droopy. However, the ability to insert JavaScript that way and the ability to actually perform an XSS Attack are two different things. For example, your alert() will not work, nor will getting cookies because we remove that kind of code. We wanted you to actually show us something that got past the filter and did actual harm. Changing colors was not harmful.

However, it does point out a weakness in the XSS filtering, so we are going to be hard on it and challenge the usage of expression() in submitted data just to be safe.

#12
[eluser]droopy[/eluser]
[quote author="Paul Burdick" date="1182908905"]got past the filter and did actual harm.[/quote]

Changing anything on the site is harm enough? Via DOM it's easy to do, even changing some link on the site, not the link that is in the text I've typed, but any link on the site!

#13
[eluser]Paul Burdick[/eluser]
But changing it to what? When I think of severe level XSS attacks, I am thinking of losing cookies and user data information, not changing links.

I am admitting that this needs to be prevented, and boy do I despise IE for doing this proprietary mess to us, and I am updating the downloadable copy of CI to take it into account.

#14
[eluser]droopy[/eluser]
[quote author="Paul Burdick" date="1182909539"]But changing it to what?[/quote]
For example, a link to some file to download: the user will download the file because he thinks that the file is from your page, but in fact it can be a trojan horse from a hacker :> The user gets infected, and may lose trust in your page...

[quote author="Paul Burdick" date="1182909539"]and boy do I despise IE for doing this proprietary mess to us[/quote]
Expressions sometimes are very useful, to fix other bugs in IE with CSS ;)

#15
[eluser]Paul Burdick[/eluser]
[quote author="droopy" date="1182909972"][quote author="Paul Burdick" date="1182909539"]But changing it to what?[/quote]
For example, a link to some file to download: the user will download the file because he thinks that the file is from your page, but in fact it can be a trojan horse from a hacker :> The user gets infected, and may lose trust in your page...[/quote]

Point. And the CI dev files are now updated.

[quote author="droopy" date="1182909972"][quote author="Paul Burdick" date="1182909539"]and boy do I despise IE for doing this proprietary mess to us[/quote]
Expressions sometimes are very useful, to fix other bugs in IE with CSS ;)[/quote]

That is one of the things that is worrying me about scanning this. It does seem useful and we are now converting it, not by default, but if someone turns on the automatic XSS cleaning then yes.

#16
[eluser]marcoss[/eluser]
[quote author="Paul Burdick" date="1182910105"]That is one of the things that is worrying me about scanning this. It does seem useful and we are now converting it, not by default, but if someone turns on the automatic XSS cleaning then yes.[/quote]

No need to worry about it because it is not something that is likely to be passed through POST/GET; expression is evaluated either within a style sheet or inside the head section of the document. It will do no harm to filter them by default (if XSS is on).

I'm a bit late providing an example, but droopy made the point clear.

Just one more thing: I've noticed that the request will be rejected if it is passed as GET because it will contain illegal characters (permitted_uri_chars), so it won't even pass the router, but with POST the expression is evaluated as expected and code gets executed in IE.

#17
[eluser]marcoss[/eluser]
By the way, I've been recommended htmlpurifier in projects where security is a must. From what I've seen so far it does a pretty good job, but it is not suitable to go into the CI core as it is a framework of its own... Maybe I could roll a wrapper around it; does anyone have any experience with it?

#18
[eluser]Paul Burdick[/eluser]
[quote author="marcoss" date="1182928718"]No need to worry about it because it is not something that is likely to be passed through POST/GET; expression is evaluated either within a style sheet or inside the head section of the document. It will do no harm to filter them by default (if XSS is on).[/quote]

Actually, we added the new XSS sanitation to the EllisLab sites' ExpressionEngine installation and we got bit by it ourselves when we posted a new build of ExpressionEngine. There are also forums on ExpressionEngine.com that focus on CSS and How-To work, so it is a bit more than likely; it should probably be expected.

#19
[eluser]marcoss[/eluser]
[quote author="Paul Burdick" date="1182931507"][quote author="marcoss" date="1182928718"]No need to worry about it because it is not something that is likely to be passed through POST/GET; expression is evaluated either within a style sheet or inside the head section of the document. It will do no harm to filter them by default (if XSS is on).[/quote]

Actually, we added the new XSS sanitation to the EllisLab sites' ExpressionEngine installation and we got bit by it ourselves when we posted a new build of ExpressionEngine. There are also forums on ExpressionEngine.com that focus on CSS and How-To work, so it is a bit more than likely; it should probably be expected.[/quote]

Good point. Check this out, PHPIDS.

#20
[eluser]Ambush Commander[/eluser]
Hi, I noticed this thread while trawling my referrer logs. As author of HTML Purifier and having worked in this field, I will say that the blacklist approach you guys are taking currently will require a lot of work to get into a semi-usable state. There are lots of tiny little vectors (such as expression, but also syntax quirks) that will need to be patched. I can almost guarantee that, as it stands right now, it's insecure (190 lines of code + comments is not enough to cover all the edge cases). If you insist on persisting, I suggest checking out other blacklist HTML filters which have been battle-tested, as well as consulting the XSS cheat sheet to find inventive vectors you may have missed.

Or, take the alternative, and use HTML Purifier. :-) HTML Purifier is kind of big though... you'd be basically doubling your framework size if you package it in, so I don't recommend that. It is, however, a library, not a framework, so it plays well with other libraries/frameworks. Perhaps it could be a "recommended" XSS solution?

On an unrelated note: PHPIDS is quite an interesting application, but it doesn't have any relevance to the topic at hand. As an intrusion detection system, its goal is to flag suspicious-looking requests. It won't filter HTML.
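The thread contrasts two ways of dealing with `expression()`: patching it into a blacklist (posts #11 and #13) versus the allow-list model that HTML Purifier's author argues for in #20. The following is an added example, written for this page and not code from CodeIgniter's `xss_clean`, HTML Purifier, or any of the posters. It is a minimal allow-list sanitizer for an inline `style` attribute in PHP: a declaration survives only when its property is on a short list of permitted properties and its entire value matches a strict grammar for that property. The property list, the value grammars, and the `sanitize_style_attribute` name are assumptions for a hypothetical application, not anything from CI or HTML Purifier.

```php
<?php
// Added example, not CodeIgniter's xss_clean and not HTML Purifier code.
// Allow-list sanitizer for an inline style attribute: a declaration survives
// only if its property is on a known-safe list AND its whole value matches a
// strict grammar for that property. IE's expression() is dropped because it
// never matches any grammar, not because a blacklist names it.

function sanitize_style_attribute(string $style): string
{
    // Properties this hypothetical application permits, each with the regex
    // the entire value must match. \A and \z anchor both ends exactly, so a
    // trailing newline cannot slip past the way it can with $.
    $color = '\A(#[0-9a-f]{3}|#[0-9a-f]{6}|black|white|red|green|blue|gray|grey|yellow|orange|purple)\z';
    $allowed = [
        'color'            => "/$color/i",
        'background-color' => "/$color/i",
        'font-weight'      => '/\A(normal|bold|[1-9]00)\z/i',
        'font-style'       => '/\A(normal|italic)\z/i',
        'text-align'       => '/\A(left|right|center|justify)\z/i',
        'width'            => '/\A\d{1,4}(px|%|em)\z/i',
        'height'           => '/\A\d{1,4}(px|%|em)\z/i',
    ];

    $kept = [];
    foreach (explode(';', $style) as $declaration) {
        // Exactly one colon, "property: value"; anything else is discarded.
        $parts = explode(':', $declaration);
        if (count($parts) !== 2) {
            continue;
        }
        $property = strtolower(trim($parts[0]));
        $value    = trim($parts[1]);

        if ($value === '' || !isset($allowed[$property])) {
            continue; // unknown property: not on the allow-list
        }
        if (!preg_match($allowed[$property], $value)) {
            continue; // value does not fit this property's grammar
        }
        // Re-emit in canonical form so none of the original bytes reach the page.
        $kept[] = $property . ': ' . strtolower($value);
    }
    return implode('; ', $kept);
}

// Constructed sample input: two harmless declarations around an IE expression().
$input  = 'color: #FF0000; width: expression(alert(1)); font-weight: bold';
$output = sanitize_style_attribute($input);
// $output === 'color: #ff0000; font-weight: bold'

// The attribute context still needs HTML escaping when the value is written out.
echo '<span style="' . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . '">',
     'text', '</span>', PHP_EOL;
```

Note the design choice: the filter never looks for the word `expression` at all. A blacklist has to be extended each time a new spelling or syntax quirk is found, whereas here a value is kept only if it positively matches a grammar the application chose, so unforeseen constructs fail closed. This covers only the `style` attribute; a complete HTML filter needs the same treatment for every tag and attribute, which is the scope HTML Purifier takes on and why it is far larger than a 190-line blacklist.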

