lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: bitlance_3 at hotmail.com (bitlance winter)
Subject: [anti-XSS]about CERT/CC:malicious_code_mitigation

Hello LIST.

It is my sad story.
I feel that there is the necessity for to learn about XSS.
I must learn about malicious content mitigation.
Again and again I have read the advisory,
"[CERT/CC] Understanding Malicious Content Mitigation
for Web Developers".

The advisory is here.
http://www.cert.org/tech_tips/malicious_code_mitigation.html.

First, I read the "Sample Filtering Code".
and the "Identifying the Special Characters".
http://www.cert.org/tech_tips/malicious_code_mitigation.html#8
http://www.cert.org/tech_tips/malicious_code_mitigation.html#4

There is a Perl Example.

===quoted begin===

#! The first function takes the negative approach.
#! Use a list of bad characters to filter the data
sub FilterNeg {
    local( $fd ) = @_;
    $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return( $fd ) ;
}

===SNIP===

$Data = "This is a test string<script>";
$Data = &FilterNeg( $Data );
print "$Data\n";

===quoted end===

I have understood that bad characters are
< > " ' % ; ) ( & +

Again, I read the section, "Identifying the Special Characters".
http://www.cert.org/tech_tips/malicious_code_mitigation.html#4

===quoted begin===

Within the body of a <SCRIPT> </SCRIPT>
The semicolon, parenthesis, curly braces, and new line should be
filtered in situations where text could be inserted directly
into a preexisting script tag.

===quoted end===

I think that this is a important point, when user's input text
could be inserted into a script tag.

I have rewrote the Perl example named "FilterNeg".
I have to add the filterling rule.

===begin===
# -----------------
# FilterNeg
# http://www.cert.org/tech_tips/malicious_code_mitigation.html
# The first function takes the negative approach.
# Use a list of bad characters to filter the data
# < > " ' % ; ) ( & +
# filter out  { } [ ] \r \n
# filter out  javascript: vbscript: ../
#
sub FilterNeg {

local( $fd ) = @_;
$fd =~ s/[\<\>\"\'\%\;\)\(\&\+\}\{\]\[\r\n]//g;

while ($fd =~ /\.{2,}\/|javascript:|vbscript:/i) {
$fd =~ s/\.{2,}\///g;
$fd =~ s/javascript://gi;
$fd =~ s/vbscript://gi;
}

return( $fd ) ;
}
====end====

It does in this way. It finished at last.
I have made one Perl script. Please checkout.


===begin===
#!/usr/bin/perl

# please set this CGI name (example: cert.cgi)
# to $cginame
$cginame = "cert.cgi";

if($ENV{'REQUEST_METHOD'} eq 'POST'){
#reads inputted variables through POST
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
}
else{
#reads inputted variables through GET
$buffer = $ENV{'QUERY_STRING'};
}

#splits the variables at &
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {

#sets the value and name of each var
($name, $value) = split(/=/, $pair);

#makes each + into a space
$value =~ tr/+/ /;

#URL decode
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

#filter out bad characters < > " ' % ; ) ( & +
#filter out { } [ ] \r \n
#filter out javascript: vbscript: ../
$value = &FilterNeg( $value );

#sets the varibles in a hash
$FORM{$name} = $value;
}

#print html .
print "Set-Cookie: id=sample\; ";
print "expires=Mon, 01-May-2055 12:00:00 GMT;\n";
print "Content-Type: text/html\n";
print "\n";

print "\n\n";
print "<scr";
print "ipt>\n";
print "try\n";
print "{\n";
print "    if (window.self == window.top)\n";
print "        window.location.replace( \"$FORM{'Redirect'}\" )\n";
print "}\n";
print "catch(e){}\n";
print "</scr";
print "ipt>\n\n";

print "<html><head><title>$cginame</title></head>\n";
print "<body>\n";
print "<h2>TITLE</h2>\n";
print "<p>messages.</p>\n";
print "<a href=\"/\">HOME</a><br>\n";
print "<a href=\"javascript:document.cookie\">cookie</a><br>\n";
print "</body></html>";

exit;

# -----------------
# FilterNeg
# http://www.cert.org/tech_tips/malicious_code_mitigation.html
# The first function takes the negative approach.
# Use a list of bad characters to filter the data
# < > " ' % ; ) ( & +
# filter out { } [ ] \r \n
# filter out javascript: vbscript: ../
#
sub FilterNeg {

local( $fd ) = @_;
$fd =~ s/[\<\>\"\'\%\;\)\(\&\+\}\{\]\[\r\n]//g;

while ($fd =~ /\.{2,}\/|javascript:|vbscript:/i) {
$fd =~ s/\.{2,}\///g;
$fd =~ s/javascript://gi;
$fd =~ s/vbscript://gi;
}

return( $fd ) ;
}

====end====

I have checked this script, for example,
http://mysite.tld/cert.cgi?Redirect=http://www.example.com/
http://mysite.tld/cert.cgi?Redirect=./somefile

That is Good.
(Tested on InternetExplorer,Opera,Firefox,etc.)

And I have checked XSS issues.
Now I am sad. I have found a XSS issue.
It is not good.

Example URL:
http://mysite.tld/cert.cgi?
Redirect=%5C152avascript:alert%5C50document.cookie%5C51


=== again CERT/CC advisory ===

Within the body of a <SCRIPT> </SCRIPT>
The semicolon, parenthesis, curly braces, and new line should be
filtered in situations where text could be inserted directly
into a preexisting script tag.

=== end ======================

Please teach me truth.

Thank you for your reading this mail.
Best Regards.

--
bitalance

_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to 
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ