How do you battle all of these? JavaScript and the million different ways it can be written

I just don't know what to think anymore. It seems that the people who made JavaScript went out of their way to allow it to be written in millions of ways so that hackers can have a field day.

I finally got my whitelist working using the HTML Agility Pack. It has to remove

 <script></script> 

since that is not on my whitelist, plus any onclick, onmouse..., etc.

However, it now seems that you can write JavaScript inside tag attributes:

 <IMG SRC="javascript:alert('hi');"> 

and since I allow SRC attributes, my whitelist cannot help me. So I came up with the idea of going through all the valid attributes at the end and looking inside them.

This way it finds all my allowed attributes for each HTML tag (so src, href, etc.).

Then I took the attribute value, converted it to lowercase, and did an IndexOf check on that string for "javascript".

If an index was found, I started at that index and removed every character from there to the end. So in the case above, the attribute would be left as src="".

Now it seems that this is not good enough, since you can do something like

 java script
 jav ascript

and probably put a space between each letter.

So I don't know how to stop this. If it were just the space between "java" and "script", I could write a simple regular expression that didn't care how many spaces were between them. But if it is true that you can put a space, a tab, or something else after each letter, then I don't know.

Then, to top it off, there are all these other wonderful ways:

 <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> // will work apparently
 <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> // will work apparently
 <IMG SRC="jav ascript:alert('XSS');"> // will work apparently
 <IMG SRC="jav&#x09;ascript:alert('XSS');"> // will work apparently
 <IMG SRC="jav&#x0A;ascript:alert('XSS');"> // will work apparently
 <IMG SRC="jav&#x0D;ascript:alert('XSS');"> // will work apparently

http://ha.ckers.org/xss.html

I know that these are for cross-site scripting attacks (I don't do anything about XSS myself; ASP.NET MVC handles that fine), but I don't understand why they couldn't be used for other things. All of these examples just call alert, so they could be used for something else.

So I have no idea how to check for and remove any of them.

I use C#, but I don't know how to stop any of these, and I don't know of anything in C# that could help me.

+7
javascript security c# asp.net-mvc
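What defeats the IndexOf("javascript") approach above is that the check runs on the raw attribute text, while the browser first decodes entities and drops ASCII control characters (tab, LF, CR) before it reads the scheme. The following is an added example, not code from the question or from either answer; it is written in Python rather than the asker's C# because the technique is language-neutral and is meant to be ported. The tag/attribute allowlist (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `ALLOWED_SCHEMES`) is assumed for illustration. It normalizes URL attributes the way a browser would and then keeps only allowlisted schemes, instead of searching for a forbidden substring; the six vectors from the question are the inputs it is checked against.

```python
"""Allowlist HTML sanitizer: normalize URL attributes like a browser, then
allow only known-good schemes. Added example; the allowlist is assumed."""
import html
import re
from html.parser import HTMLParser

# Hypothetical allowlist for this example; adjust to what your page accepts.
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"img", "br"}
DROP_CONTENT = {"script", "style"}   # disallowed tags whose text must go too

# Browsers ignore ASCII controls/whitespace inside a URL scheme, which is why
# "jav&#x09;ascript:" and "java\nscript:" still execute. Strip the same set
# (all C0 controls, space, DEL) before looking at the scheme.
_CONTROLS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def safe_url(url):
    """Return `url` if its scheme is allowlisted or it is relative, else None.

    `url` must already have HTML entities decoded (html.parser does that for
    attribute values), so &#106;&#97;... arrives here as "ja...".
    """
    normalized = _CONTROLS.sub("", url)
    m = _SCHEME.match(normalized)
    if m is None:
        return url                      # relative URL such as /img/a.png or ?q=1
    return url if m.group(1).lower() in ALLOWED_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0               # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return                      # unknown tag (e.g. <scrpit>) stripped, text kept
        kept = []
        for name, value in attrs:       # names are lowercased by the parser
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # drops onclick, onmouseover, style, ...
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue            # javascript:, vbscript:, data:, ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Sanitize an HTML fragment and return the rebuilt, serialized HTML."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs: the question's vectors plus one benign fragment.
    for sample in (
        "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;"
        "&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
        "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
        "<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">",
        '<a href="https://example.com/a?b=1" onclick="alert(1)">link</a>',
    ):
        print(sanitize(sample))
```

Every vector in the question collapses to `<img>` because the scheme is checked only after decoding and control-character stripping, while `https://example.com/a?b=1` survives with its `onclick` removed. This is also what the AntiXss library recommended in the first answer does internally; the point of the example is to show why "remove everything after the word javascript" can never be made complete by adding more regular expressions.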
2 answers

It seems you want to sanitize JavaScript out of HTML, and for that there is actually a good solution for you in C#/.NET.

Download the Microsoft Web Protection Library from CodePlex.

If you run your HTML fragment through Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment(html), you get this result:

 <img src=""> // will work apparently
 <img src=""> // will work apparently
 <img src=""> // will work apparently
 <img src=""> // will work apparently
 <img src=""> // will work apparently
 <img src=""> // will work apparently

All of the script is stripped.

+6

Make a page, say redir. Now, after the form is submitted, take the entire value of the src attribute and replace it with redir?src=theExactValueHere. The redir program then first downloads the value of the GET src parameter (which is ultimately the actual value of the src attribute) from the server and then forwards the content, including the same MIME type; it can also do some verification of the attribute value and then redirect with a header.

There are even more ways, but I think this will be easier and more reliable.

0