views: 656
answers: 6

As a temporary quick fix to mitigate the major risk while working on the permanent fix for an XSS vulnerability in a very large code base, I'm looking for a pre-existing XSS prevention blacklist that does a reasonable job of protecting against XSS.

Preferably a set of Regular Expressions. I'm aware of plenty of cheat sheets for testing and smoke tests etc, what I'm looking for is pre-tuned regexps for blocking the attacks.

I am fully aware that the best way is output escaping or, if you need some markup from users, to use whitelisting. But, with the size of the code base, we need something in quickly to reduce the immediate footprint of the vulnerability and raise the bar whilst working on the real solution.

Is anyone aware of a good set?

+1  A: 

Here is one: http://ha.ckers.org/xss.html but I don't know if it's complete.

CAL9000 is another list where you could find something like that.

Ikke
+2  A: 

I realise this may not be a direct answer to your question, but ASP.NET developers in a similar situation may find this useful:

Microsoft Anti-Cross Site Scripting Library V1.5

This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The principle of inclusions approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements.

tjrobinson
A: 

If you run Apache you could use mod_security to close some holes. At least it would provide you with a tool (the console or a plain logfile) to monitor the traffic and to react before it's too late. Also, gotroot.com has a couple interesting rules for web applications.

Then again, I don't really know what kind of holes you are closing.

Till
A: 

The cheat sheet at ha.ckers.org/xss.html is not complete. A colleague of mine found one or two that aren't on there. RSnake does list many of the regex filters each attack string gets past. Use a few and you may close enough holes.

It would be a good starting place. If nothing else, to know what kinds of things you need to be looking for.

Use it as a place to start and make sure the scripts you write escape enough characters to render benign any attacks your blacklists miss. What good is XSS injection if no browser renders it?

In reality, escaping enough of the right characters goes most of the way here. It's quite hard to inject XSS into a script that turns every &lt; into a &amp;lt; and escapes " into &amp;quot;.

tduehr
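The following is an added example and is not code from the question or from any of the answers above. It puts side by side the three approaches discussed on this page: a small regex blacklist of the kind the question asks for, the character-level output escaping tduehr describes, and an allow-set ("principle of inclusions") encoder of the kind tjrobinson's answer describes. The regex list, the payload strings and all function names are this editor's own constructions, chosen so that some payloads are caught by the blacklist, some slip past it (an HTML entity or a tab inside the `javascript:` scheme, a tag the list never heard of), and every one of them comes out inert once escaped at output time.

```python
"""Blacklist regexes versus output escaping for XSS (added example).

Nothing here is taken from RSnake's cheat sheet, PHPIDS or the
Anti-XSS library; the patterns and payloads are constructed for
illustration only.
"""
import html
import re

# A small blacklist of the kind the question asks for. It is fast,
# case-insensitive, whitespace-tolerant, and incomplete by nature.
XSS_BLACKLIST = [
    re.compile(r"<\s*script", re.I),                  # <script>, < script>
    re.compile(r"javascript\s*:", re.I),              # javascript: URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),              # onload=, onerror=, ...
    re.compile(r"<\s*(iframe|object|embed)\b", re.I), # active embeds
    re.compile(r"expression\s*\(", re.I),             # old IE CSS expression()
]


def blacklist_matches(value: str) -> bool:
    """True when any blacklist regex fires on the raw input."""
    return any(p.search(value) for p in XSS_BLACKLIST)


def escape_html_text(value: str) -> str:
    """Standard output escaping: encode &, <, >, " and ' so user data can
    never open a tag or close an attribute in the rendered page."""
    return html.escape(value, quote=True)


# Principle of inclusions: name the characters that are allowed and encode
# everything else as a numeric entity. The allow set below is an assumption
# for this example (ASCII letters, digits, space and a little punctuation).
_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789 ,.-_"
)


def encode_by_inclusion(value: str) -> str:
    """Encode every character outside the allow set as &#NNN;."""
    return "".join(c if c in _ALLOWED else f"&#{ord(c)};" for c in value)


# Constructed sample payloads. The first group is what a blacklist is
# written for; the second group is shaped to get past the regexes above.
CAUGHT_PAYLOADS = [
    "<script>alert(1)</script>",
    "<IMG SRC=x onerror=alert(1)>",
    '<a href="javascript:alert(1)">x</a>',
]
BYPASS_PAYLOADS = [
    '<a href="javas&#99;ript:alert(1)">x</a>',  # entity for "c" breaks the regex
    '<a href="jav\tascript:alert(1)">x</a>',    # tab inside the scheme (URL parsers drop it)
    '<base href="//evil.example/">',            # hijacks relative script URLs; not in the list
]


def classify(payloads):
    """Split payloads into (caught, missed) according to the blacklist."""
    caught = [p for p in payloads if blacklist_matches(p)]
    missed = [p for p in payloads if not blacklist_matches(p)]
    return caught, missed


def looks_inert(rendered: str) -> bool:
    """Escaped output must contain no raw tag or attribute delimiters."""
    return not any(ch in rendered for ch in "<>\"'")


if __name__ == "__main__":
    caught, missed = classify(CAUGHT_PAYLOADS + BYPASS_PAYLOADS)
    print(f"blacklist caught {len(caught)}, missed {len(missed)}:")
    for p in missed:
        print("  MISSED :", p)
        print("  escaped:", escape_html_text(p))
        print("  allow  :", encode_by_inclusion(p))
```

Running the script shows the point made in the answers above: the regex list stops the obvious strings and is defeated by trivial encoding tricks, while both output encoders leave no `<`, `>`, `"` or `'` for a browser to act on, so whatever the blacklist misses arrives as harmless text. The blacklist is worth keeping only as a logging and early-warning layer in front of the real fix.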
+1  A: 

Not sure if you're using PHP, but if so you should look at HTMLPurifier. It's extremely simple to use; just add a call to the purify() method where you accept your input, or where you output it. Its whitelist-based approach blocks every XSS attack I've tested it against.

Chris Kite
A: 

What you want is an IDS (Intrusion Detection System). If you're using PHP, there is PHPIDS. It's maintained and tested by an excellent hacker community. They have been throwing all kinds of things at it to improve the filters, well beyond RSnake's original list. There was also a .NET port somewhere, not sure if it's still maintained.

Zach