views:

128

answers:

2

Hi

I just don't know what to think anymore. It seems like the people who made javascript went out of their way to allow it to be written a million different ways so hackers can have a field day.

I finally got my white list up by using html agility pack. It should remove

<scrpit></script>

As it is not in my white list plus any onclick,onmouse and etc.

However now it seems you can write javascript in the attribute tags.

<IMG SRC="javascript:alert('hi');">

and since I allow SRC attributes my white list can't help me on this. So I came up with the idea to go through all valid attributes at the end and look inside them.

So it would find all my allowed attributes for every html tag( so src,href and etc).

I then found the innertext and put it to lowercase. I then did a index check on this string for "javascript".

If an index was found I started at that index and removed every character from that index on. So in the above case the attribute would be left with Src="".

Now it seems that is not good enough since you can do something like

java script jav ascript

and probably a space between every letter.

So I don't know how to stop it. If it was just a space between java and script then I could just write a simple regex that did not care how many spaces between. But if it is really that you can put a space or tab or whatever after each letter then I have no clue.

Then to top it off you can do all these other great ways too

   <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> // will work apparently
    <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> // will work apparently
    <IMG SRC="jav    ascript:alert('XSS');"> // will work apparently
    <IMG SRC="jav&#x09;ascript:alert('XSS');">// will work apparently
    <IMG SRC="jav&#x0A;ascript:alert('XSS');"> // will work apparently
    <IMG SRC="jav&#x0D;ascript:alert('XSS');"> // will work apparently

http://ha.ckers.org/xss.html

I know this is for some cross scripting attack( I am not making an XSS asp.net mvc does a good job of this already) but I don't see why it can't be use for other things like like in all those examples it makes alerts so it could be used for something else.

So I have no clue how to check and remove any of these.

I am using C# but I don't know how to stop any of these and don't know of anything in C# that could help me out.

A: 

make a page say redir Now after form submission take all src attribute's value and replace it with redir?src=theExactValueHere now that redir program First downloads the value of GET parameter src (Which is eventually the actual src attribute's Value) from serverside and then Forward's the Content as it is including the exact same MIME/type it can also do some Checking on the attribute's value and then Header Redirection too.

There are even more ways But I think This would be simplest and Reliable too.

+7  A: 

Seems you want to clean out javascript, and for that there is in fact a nice solution for you in C#/.Net.

Download Microsoft Web Protection Library from CodePlex.

If you run your html fragment thru Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment(html) then you will end up with this output:

<img src=""> // will work apparently
<img src=""> // will work apparently
<img src=""> // will work apparently
<img src="">// will work apparently
<img src=""> // will work apparently
<img src=""> // will work apparently

All script cleaned out.

Mikael Svenson
Hmm this looks cool. It talks about a white list does it have white listing capability? I made a white list through html agility pack and now am I wondering if this could have done it all.
chobo2
You have any tutorials on how to use it and what it can do?
chobo2
I haven't used it that much, but download the source code from http://wpl.codeplex.com/SourceControl/list/changesets and check out the docs and sample apps.
Mikael Svenson