XSS Attacks
December 7, 2005 12:07 AM

Cross Site Scripting (XSS) Filter Tests. Are you in charge of a system that allows users to enter comments? Here's a huge list of techniques that may be used against you (or, "why you shouldn't use regex").
posted by null terminated (9 comments total)
 
We try them here right?
posted by holloway at 1:47 AM on December 7, 2005


all in one nifty site, thanks null terminated.
posted by dabitch at 2:02 AM on December 7, 2005


Ouch, this is going to take some reading. Thanks null terminated.
posted by NinjaPirate at 2:42 AM on December 7, 2005


You know, I was expecting this to be simple to read and in layman's terms. Basically a "if you want to prank a MeFi thread, do as follows..." But it's for hackers to maliciously attack innocent websites?! Well, I'm completely incapable of taking advantage of that, and therefore I hate this post. I object to any post that knows anything I don't.
posted by shmegegge at 3:57 AM on December 7, 2005


Why shouldn't I use regular expressions?
posted by melt away at 5:49 AM on December 7, 2005


melt, essentially, writing a regex to 'remove badness', one that removes all possible attack vectors, wouldn't work, as this site is very graphically showing. Covering all the possible permutations that can be used to evade that kind of filter would be essentially impossible.

A regex to 'allow goodness' might work, but as this site is also showing, just figuring out what's safe to allow isn't easy. This is almost certainly why many web forums use the [] syntax, rather than true HTML, because the interpretation and parsing of [] codes are up to the server, not the client. An attacker wouldn't be able to inject weird HTML codes, because the server doesn't allow any real HTML in its messages at all. It's still possible to exploit this model, given some kind of parsing bug on the server, but it's a lot harder and much less likely to be very damaging.

MeFi seems to allow most HTML, so it would, sadly, probably be vulnerable to many of the attacks on this site.
posted by Malor at 6:55 AM on December 7, 2005
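
The contrast drawn in the comment above, as an added example that is not part of the original thread: a "remove badness" regex next to a [] renderer that escapes everything and lets only the server emit tags. The function names, the set of supported codes and the sample comment are all hypothetical and constructed for illustration.

```python
import html
import re

# Hypothetical "remove badness" filter: strips the one construct it knows about.
SCRIPT_TAG = re.compile(r"<script.*?>.*?</script>", re.I | re.S)

def blocklist_filter(comment: str) -> str:
    return SCRIPT_TAG.sub("", comment)

# Hypothetical allowlist of [] codes; anything not listed stays plain text.
SIMPLE_TAGS = {"b": "strong", "i": "em"}
# Links must start with http:// or https://, so other URL schemes never match.
URL_TAG = re.compile(r"\[url=(https?://[^\s\[\]]+)\](.*?)\[/url\]", re.S)

def render_bbcode(comment: str) -> str:
    # 1. Escape first: nothing the user typed can open a tag or close an attribute.
    out = html.escape(comment, quote=True)
    # 2. Only the server writes markup, and only for allowlisted codes.
    for code, tag in SIMPLE_TAGS.items():
        out = re.sub(rf"\[{code}\](.*?)\[/{code}\]", rf"<{tag}>\1</{tag}>",
                     out, flags=re.S)
    # 3. The URL was escaped in step 1, so it is safe inside the quoted href.
    return URL_TAG.sub(r'<a href="\1" rel="nofollow">\2</a>', out)

if __name__ == "__main__":
    # Constructed sample: markup the blocklist was never told about.
    sample = '<p onmouseover="doSomething()">hello</p> [b]bold[/b]'
    print("blocklist:", blocklist_filter(sample))  # raw markup passes through
    print("bbcode:   ", render_bbcode(sample))     # raw markup is inert text
```

Misnested codes such as `[b][i]x[/b][/i]` still produce misnested (though inert) HTML here, which is the kind of server-side parsing detail the comment warns about.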


Holy crap, that's thorough! Thanks!
posted by kokogiak at 7:35 AM on December 7, 2005


Malor - unfortunately yes, there's context
posted by NinjaPirate at 7:36 AM on December 7, 2005


NinjaPirate: eh? That's like saying that someone's house is open to a cat burglary if they got rammed by a truck. Totally different attack vectors... not allowing HTML at all is paranoid.
posted by Firas at 7:45 PM on December 7, 2005 [1 favorite]

