View full version: XSS Filter


PandoraBox
28.08.2008, 03:18
I started with this a month ago, and I made it into a little project for myself. I deleted a few blog items, as they were getting too confusing. So this post talks about filtering out anything malicious but keeping HTML, in two steps. I'm still working on this project, so I update it regularly. My goal is to make it as hard as possible to insert malicious code but still allow basic HTML and inline CSS.

JavaScript function to replace pieces of code.
function Strip(input) {
var text = input;
text = text.replace(/\n/g,"<br />"); // new line to br
text = text.replace(/\r/g,"<br />"); // return to br
text = text.replace(/<\?/gi, " "); // php
text = text.replace(/\?>/gi, " "); // php
text = text.replace(/<\?php/gi, " "); // php
text = text.replace(/<%/gi, " "); // asp
text = text.replace(/%>/gi, " "); // asp
text = text.replace(/%00/g," "); // URL-encoded null removal
text = text.replace(/\x00/g," "); // null byte removal
text = text.replace(/&#/g," "); // &# removal (# allowed for inline CSS)
text = text.replace(/&lt/gi," "); // &lt removal
text = text.replace(/\('/g," "); // (' removal
text = text.replace(/'\)/g," "); // ') removal
text = text.replace(/(\/\*)/g," "); // /* comments, script obfuscation
text = text.replace(/!\[CDATA/gi," "); // script obfuscation
text = text.replace(/javascript/gi," "); // script instance
text = text.replace(/<script>/gi," "); // script instance
text = text.replace(/<\/script>/gi," "); // script instance
text = text.replace(/<script/gim," "); // script instance
text = text.replace(/on(.*)\b[(.*)="]/gi," "); // Event handlers
text = text.replace(/on(.*)\b[(.*)=(.*)]/gi," "); // Event handlers
text = text.replace(/eval\((.*)\)/gi, " "); // Eval stuff
text = text.replace(/fromCharCode/gi, " "); // fromCharCode
text = text.replace(/getElementBy(.*)/gi, " "); // getElementBy
text = text.replace(/!--/gi, " "); // SSI
text = text.replace(/<!/gi, " "); // html
text = text.replace(/<meta/gi, " "); // html
text = text.replace(/<base/gi, " "); // html
text = text.replace(/<style/gi, " "); // html
text = text.replace(/<ilayer/gi, " "); // html
text = text.replace(/<iframe/gi, " "); // html
text = text.replace(/<frame/gi, " "); // html
text = text.replace(/<embed/gi, " "); // html
text = text.replace(/<link/gi, " "); // html
text = text.replace(/<import/gi, " "); // html
text = text.replace(/(vbscript(.*)\b[(*):]|data(.*)\b[(*):]|base64(.*)\b[(*):]|expression(.*)\b[(*):]|urn(.*)\b[(*):])/gi," "); // script-capable URI schemes and CSS expression()
text = text.replace(/(binding(.*)\b[(*):]|moz-binding(.*)\b[(*):]|behavior(.*)\b[(*):])/gi," "); // CSS bindings / behaviors
text = text.replace(/(window|document|style)\.(location|cookie|images|frames)/gi," "); // DOM access
document.getElementById('output').innerHTML = text;
return text;
}
.htaccess blocking URI XSS & SQL injection.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (javascript:).*(;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteRule (,|;|<|>|'|`) /log.php [NC]
logging URI attacks: log.php
<?php
$r= $_SERVER['REQUEST_URI'];
$q= $_SERVER['QUERY_STRING'];
$i= $_SERVER['REMOTE_ADDR'];
$u= $_SERVER['HTTP_USER_AGENT'];
$mess = $r . ' | ' . $q . ' | ' . $i . ' | ' .$u;
mail("admin@site.com","bad request",$mess,"from:bot@site.com");
echo "Ugly!";
?>
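An added example (my code, not from the original post or any project of the author's) showing the opposite approach to the blacklist above: escape every `<`, `>`, `&` and quote first, then re-enable only a small allowlist of tags and a few inline CSS properties. Anything not explicitly re-enabled stays inert text, so the filter never has to know what an attack looks like. The tag set, the CSS property set and the sample inputs are assumptions made for this illustration. The samples cover the kinds of input the blacklist above tries to name one by one (script tags, nested tags, on* handlers, a javascript: URL, CSS expression()/behavior), but none of them is matched against a list of bad strings.

```javascript
// Added example, not code from the original post: "escape everything, then
// re-enable an allowlist" sanitizer for user-supplied HTML with inline CSS.
// ALLOWED_TAGS, ALLOWED_STYLE_PROPS and SAMPLES are assumptions for the demo.

const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'br']);
// Inline CSS is kept only for these properties, and only with plain values:
// no parentheses, so url(), expression() and similar cannot appear at all.
const ALLOWED_STYLE_PROPS = new Set(['color', 'font-weight', 'font-style', 'text-align']);
const STYLE_VALUE = /^[#a-z0-9 ,.%-]+$/i;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

// Keep only allowlisted "property: value" pairs from a style attribute.
function sanitizeStyle(raw) {
  const kept = [];
  for (const decl of raw.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (ALLOWED_STYLE_PROPS.has(prop) && STYLE_VALUE.test(value)) {
      kept.push(prop + ': ' + value);
    }
  }
  return kept.join('; ');
}

// A tag is only recognised when it is well formed: letters-only name and
// double-quoted attributes. Everything else containing '<' or '>' is escaped,
// so malformed or unknown markup never reaches the browser as markup.
function sanitize(input) {
  const tagRe = /<(\/?)([a-zA-Z]+)((?:\s+[a-zA-Z-]+\s*=\s*"[^"<>]*")*)\s*\/?>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const [whole, closing, name, attrs] = m;
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {      // unknown tag: shown as text, not run
      out += escapeHtml(whole);
      continue;
    }
    if (tag === 'br') {                // void element, never carries attributes
      out += '<br />';
      continue;
    }
    let attrOut = '';
    if (!closing) {
      const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"<>]*)"/g;
      let a;
      while ((a = attrRe.exec(attrs)) !== null) {
        if (a[1].toLowerCase() === 'style') {
          const css = sanitizeStyle(a[2]);
          if (css) attrOut += ' style="' + escapeHtml(css) + '"';
        }
        // every other attribute (on*, href, src, ...) is dropped, not filtered
      }
    }
    out += '<' + (closing ? '/' : '') + tag + attrOut + '>';
  }
  out += escapeHtml(input.slice(last));
  return out.replace(/\r\n|\r|\n/g, '<br />'); // newline to br, as in the post
}

// Constructed sample inputs (not taken from the original post).
const SAMPLES = [
  '<b>bold</b> and <i style="color: #c00">red</i>',
  '<script>alert(1)</script>',
  '<scr<script>ipt>alert(1)</scr</script>ipt>',
  '<b onmouseover="alert(1)">hover</b>',
  '<p style="color: red; behavior: url(x.htc); width: expression(alert(1))">x</p>',
  '<a href="javascript:alert(1)">link</a>',
  'line one\r\nline two',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '=>', sanitize(s));
}
```

Run it with node to see each sample beside its sanitized form. The design point is that nothing is removed by recognising it: `<script>`, the nested `<scr<script>ipt>`, the unquoted `onclick=` and the `javascript:` URL all come out as harmless escaped text simply because no rule ever re-enabled them, and extending the allowlist (say, an `a` tag whose href is checked against `http:`/`https:`) is an explicit decision rather than one more pattern to chase.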

[Raz0r]
29.08.2008, 16:09
Here is a good tool by Gareth Heyes called Hackvertor: _http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
It is designed to test web apps using various vectors including XSS, SQL, fuzzing and a lot of others. You can generate the vectors and post the data to your script, so you can check whether it is possible to bypass your filters.