Please take our Survey
logo       
<prev   next>

Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...

Re: whitelisting XSS/HTML-injection defense: msg#00005

apache.mod-security.user

Subject: Re: whitelisting XSS/HTML-injection defense

Rude Yak wrote:
I've read the portion of the doc that covers XSS, i.e.

<Location /cms/article-update.php>
SecFilterInheritance Off
# other filters here ...
SecFilterSelective "ARGS|!ARG_body" "<.+>"
</Location>

What I would like to know is if anyone has gotten more sophisticated with XSS
defense and tried to whitelist certain tags. I'm trying to set up a policy
that will allow a few harmless tags (let's say, for argument's sake, that <B>
and <PRE> are considered harmless) but not others. This has proven to be quite
a challenge. So far, I've come up with:

SecFilterSelective "ARGS|!ARG_blog-text" "<.+>" id:1501
SecFilterSelective "ARG_blog-text" "<" chain,id:1502
SecFilterSelective "ARG_blog-text" "!<([Bb]|[Pp][Rr][Ee])([ >])" id:1503
SecFilterForceByteRange 9 126

But this (needless to say) doesn't work because a QUERY_STRING that has

blog-text=Abc+def+<B>

will still find the "Abc+def" matching <([Bb]|[Pp][Rr][Ee])([ >]) and be
blocked by the filter. Has anyone come up with a clever way to whitelist input
this way? I'm going to keep trying but I'm feeling close-to-stumped right now
:-)

Brave attempt but I don't think it is possible to reliably whitelist
HTML tags using regular expressions only. In this case I think custom
programming is the way to go. This is something I want to add to a
future ModSecurity release: create a hook to allow custom code to
be plugged-in to verify the incoming data.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: 1.9b4 SecFilterRemove question, Ivan Ristic
Next by Date:  [ANNOUNCE] ModSecurity 1.9RC1 has been released, Ivan Ristic
Previous by Thread:  whitelisting XSS/HTML-injection defense, Rude Yak
Next by Thread:  Fedora, Mod-Security, PID issues, Frank
Indexes:  [Date] [Thread] [Top] [All Lists]

Google Custom Search
Recently Viewed:
hardware.arm.at...    cms.citadel.dev...    video.gstreamer...    java.facelets.u...    misc.basics.qna...    web.wiki.instik...    network.uip.use...    xdg.devel/2003-...    tex.bibtex.bibd...    finance.quotesp...    ietf.zeroconf/2...    redhat.blinux.g...    suse.db2/2003-0...    php.phpesp/2004...    uml.devel/2003-...    gnome.labyrinth...    qnx.openqnx.dev...    boot-loaders.gr...    db.dataperfect....    audio.audacity....    linux.uclinux.m...    editors.j.devel...    os.openbsd.tech...    kde.users.multi...   
Home | advertise | OSDir is an inevitable website. super tiny logo

Free Magazines

Cisco News
Receive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business.
subscribe

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe

Navigation