This is for my readers who are, or who manage, web application programmers. I sent this update to my security assessment clients about a month ago, but the urgency has kept increasing as attack rates rise …
I’ve been seeing a lot more injection attacks on industry sites – some automated, some manual. If you have web applications and haven’t been testing them for SQL injection and cross-site scripting (XSS), get on that PRONTO!
Even if you think your input validation is under control, be careful. Attackers are getting a LOT sneakier:
- Using HTML entities instead of the characters themselves, and alternative encodings: UTF-8, overlong UTF-8 sequences, UTF-7, Unicode (%uXXXX) escapes, US-ASCII and even plain hex. Watch out for ‘declare’ and ‘cast’ in inputs: the automated SQL injection attacks wrap the real statement in a hex literal and hand it to CAST, so those two keywords may be all you see in the request. Not your friend.
- Not using special characters at all: leaving off the single quotes (a numeric field needs none), building them with JavaScript’s String.fromCharCode inside the script, or even using grave accents in their place.
- Breaking regular expressions that look for SCRIPT by embedding tabs, spaces or carriage returns inside the tag, or encoded versions of the same.
- Sending you naughty content not just through the traditional form inputs and URL strings, but through cookie manipulation.
- Leveraging your platform: Server Side Includes (if installed), uploading JS files renamed with image extensions and counting on the browser to sniff the real type, even using your own application platform to generate the script.
- Injecting into IMG tags (including the dynsrc and lowsrc attributes), BODY onload handlers, CSS rules, TITLE and META tags, IFRAMEs, TD backgrounds, DIV styles, BASE tags, OBJECT tags, XML, Flash ActionScript and more!
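Here is an added example (mine, not code from the original post) of what that ‘declare’/‘cast’ warning looks like in practice. It is a small Node.js check that percent-decodes a request line, finds any CAST(0x… AS VARCHAR/NVARCHAR) and decodes the hex with the character width the declared type implies, so the statement that would actually run is visible rather than just the keywords around it. The request lines, the hidden statements and the keyword list are constructed for this example; the automated attacks of the time used exactly this shape with a much longer hex string.

```javascript
// Added example, not code from the original post. The automated SQL
// injection of this period sent DECLARE/CAST/EXEC with the real statement
// hidden as a hex literal, so a check that only matches the keywords never
// sees what would run. This decodes it. Every request line and hidden
// statement below is constructed.

// Keywords that seldom belong in a legitimate query string. Tune per site.
const SQL_KEYWORDS = /\b(declare|cast|exec(?:ute)?|update|insert|delete|drop|union|sysobjects|syscolumns)\b/gi;

// Used only to build the constructed samples (the attacker does this step
// offline). enc is "latin1" for VARCHAR and "utf16le" for NVARCHAR.
function hexEncode(text, enc) {
  return Buffer.from(text, enc).toString("hex");
}

// Constructed samples: one benign request, two injected. The hidden
// statements are harmless stand-ins for what real payloads carried.
const HIDDEN_VARCHAR = "UPDATE t SET c=c+'<script src=x></script>'";
const HIDDEN_NVARCHAR = "EXEC sp_stand_in";
const SAMPLE_REQUESTS = [
  "GET /product.asp?id=42",
  "GET /product.asp?id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x" +
    hexEncode(HIDDEN_VARCHAR, "latin1") +
    "%20AS%20VARCHAR(4000));EXEC(@S);--",
  "GET /news.asp?id=7;declare%20@s%20nvarchar(4000);set%20@s=cast(0x" +
    hexEncode(HIDDEN_NVARCHAR, "utf16le") +
    "%20as%20nvarchar(4000));exec(@s);--",
];

// Percent-decode once ('+' as space). A malformed escape is kept as-is so
// the raw bytes are still inspected rather than silently dropped.
function urlDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Find every CAST(0x... AS [N]VARCHAR | [N]CHAR) and decode the hex with
// the character width the declared type implies.
function decodeCastHex(sql) {
  const re = /cast\(\s*0x([0-9a-f]+)\s+as\s+(n?)(?:var)?char/gi;
  const hidden = [];
  let m;
  while ((m = re.exec(sql)) !== null) {
    hidden.push(Buffer.from(m[1], "hex").toString(m[2] ? "utf16le" : "latin1"));
  }
  return hidden;
}

// Inspect one request line. Suspicious when a hex-wrapped CAST is present
// at all, or when two or more distinct SQL keywords show up in the decoded
// request or in the statements it hides.
function inspectRequest(line) {
  const decoded = urlDecode(line);
  const hidden = decodeCastHex(decoded);
  const keywords = new Set();
  for (const text of [decoded, ...hidden]) {
    for (const k of text.match(SQL_KEYWORDS) || []) keywords.add(k.toLowerCase());
  }
  return {
    suspicious: hidden.length > 0 || keywords.size >= 2,
    keywords: [...keywords].sort(),
    hiddenStatements: hidden,
  };
}

for (const line of SAMPLE_REQUESTS) {
  const r = inspectRequest(line);
  console.log(`${r.suspicious ? "SUSPICIOUS" : "ok        "} ${line.slice(0, 40)}... hidden=${JSON.stringify(r.hiddenStatements)}`);
}
```

The point of decoding rather than just matching is that the hex literal is what gets executed; reviewing the decoded statement tells you whether the payload was trying to append a script tag to every text column, run a stored procedure, or something else, and that decides the incident response. The NVARCHAR branch matters because a UTF-16 payload read as single-byte text looks like gibberish and gets dismissed.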
I think my “favorite” workaround for XSS validation is the validator that removes script tags from input but doesn’t do it recursively, so the hacker sends <scr<script>ipt>, the filter strips the inner <script>, and what’s left is…. <script>!
And they’re using every combination of the above that you can think of!!!
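To make the nested-tag trick and a few of the other evasions in the list concrete, here is an added JavaScript example; it is not code from the original post, and the function and payload names are mine. It runs constructed payloads through a single-pass script-tag filter, the same filter repeated until the string stops changing, and an HTML output encoder, then reports which of them still leaves a ‘<’ that can open a tag.

```javascript
// Added example, not code from the original post. Constructed payloads are
// run through three defences: a one-pass "<script>" strip (the filter the
// nested-tag trick defeats), the same strip repeated until stable, and
// output encoding for an HTML context.

// One pass, literal "<script>", case-insensitive: what the post describes.
function naiveStripScript(input) {
  return input.replace(/<script>/gi, "");
}

// The same strip applied until the string stops changing. This closes the
// nested-tag hole only; every other evasion below still gets through.
function stripScriptUntilStable(input) {
  let before;
  let after = input;
  do {
    before = after;
    after = before.replace(/<script>/gi, "");
  } while (after !== before);
  return after;
}

// Stand-in for the layer that decodes input *after* validation has run,
// which is how a percent-encoded "<script>" slips past a literal match.
function laterDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s; // malformed escapes: leave the string as it is
  }
}

// Output encoding for HTML text and quoted-attribute contexts. No '<'
// survives, so nothing can open a tag however the input was disguised.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// In HTML text, '<' followed by a letter is what starts a tag.
function canOpenTag(s) {
  return /<[a-zA-Z]/.test(s);
}

// Constructed payloads, one per evasion from the list above.
const PAYLOADS = {
  nested: "<scr<script>ipt>alert(1)</script>",         // non-recursive filter
  whitespace: "<script\t>alert(1)</script>",            // tab inside the tag
  percentEncoded: "%3Cscript%3Ealert(1)%3C/script%3E",  // encoded '<' and '>'
  noScriptTag: "<img src=x onerror=alert(1)>",          // no SCRIPT tag at all
};

// Filter first, decode later (the order that fails), versus decode first
// and encode at output (the order that holds). Returns what each leaves
// and whether that result can still open a tag.
function evaluate(payload) {
  const naive = laterDecode(naiveStripScript(payload));
  const stable = laterDecode(stripScriptUntilStable(payload));
  const escaped = escapeHtml(laterDecode(payload));
  return {
    naive, stable, escaped,
    naiveOpensTag: canOpenTag(naive),
    stableOpensTag: canOpenTag(stable),
    escapedOpensTag: canOpenTag(escaped),
  };
}

// Results for every payload, keyed by payload name.
function summary() {
  const out = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) out[name] = evaluate(payload);
  return out;
}

for (const [name, r] of Object.entries(summary())) {
  console.log(`${name}: naive=${r.naiveOpensTag} stable=${r.stableOpensTag} escaped=${r.escapedOpensTag}`);
}
```

The recursive strip fixes exactly the case the post describes and nothing else: a tab inside the tag, an encoded tag decoded downstream, or an IMG with an onerror handler all walk straight past it. Encoding for the output context after canonicalizing the input is the control that does not depend on guessing the next evasion; a blacklist, however clever, is only ever as complete as the list.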
Are you validating for all of these situations?
Be careful out there!