Cross Site Scripting 

In general I use the news groups a lot to get ideas on code etc., and my
rule is: if I'm looking for some new bit of code and I don't find it
(this is not to say my searches are perfect), then if I end up writing
it I try to always post it back to the groups. I went on a hunt
recently trying to track down a function that would prevent cross site
scripting (XSS) but still allow me to maintain safe HTML code in
posted data. The page that follows is what I came up with. (I know it
can probably be condensed into fewer lines of code with an array
and a for loop.) It basically looks for certain keywords and replaces
them with a random variation of the word. As far as my research and
testing goes it seems to be pretty solid. It retains safe HTML data
but prevents any potentially malicious data from being posted back to
the site. The two VBScript functions can be easily converted to
JavaScript too. Keep in mind that this is designed to prevent XSS from
"posted" data only; this does not address issues with the querystring.
Hope someone finds this useful. (And if you have something better, post
it!)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%
' Split every keyword the filter knows about with a random GUID fragment.
' All comparisons use vbTextCompare: VBScript's Replace is case-sensitive
' by default and would otherwise catch "onClick" but leave "onclick" alone.
Function ValidateInput(ByVal TestString)

        MyGuid = left(createobject("scriptlet.typelib").guid,38)

        'dump the dashes and braces
        MyGuid = Replace(MyGuid,"-","")
        MyGuid = Replace(MyGuid,"{","")
        MyGuid = Replace(MyGuid,"}","")

        ' get all the potentially evil tag sets and re-write them
        ' with a random tag
        TestString = Replace(TestString,"vbscript:",RandomNum("vbscript:"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"javascript:",RandomNum("javascript:"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"<script",RandomNum("<script"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"</script>",RandomNum("</script>"),1,-1,vbTextCompare)
        ' the ASP delimiters are written as "<" & "%" so the ASP parser does
        ' not treat them as real script blocks inside this file
        TestString = Replace(TestString,"<" & "%","<" & MyGuid)
        TestString = Replace(TestString,"%" & ">",(MyGuid & ">"))
        TestString = Replace(TestString,"<object",RandomNum("<object"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"</object>",RandomNum("</object>"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"<applet",RandomNum("<applet"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"</applet>",RandomNum("</applet>"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"<embed",RandomNum("<embed"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"</embed>",RandomNum("</embed>"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"<form",RandomNum("<form"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"</form>",RandomNum("</form>"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"<xml",RandomNum("<xml"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"</xml>",RandomNum("</xml>"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"<![CDATA",RandomNum("<![CDATA"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"<iframe",RandomNum("<iframe"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"</iframe>",RandomNum("</iframe>"),1,-1,vbTextCompare)

        'grab all of the single "event" words and change them
        TestString = Replace(TestString,"OnLoad",RandomNum("OnLoad"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"OnUnload",RandomNum("OnUnload"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onSubmit",RandomNum("onSubmit"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onreset",RandomNum("onreset"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onClick",RandomNum("onClick"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onDblClick",RandomNum("onDblClick"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onMouseDown",RandomNum("onMouseDown"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onMouseUp",RandomNum("onMouseUp"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onFocus",RandomNum("onFocus"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onBlur",RandomNum("onBlur"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onSelect",RandomNum("onSelect"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onChange",RandomNum("onChange"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onMouseOver",RandomNum("onMouseOver"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onMouseMove",RandomNum("onMouseMove"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onMouseOut",RandomNum("onMouseOut"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onKeyPress",RandomNum("onKeyPress"),1,-1,vbTextCompare)
        TestString = Replace(TestString,"onKeyUp",RandomNum("onKeyUp"),1,-1,vbTextCompare)

        'replace potentially harmful meta tags
        TestString = Replace(TestString,"http-equiv=",RandomNum("http-equiv="),1,-1,vbTextCompare)

        ValidateInput = TestString

End Function

' Insert a GUID fragment at a random position inside MyString. The position
' is kept between the second and the second-to-last character so the keyword
' is always split in two (never left intact with the GUID appended after it).
Function RandomNum(ByVal MyString)
        High = Len(MyString) - 1
        Low = 2

        Randomize

        MyRand = Int((High - Low + 1) * Rnd) + Low
        MyGuid = left(createobject("scriptlet.typelib").guid,38)

        'dump the dashes and braces
        MyGuid = Replace(MyGuid,"-","")
        MyGuid = Replace(MyGuid,"{","")
        MyGuid = Replace(MyGuid,"}","")

        StringStart = Mid(MyString,1,MyRand)
        StringEnd = Mid(MyString,(MyRand + 1))

        MyNewString = StringStart & MyGuid & StringEnd

        RandomNum = MyNewString

End Function

' test data that is pre-loaded into the textarea below
MyEvilVar = "<a href=""javascript:alert('me');"">clickme</a><br>" & VbCrLf
MyEvilVar = MyEvilVar & "<a href=""www.yahoo.com"">Yahoo</a><br>" & VbCrLf
MyEvilVar = MyEvilVar & "<form action=""test.asp"" method=""post"" name=""test"" id=""test"" onSubmit=""d"" onreset=""d"" onClick=""d"" onDblClick=""d"" onMouseDown=""d"" onMouseUp=""d"">" & VbCrLf
MyEvilVar = MyEvilVar & "<input type=""text"" name=""test1"" id=""test1"" value=""testing"" >" & VbCrLf
MyEvilVar = MyEvilVar & "      <br><select name=""test2"" id=""test2"" onFocus=""d"" onBlur=""d"" onChange=""d"">" & VbCrLf
MyEvilVar = MyEvilVar & "              <option value=""1"" SELECTED>1</option>" & VbCrLf
MyEvilVar = MyEvilVar & "              <option value=""2"">2</option>" & VbCrLf
MyEvilVar = MyEvilVar & "              <option value=""3"">3</option>" & VbCrLf
MyEvilVar = MyEvilVar & "              <option value=""4"">4</option>" & VbCrLf
MyEvilVar = MyEvilVar & "              <option value=""5"">5</option>" & VbCrLf
MyEvilVar = MyEvilVar & "</select>" & VbCrLf
MyEvilVar = MyEvilVar & "</form>" & VbCrLf
%>
<html>
<head>
        <title>XSS Test</title>
        <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>

<body>

<% If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
        MyTest = Request.Form("Test")
        Response.Write(ValidateInput(MyTest))
End If %>

<form action="xss.asp" method="post" name="test" id="test">
<textarea cols="40" rows="20" name="test" id="test"><%= MyEvilVar %></textarea>
<br>
<input type="submit" name="submit" id="submit" value="submit">
</form>

</body>
</html>

Here are some other useful links:
http://www.*-*-*.com/
http://www.*-*-*.com/
http://www.*-*-*.com/ ;en-us;Q252985&sd=tech



Sat, 03 Dec 2005 23:17:34 GMT  
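The filter above is a denylist: it only neuters the keywords it has been told about, and VBScript's Replace matches case-sensitively unless the vbTextCompare argument is passed. The approach a reviewer would reach for instead is an allowlist sanitizer: parse the posted HTML, keep only known-safe tags and attributes, drop every event-handler attribute whatever its spelling, reject link targets whose scheme is not http(s) or relative, and render everything else (including <script> and <% %> fragments) as escaped text. The Python below is an added example and is not the post's code; the tag/attribute allowlist is an assumption chosen to match the post's own test form, and POSTED is a constructed sample modelled on its MyEvilVar string.

```python
# Added example (not the post's ASP code): an allowlist HTML sanitizer for
# posted data, as the alternative to a keyword-splitting denylist.
# Assumption: the tags/attributes below are the ones worth keeping from the
# post's test form; anything not listed is rendered as escaped text.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowed tags and, per tag, the attributes that survive. Event handlers
# (onClick, onMouseOver, ...) are never listed, so they are always dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "br": set(),
    "b": set(), "i": set(), "p": set(),
    "form": {"action", "method", "name", "id"},
    "input": {"type", "name", "id", "value"},
    "select": {"name", "id"},
    "option": {"value", "selected"},
}
VOID_TAGS = {"br", "input"}           # never emit a closing tag for these
URL_ATTRS = {"href", "action"}        # attributes whose value is a URL
SAFE_SCHEMES = {"", "http", "https"}  # "" = relative URL such as test.asp


def safe_url(value):
    """Accept only relative or http(s) URLs, whatever the letter case.

    Spaces and control characters are removed before the scheme is read so
    a scheme name padded with whitespace is still recognised and rejected."""
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED_TAGS.get(tag)      # HTMLParser lowercases tag names
        if allowed is None:
            # Unknown tag (<script>, <iframe>, <object>, ...): show it as text
            self.out.append(escape(self.get_starttag_text()))
            return
        parts = [tag]
        for name, value in attrs:            # attribute names arrive lowercased
            if name not in allowed:
                continue                     # drops every on* attribute
            if name in URL_ATTRS and not safe_url(value or ""):
                continue                     # drops javascript:/vbscript: links
            if value is None:
                parts.append(name)           # boolean attribute, e.g. SELECTED
            else:
                parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <br/> is handled like <br>

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape("</%s>" % tag))
        elif tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))        # text, incl. <% ... %> fragments

    def handle_comment(self, data):
        pass                                 # comments are dropped entirely


def sanitize(posted_html):
    parser = AllowlistSanitizer()
    parser.feed(posted_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample modelled on the post's MyEvilVar test string, with an
# upper-case handler name and a server-side <% %> block added.
POSTED = (
    '<a href="javascript:alert(\'me\')">clickme</a><br>\n'
    '<a href="www.yahoo.com">Yahoo</a><br>\n'
    '<form action="test.asp" method="post" name="test" id="test" '
    'onSubmit="d" onreset="d" onClick="d" ONMOUSEDOWN="d">\n'
    '<input type="text" name="test1" id="test1" value="testing" >\n'
    '<select name="test2" id="test2" onFocus="d" onBlur="d">\n'
    '<option value="1" SELECTED>1</option>\n'
    '</select>\n</form>\n'
    '<% Response.Write("hello") %>\n'
    '<script>alert(1)</script>'
)

if __name__ == "__main__":
    print(sanitize(POSTED))
```

Because the parser decodes the markup before the checks run, the decision is made on tag and attribute names rather than on byte patterns, so there is no list of spellings to keep up to date: an attribute either is in the allowlist or it is gone. The cost is that unlisted but harmless markup is shown as text instead of rendered, which is the trade-off an allowlist makes deliberately.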
 