Re: CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]

From: Andrew Clover (andat_private)
Date: Fri Jan 11 2002 - 09:13:36 PST

    "Obscure" <obscureat_private> wrote:
    
    > In fact UBB now filters keywords such as javascript and cookie.
    > To circumvent this filtering, I made use of html encoding techniques.
    
    This demonstrates the extreme weakness of the filtering approach. Filtering
    known-bad constructs usually fails. Including a parser that allows only
    known-good markup fares better, but is hard.
    
    I have not tested the latest updates, but here are some more approaches
    to script injection that were allowed through on a UBB forum I frequent:
    
      <body onload="alert()">
    
      <link rel="stylesheet" href="jav&#97script&#58;alert&#40;)">
    
      <p style="width: expression&#40;alert&#40;))">
    
    (works on IE thanks to dynamic properties, executes immediately.)
    
      <img src="vbscript:alert">
    
    (javascript: is not the only potentially harmful kind of URL)
    
      <a href="about&#58;&lt;s&#99;ript&gt;alert&#40;)">
    
    (another one for IE)
    
      <a href=&{location='stealcookie.cgi?'};>
    
    (one for Netscape 4, so it doesn't feel left out.)
    
    All the above can be made to steal cookies - filtering the string
    "document.cookie" does no good whatsoever since one can just as well do
    "document['coo'+'kie']". I'm sure there are many more holes I missed.
    
    Ever since Netscape's idiotic invention of 'javascript:' URLs, browser
    manufacturers have been adding more and more stupid ways to embed scripting
    content in HTML. This makes it practically impossible to write a forum that
    allows markup without including a proper HTML parser with very restrictive
    rules.
    
    This doesn't just affect forum systems, but any web site that allows the
    user to input markup. Look at all the Hotmail holes we've had, for
    example. Add user-markup features to your web sites with extreme caution!
    
    -- 
    Andrew Clover
    mailto:andat_private
    http://and.doxdesk.com/
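As an added example that is not part of Andrew Clover's post or of the UBB/YaBB code base: a small allowlist sanitizer in Python (standard library only) that takes the "known-good markup" approach the message recommends instead of filtering known-bad strings. The allowed tags, attributes and URL schemes are assumptions suitable for a forum that permits light markup; the sample inputs are constructed from the vectors quoted in the message. The key points it shows are that character references in attribute values must be decoded before the URL scheme is checked (so `jav&#97script&#58;` is seen as `javascript:`), that every attribute not explicitly allowed (`onload`, `style`, ...) is dropped rather than inspected, and that `script`/`style` contents are discarded.

```python
"""Allowlist HTML sanitizer for user-supplied forum markup.

Added example, not code from the original post. Uses only the standard
library. The allowlists below are assumptions for a forum that permits
light markup; adjust them to the markup you actually want to accept.
"""
import html
import re
from html.parser import HTMLParser

# tag -> attributes permitted on that tag (assumed policy)
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set(),
    "pre": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}            # emitted without a closing tag
URL_ATTRS = {"href", "src"}          # values that are checked as URLs
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag and its text are both removed

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
_RELATIVE_RE = re.compile(r"^[A-Za-z0-9/._~?=&%#+\-]*$")


def safe_url(value):
    """Return a cleaned URL, or None if the attribute must be dropped.

    HTMLParser has already decoded character references in attribute values,
    so 'jav&#97script&#58;' arrives here as 'javascript:'. Whitespace and
    control characters (which browsers ignore inside a scheme) are stripped
    before the scheme is compared against the allowlist.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    m = _SCHEME_RE.match(cleaned)
    if m:
        return cleaned if m.group(1).lower() in ALLOWED_SCHEMES else None
    # No scheme: accept only a plain relative path. Characters such as
    # '{', "'" and ';' (the Netscape 4 &{...}; trick) are rejected here.
    return cleaned if _RELATIVE_RE.match(cleaned) else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_allowed = []   # stack of emitted tags, so output stays balanced
        self.dropping = 0        # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return   # <body>, <link>, <iframe> ... vanish; their text is kept
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue   # onload=, style= and every other unknown attribute
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_allowed.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.open_allowed:
            return
        while self.open_allowed:          # close nested tags left open inside
            top = self.open_allowed.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    # comments, declarations and processing instructions are dropped by default

    def result(self):
        while self.open_allowed:
            self.out.append(f"</{self.open_allowed.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return p.result()


# Constructed inputs, built from the vectors quoted in the message above.
SAMPLES = [
    '<body onload="alert()">hi',
    '<link rel="stylesheet" href="jav&#97script&#58;alert&#40;)">',
    '<p style="width: expression&#40;alert&#40;))">text</p>',
    '<img src="vbscript:alert">',
    '<a href="about&#58;&lt;s&#99;ript&gt;alert&#40;)">x</a>',
    "<a href=&{location='stealcookie.cgi?'};>x</a>",
    '<a href="http://example.org/?a=1&amp;b=2">ok</a>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(sanitize(s)))
```

The sanitizer re-escapes all text and attribute values on output, so the decoded value is never written back raw; that is what makes decoding before the scheme check safe. Note that this is an allowlist over structure, not a search for bad substrings: `document['coo'+'kie']` in a text node is harmless once it can only ever be emitted as text.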
    This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 14:01:50 PST