While the need for input filtering is important, the need for good
input filtering is even more important. Evading input filters is about as easy as evading
IDS signatures in the 1990s: it is amazingly simple. While many sites jumped on the
input filtering bandwagon years ago, good input filtering, or even positive (allowlist) filtering, has
not been the norm.
For example, for a given test string for XSS, such as , several variants could be used to evade input filtering measures.
The following examples show a few subversion methods, including Base64 encoding,
HEX, and decimal:
- Base64 PHNjcmlwdD4=
- HEX <script>
- Decimal <script>
Is the web application performing input filtering on all these values? Probably;
however, what about the web browser? If an attacker posted a script onto a web page
that is then converted to ASCII by the browser automatically, is that a security issue of
the web application or a security issue of the browser? As we will discuss later on in the
Samy worm discussion, a lot of browser leniencies make character conversion a tough
thing to defend against.
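To make the evasion concrete from the defender's side, here is an added example in Python (not code from the book): a naive blocklist that misses the Base64, hex-entity and decimal-entity variants of the same <script> token, the same check after canonicalizing the input, and a positive (allowlist) filter that rejects every variant without a blocklist. The field rules, function names and the entity-encoded sample values are assumptions constructed for this example.

```python
import base64
import binascii
import html
import re

# Naive blocklist filter: looks for the literal tag only, so every encoded
# variant of "<script>" passes straight through.
def naive_filter_blocks(value: str) -> bool:
    return "<script" in value.lower()

# Canonicalize before checking: decode HTML numeric entities (hex and
# decimal, the forms a browser converts to ASCII automatically), and also
# try Base64 in case the value is decoded somewhere downstream.
def canonicalize(value: str) -> str:
    text = value
    # html.unescape handles &#x3c; / &#60; / &lt; in one pass; loop in case
    # the payload was entity-encoded more than once.
    for _ in range(3):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    # Base64 is a heuristic: only attempt it when the whole token looks like
    # Base64, and ignore anything that does not decode to valid UTF-8.
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text) and len(text) % 4 == 0:
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass
    return text

def canonicalizing_filter_blocks(value: str) -> bool:
    return "<script" in canonicalize(value).lower()

# Positive (allowlist) filtering: an assumed username field may only contain
# these characters, so encoded variants are rejected without any blocklist.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def allowlist_accepts(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

# Constructed variants of the same "<script>" token discussed in the text.
VARIANTS = {
    "plain": "<script>",
    "base64": "PHNjcmlwdD4=",
    "hex_entities": "&#x3c;script&#x3e;",
    "decimal_entities": "&#60;script&#62;",
}
```

The canonicalizing check only helps when the decoding it performs matches what the browser or downstream code will actually do; the allowlist does not depend on that guess, which is why positive filtering is the stronger default.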