
Detecting XSS

Posted by Lode Michels 
July 03, 2007 05:09AM

Hi Ambush Commander,

Really enjoying your lib!

I was wondering though. It uses a whitelist as opposed to a blacklist, which sounds like the logical approach to me.

To be honest I code a lot of PHP myself but I've not taken/made the time (yet) to read all the code... which you're probably more familiar with anyway :-]

I can understand that detection and filtering are 2 completely different processes.

But would it actually be possible to detect an XSS attack and, even better, return its value for evaluation to the webmaster (in this case me)?

This would be very useful to act against people attempting to issue XSS attacks against a website and for instance delete their account and/or maybe try to issue a ban...

I

Re: Detecting XSS
July 03, 2007 08:26AM

I've had XSS detection come up as a request previously, and it is on the roadmap. However, it's difficult to say what exactly is XSS, besides a few commonly known strings like javascript:, onload:, etc. A lot of research is necessary in this respect, and if you'd like to help out I'd be more than happy to use your suggestions.

Furthermore, for people who are complaining about speed issues, I don't really understand. This is a very extensive lib. If used properly on HTML input for storage in a file / database you'll only need it for the input. So I don't really see the problem?! The benefits are really great and that takes some additional milliseconds.

Thank you for this defense. I also detail two methods to speed up web applications in this document.

Lode Michels
Re: Detecting XSS
July 04, 2007 04:01PM

I can imagine it's very difficult to determine whether or not something is actually XSS or let

Re: Detecting XSS
July 05, 2007 08:26AM

I can imagine it's very difficult to determine whether or not something is actually XSS or, let's say, malicious, especially since there is no blacklist.

A whitelist (as mentioned before) still seems to me like a much more logical approach for validation. But I feel this makes it harder to do the reverse and detect illegal things. But still, you're the expert here :-]

How would you attempt to detect XSS and others?

Implement a parallel running blacklist. If things get caught by the blacklist, we raise flags.

- Try to determine suspicious input and make an option to return this information via a function call. __toString would have been nice maybe in this case. As I'm sure some people won't even bother checking this because the input is clean and that's all that counts for them.

Because the true interface of HTML Purifier is through an object, it would be trivial to add HTMLPurifier->getSuspicion() in the main API.

- This info can be stored in a database / file or sent via mail for review by the webmaster. It seems to me that such a process can never be done automatically with 100% accuracy. Therefore the final decision should be made by someone who cares and knows.

This is up to the application designer to implement.

We have a little news/discussion topic on your lib on one of probably the Netherlands' biggest PHP forums here: http://www.phpfreakz.nl/forum.php?forum=16&iid=1019794

I'm not expecting you to understand our language but I'll tell you it's all good and should add to your fame.

That looks pretty cool. I can't understand Dutch, but maybe some of you guys know English (I know you do).

Sure, I'm willing to help. But what can I do? It will take a long time to get tucked into this, let's say, pretty extensive lib!

Rolling out an experimental feature will not be difficult. However, the XSS blacklist library will take a bit of time to flesh out and fine tune.

(Private) comment: What is with the public e-mail addresses? Have you written a nice bot blocking class as well? ^.^ It's not that I really care or worry about spam since I'm using a hotmail account. But it's kinda easy to fake a name this way, don't you agree?

I'm not happy with the way Phorum, by default, publishes the emails of anonymous users (I'll need to find a mod that changes this behavior). If you wish, I can scrub your email from the above posts. To hide your email, you'll have to register an account.
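A sketch of the "parallel running blacklist" and getSuspicion() idea discussed in the reply above, as an added example and not HTML Purifier's own code: scanForSuspicion() is a hypothetical helper, the include path is assumed, and the sample input is constructed.

```php
<?php
// Added example: run a crude blacklist in parallel with the whitelist
// purifier and hand the result to a human instead of discarding it.
require_once 'HTMLPurifier.auto.php'; // assumed path; adjust to your install

// Hypothetical helper, not part of the HTML Purifier API.
function scanForSuspicion(string $dirty, string $clean): array {
    $flags = [];
    // Parallel blacklist of the commonly known strings named in the thread.
    // A hit is a reason to review the submission, not proof of an attack.
    $patterns = [
        'script tag'      => '/<\s*script\b/i',
        'javascript: URI' => '/javascript\s*:/i',
        'event handler'   => '/\bon[a-z]+\s*=/i',
    ];
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $dirty, $m)) {
            $flags[] = ['reason' => $label, 'match' => $m[0]];
        }
    }
    // Weaker second signal: the whitelist changed the input. HTML Purifier
    // also normalizes benign markup (closing tags, entities), so this fires
    // on harmless input too; weigh it lower than a blacklist hit.
    $normalize = function (string $s): string {
        return preg_replace('/\s+/', ' ', trim($s));
    };
    if ($normalize($dirty) !== $normalize($clean)) {
        $flags[] = ['reason' => 'purifier altered input', 'match' => ''];
    }
    return $flags;
}

$config   = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

// Constructed sample input, the kind of thing a comment form might receive.
$dirty = '<p>Hello <a href="javascript:doSomething()">friend</a></p>';
$clean = $purifier->purify($dirty);   // whitelist: the href is dropped
$suspicion = scanForSuspicion($dirty, $clean);

// Store $clean as usual; record the suspicion report (with the raw input
// and who submitted it) for the webmaster to decide on, as the thread
// suggests, rather than banning automatically.
if ($suspicion !== []) {
    error_log('HTML Purifier suspicion: ' . json_encode([
        'flags' => $suspicion, 'raw' => $dirty, 'clean' => $clean,
    ]));
}
```

For the sample input the report contains a "javascript: URI" hit plus the "purifier altered input" signal; plain prose with no markup yields an empty array.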
