mod-security-users

[mod-security-users] whitelisting XSS/HTML-injection defense

[Rude Y. <ru...@ya...>]

I've read the portion of the doc that covers XSS, i.e.

<Location /cms/article-update.php>
SecFilterInheritance Off
# other filters here ...
SecFilterSelective "ARGS|!ARG_body" "<.+>"
</Location>

What I would like to know is if anyone has gotten more sophisticated with XSS
defense and tried to whitelist certain tags.  I'm trying to set up a policy
that will allow a few harmless tags (let's say, for argument's sake, that <B>
and <PRE> are considered harmless) but not others.  This has proven to be quite
a challenge.  So far, I've come up with:

SecFilterSelective "ARGS|!ARG_blog-text" "<.+>" id:1501
SecFilterSelective "ARG_blog-text" "<" chain,id:1502
SecFilterSelective "ARG_blog-text" "!<([Bb]|[Pp][Rr][Ee])([ >])" id:1503
SecFilterForceByteRange 9 126

But this (needless to say) doesn't work because a QUERY_STRING that has

blog-text=Abc+def+<B>

will still find the "Abc+def" matching <([Bb]|[Pp][Rr][Ee])([ >]) and be
blocked by the filter.  Has anyone come up with a clever way to whitelist input
this way?  I'm going to keep trying but I'm feeling close-to-stumped right now
:-)

Erick.


		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com

Re: [mod-security-users] whitelisting XSS/HTML-injection defense

[Ivan R. <iv...@we...>]

Rude Yak wrote:
> I've read the portion of the doc that covers XSS, i.e.
> 
> <Location /cms/article-update.php>
> SecFilterInheritance Off
> # other filters here ...
> SecFilterSelective "ARGS|!ARG_body" "<.+>"
> </Location>
> 
> What I would like to know is if anyone has gotten more sophisticated with XSS
> defense and tried to whitelist certain tags.  I'm trying to set up a policy
> that will allow a few harmless tags (let's say, for argument's sake, that <B>
> and <PRE> are considered harmless) but not others.  This has proven to be quite
> a challenge.  So far, I've come up with:
> 
> SecFilterSelective "ARGS|!ARG_blog-text" "<.+>" id:1501
> SecFilterSelective "ARG_blog-text" "<" chain,id:1502
> SecFilterSelective "ARG_blog-text" "!<([Bb]|[Pp][Rr][Ee])([ >])" id:1503
> SecFilterForceByteRange 9 126
> 
> But this (needless to say) doesn't work because a QUERY_STRING that has
> 
> blog-text=Abc+def+<B>
> 
> will still find the "Abc+def" matching <([Bb]|[Pp][Rr][Ee])([ >]) and be
> blocked by the filter.  Has anyone come up with a clever way to whitelist input
> this way?  I'm going to keep trying but I'm feeling close-to-stumped right now
> :-)

   Brave attempt but I don't think it is possible to reliably whitelist
   HTML tags using regular expressions only. In this case I think custom
   programming is the way to go. This is something I want to add to a
   future ModSecurity release: create a hook to allow custom code to
   be plugged-in to verify the incoming data.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org