Defeating input filters for injection

Malicious input in URLs, in particular, will look suspicious to someone who has heard of these attacks, or at least to a security scanner. So an attacker will try to hide the suspicious parts from the victim or from the security scanner. For a human being this can be as easy as displaying a tidy link as an image, while the image is in fact linked to a malicious URL. Or the malicious part can be hidden in a very long URL where it does not stand out. When it comes to automatic scanners, the attacker has to use different techniques. If the web application's filter does not remove all HTML tags from the input data, but uses a blacklist filter, the attacker might use the following alternatives to the <script> tag, which work in most web browsers:
 
  • <<script> (if the scanner filters <script> and compares the string inside the first matching bracket pair)
  • <scrscriptipt> (bypasses scanners that remove the word script in a single, non-recursive pass)
  • <script/src=… (bypasses scanners that look for <script> or <script src=…)
  • <script a=">" " src=… (bypasses a scanner which allows <script>, but not <script src=…)
  • or put a line feed after each character (works in Internet Explorer 6.0)

There are many more possibilities, and you have to take other tags into account, such as <img>, <table>, <a>, or event handlers (on…). More examples are found at http://ha.ckers.org/xss.
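The following Ruby snippet is an added example and is not part of the guide: it runs the tag variants listed above through two toy blacklist filters and through CGI.escapeHTML, showing that a non-recursive word filter turns <scrscriptipt> into a live <script> tag, that <script/src= slips past an exact-tag match, and that escaping neutralizes every variant. The inputs, helper names and the x.js path are constructed for this example.

```ruby
require 'cgi'

# Constructed inputs, built from the variants the text lists (harmless alert(1) bodies).
VARIANTS = [
  '<script>alert(1)</script>',
  '<scrscriptipt>alert(1)</scrscriptipt>',
  '<script/src=x.js></script>',
].freeze

# Blacklist filter A: strip only the literal <script> and </script> tags.
def strip_script_tag(input)
  input.gsub(%r{</?script>}i, '')
end

# Blacklist filter B: strip the word "script" in one non-recursive pass.
# gsub does not rescan its own output, so "scrscriptipt" collapses to "script".
def strip_script_word(input)
  input.gsub(/script/i, '')
end

# The safe approach: escape every character that carries meaning in HTML.
def escape_html(input)
  CGI.escapeHTML(input)
end

# True if a raw <script ...> opening tag is still present in the output.
def script_tag?(html)
  html.match?(%r{<script[\s/>]}i)
end

# For each variant, report whether a script tag survives each treatment.
def evaluate(variants = VARIANTS)
  variants.to_h do |v|
    [v, {
      tag_filter: script_tag?(strip_script_tag(v)),
      word_filter: script_tag?(strip_script_word(v)),
      escaped: script_tag?(escape_html(v)),
    }]
  end
end

if __FILE__ == $PROGRAM_NAME
  evaluate.each { |variant, result| puts "#{variant.inspect} => #{result}" }
end
```

Only the escaped column is false for every variant; each blacklist filter lets at least one variant through as a live script tag.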

Another very effective way to hide angle brackets or other characters from a security scanner is to use a different character encoding that the web browser might be able to process, but the web application might not. There are many ways to encode characters, but of course the browser has to be set to read the document in that encoding. If the encoding is set to Auto-Select in Internet Explorer and there is a UTF-7 or UTF-8 encoded string in the first 4096 bytes, it will automatically treat the document as UTF-7 or UTF-8.
 
If the user has set this option and/or the web application does not send a default character encoding, as is the case with Rails applications by default, cryptic UTF-8 encoded strings like the following will pop up a message box if injected.
 
<IMG src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
 
And if the user has set his browser to UTF-7 encoding, injecting the following will pop up a message box. Note that it does not include any angle brackets, so it might bypass filters that look for them.

+ADw-SCRIPT+AD4-alert('vulnerable');+ADw-/SCRIPT+AD4-