Re: Why is "oN%3d" so dangerous?
From: Mike Kozlowski (mlk_at_klio.org)
Date: 10/01/04
- Next message: mangia: "Re: Access is denied. / HTTP 500 - Internal server error"
- Previous message: Anabela Silva: "Re: Access is denied. / HTTP 500 - Internal server error"
- In reply to: Nicole Calinoiu: "Re: Why is "oN%3d" so dangerous?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 1 Oct 2004 19:19:18 +0000 (UTC)
In article <uexrmD9pEHA.3896@TK2MSFTNGP15.phx.gbl>,
Nicole Calinoiu <ngcalinoiu REMOVETHIS AT gmail DOT com> wrote:
>If you're curious as to the exact details of why it fails validation, grab a
>copy of Reflector and take a look at the
>System.Web.CrossSiteScriptingValidation class. The entry point for query
>string validation is the IsDangerousString method.
For easy reference for some future person looking at this thread
because they're having the same problem, the XSS validator blocks any
string matching (in effect) the following regexes:
script\s*=
[^a-zA-Z]on[a-zA-Z]*\s*=
expression
&#
<[a-zA-Z!]
The last two are impossible with Base64 encoding (which only allows
letters, digits, +, /, and =), the first two are impossible if you
just do UrlEncode twice in a row (to prevent equal signs from
occurring), and the third is vanishingly unlikely in random characters,
but if you're concerned about it, you can just replace all "x"
characters with "," after the Base64 encoding.
-- Mike Kozlowski http://www.klio.org/mlk/
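An added example (my own, not code from the thread or from ASP.NET) that models the five checks Mike lists and shows why a Base64 value such as "…3oNA=" trips the `on…=` rule even after one round of URL encoding, while the double-encoded form does not. It assumes the checks are case-insensitive and that the framework URL-decodes a query value once before validating it; the post states neither.

```python
import re
import base64
from urllib.parse import quote, unquote

# The five patterns from the post, applied case-insensitively (assumption:
# the subject line "oN%3d" shows mixed case still trips the check).
DANGEROUS = [re.compile(p, re.IGNORECASE) for p in (
    r"script\s*=",
    r"[^a-zA-Z]on[a-zA-Z]*\s*=",
    r"expression",
    r"&#",
    r"<[a-zA-Z!]",
)]


def is_dangerous(value: str) -> bool:
    """Approximation of the request-validation heuristic the thread describes."""
    return any(p.search(value) for p in DANGEROUS)


def validate_query_param(raw: str) -> bool:
    """Assumed framework behaviour: URL-decode the raw value once, then check."""
    return is_dangerous(unquote(raw))


def encode_for_query(data: bytes) -> str:
    """Base64, swap 'x' for ',' (not in the Base64 alphabet, so reversible),
    then URL-encode twice so no literal '=' survives the framework's decode."""
    b64 = base64.b64encode(data).decode("ascii").replace("x", ",")
    return quote(quote(b64, safe=""), safe="")


def decode_from_query(raw: str) -> bytes:
    """Reverse of encode_for_query: the framework decodes once, we decode once more."""
    seen_by_handler = unquote(raw)
    b64 = unquote(seen_by_handler).replace(",", "x")
    return base64.b64decode(b64)


# Constructed sample: these bytes Base64-encode to "AAA3oNA=", i.e. a digit
# followed by "oN" and then "=", which is exactly the false positive in the thread.
SAMPLE = b"\x00\x00\x37\xa0\xd0"
```

Single URL encoding does not help, because the framework's own decode restores the "=" before the check runs; the double-encoded form only ever shows the validator "%3D".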