Re: Why is "oN%3d" so dangerous?

From: Mike Kozlowski (mlk_at_klio.org)
Date: 10/01/04


Date: Fri, 1 Oct 2004 19:19:18 +0000 (UTC)

In article <uexrmD9pEHA.3896@TK2MSFTNGP15.phx.gbl>,
Nicole Calinoiu <ngcalinoiu REMOVETHIS AT gmail DOT com> wrote:

>If you're curious as to the exact details of why it fails validation, grab a
>copy of Reflector and take a look at the
>System.Web.CrossSiteScriptingValidation class. The entry point for query
>string validation is the IsDangerousString method.

For easy reference for some future person looking at this thread
because they're having the same problem, the XSS validator blocks any
string matching (in effect) the following regexes:

script\s*=
[^a-zA-Z]on[a-zA-Z]*\s*=
expression
&#
<[a-zA-Z!]

The last two are impossible with Base64 encoding (which only allows
letters, digits, +, /, and =), the first two are impossible if you
just do UrlEncode twice in a row (to prevent equal signs from
occurring), and the third is vanishingly unlikely in random characters,
but if you're concerned about it, you can just replace all "x"
characters with "," after the Base64 encoding.

-- 
Mike Kozlowski
http://www.klio.org/mlk/
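Added example, not code from Mike's post or from the .NET framework: a sketch of the five checks listed above as regexes, a one-decode-then-validate step the way the server sees a query value, and the Base64 / swap-x / double-UrlEncode recipe from the post with its inverse. Assumptions: matching is case-insensitive (the subject line's "oN=" is rejected) and start-of-string counts as a non-letter before "on".

```python
import base64
import re
import urllib.parse

# The five checks Mike lists, as regexes. This is a sketch of the behaviour
# described in the post, not the real System.Web.CrossSiteScriptingValidation
# code. Assumptions: matching is case-insensitive (the subject line's "oN=" is
# rejected) and start-of-string counts as a non-letter before "on".
DANGEROUS = [re.compile(p, re.IGNORECASE) for p in (
    r"script\s*=",
    r"(?:^|[^a-zA-Z])on[a-zA-Z]*\s*=",
    r"expression",
    r"&#",
    r"<[a-zA-Z!]",
)]


def is_dangerous_string(value: str) -> bool:
    """True if the decoded query-string value would be rejected."""
    return any(p.search(value) for p in DANGEROUS)


def survives_validation(raw_query_value: str) -> bool:
    """The server URL-decodes a query value once before validating it."""
    return not is_dangerous_string(urllib.parse.unquote(raw_query_value))


def encode_opaque(data: bytes) -> str:
    """Encode arbitrary bytes for a query string using the recipe in the post:
    Base64 (only letters, digits, +, /, =), swap 'x' for ',' so 'expression'
    cannot occur, then URL-encode twice so no literal '=' remains after the
    server's single decode."""
    b64 = base64.b64encode(data).decode("ascii").replace("x", ",")
    once = urllib.parse.quote(b64, safe="")
    return urllib.parse.quote(once, safe="")


def decode_opaque(raw_query_value: str) -> bytes:
    """Reverse encode_opaque: two URL-decodes, undo the x/, swap, Base64-decode."""
    b64 = urllib.parse.unquote(urllib.parse.unquote(raw_query_value))
    return base64.b64decode(b64.replace(",", "x"))


if __name__ == "__main__":
    # Constructed sample: its Base64 form is "xx3H", so the 'x' swap is exercised.
    sample = b"\xc7\x1d\xc7"
    encoded = encode_opaque(sample)
    print(encoded, survives_validation(encoded), decode_opaque(encoded) == sample)
```

A single UrlEncode is not enough: "0on=" encoded once arrives as "0on=" after the server's decode and is still rejected, while the double-encoded form survives.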