web application security lab

Anti-XSS AJAX Scanner Code in Ruby

For those interested in scanners, Shreeraj Shah posted a working Ruby script that scans AJAX code for entry points. The code is brief, but it makes a good point: the obvious injection points in the code make for clear entry points to execution. I don’t know how well this deals with real-life scenarios, like obfuscation or JavaScript that outputs JavaScript, but the code is in his whitepaper.

I thought of similar ideas back when I was doing Perl auditing - looking for attack points in anything that used common libraries and commands that were often vulnerable to a lack of input sanitization. The idea is sound - not bulletproof by any means, but in lots of cases it does tend to give favorable results. This, said the man who shirks all scanners… but no, I think I give scanners a hard time because they aren’t bulletproof. Sometimes I think getting 80% of the issues still has value. Maybe it’s not bulletproof, but maybe it will allow you to dodge said bullet.
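As an added illustration of the grep-for-entry-points idea (this is not Shreeraj Shah's script, whose sink list I am not reproducing), here is a small Ruby scanner that flags common DOM sinks in JavaScript and marks a hit as tainted when a known source, or a variable assigned straight from one, appears in the same statement. The sink list, the source list and the sample JavaScript are assumptions constructed for this example.

```ruby
# Added example: grep-style DOM-sink scanner for JavaScript. Sink and source
# lists are illustrative assumptions, not a complete catalogue; the sample
# JavaScript below is constructed for the demo.
SINKS = {
  /\beval\s*\(/                            => "eval",
  /\.innerHTML\s*=(?!=)/                   => "innerHTML assignment",
  /\bdocument\.write(ln)?\s*\(/            => "document.write",
  /\b(setTimeout|setInterval)\s*\(\s*["']/ => "string-argument timer",
}.freeze

SOURCES = [
  /\blocation\.(hash|search|href)\b/,
  /\bdocument\.(URL|referrer|cookie)\b/,
  /\.responseText\b/,
  /\bwindow\.name\b/,
].freeze

Finding = Struct.new(:line, :sink, :tainted, :text)

# Names assigned directly from a source, e.g. "var q = location.hash...;".
# One statement deep and single-file only: this is not real dataflow analysis.
def tainted_vars(source)
  source.scan(/\b(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*([^;{]+);/)
        .select { |_, rhs| SOURCES.any? { |s| rhs =~ s } }
        .map(&:first).uniq
end

# Every sink hit is reported; it is marked tainted when a source or a
# source-derived variable sits on the same line.
def scan_js(source)
  var_patterns = tainted_vars(source).map { |v| /\b#{Regexp.escape(v)}\b/ }
  findings = []
  source.each_line.with_index(1) do |text, num|
    SINKS.each do |pattern, name|
      next unless text =~ pattern
      tainted = (SOURCES + var_patterns).any? { |p| text =~ p }
      findings << Finding.new(num, name, tainted, text.strip)
    end
  end
  findings
end

# Constructed sample: two source-to-sink paths, two sinks fed only constants.
SAMPLE_JS = <<~JS
  var q = location.hash.substring(1);
  document.getElementById("out").innerHTML = "<b>" + q + "</b>";
  var box = document.getElementById("msg");
  box.innerHTML = "Loaded";
  xhr.onload = function () { eval(xhr.responseText); };
  setTimeout("tick()", 1000);
JS
```

Running `scan_js(SAMPLE_JS)` reports four sink hits, of which only the innerHTML write fed by `q` and the `eval` of `responseText` are marked tainted; a flow that passes through a function call or a second variable would stay unflagged, which is exactly the 80%-not-100% trade-off described above.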

3 Responses to “Anti-XSS AJAX Scanner Code in Ruby”

  1. Awesome AnDrEw Says:

    It’s ironic, random, and slightly off-topic, but I truly do hate the whole Web 2.0 concept other than being able to post a comment every now and then on an open forum. I always preferred hardcoded HTML pages before everything became modifiable, and interactive for all users. There was less room for error in those days though pages weren’t quite as exciting (not that they are too enthralling at this point either).

  2. Wladimir Palant Says:

    Perl has the -T command line switch - the taint mode. It will give you a warning for each incoming string you didn’t check. Rarely used but potentially very useful for eliminating XSS holes.

  3. RSnake Says:

    The taint flag is good for pointing out places that you need to filter, but it says nothing about the filter you use. For instance:

    my $var = s/bob/sally/;

    Will bypass taint’s warnings.
