Forgetting Global Replace XSS Woes
One of the most common things I hear people say when they are writing perl programs is to remember to use the taint flag. I’ve always been one of those guys who knows enough not to leave strings uncleansed and I never really saw the value in it. Firstly, it doesn’t tell you if something is vulnerable or not, it simply tells you that you are using a value before making sure it’s clean. That in and of itself may be of some use to some people, but I think it gives you a false sense of hope in a lot of ways. For instance, let’s take this snippet of code:
$var =~ s/"/&quot;/;
$var =~ s/</&lt;/;
$var =~ s/>/&gt;/;
That would seem, at first blush, to stop three characters (the open and close angle brackets and the double quote) from appearing in $var. Alas, it is missing one obvious thing that would have protected it. It is missing the “g” at the end of each of the pattern matches that would have changed every occurrence in the string instead of only the first. It’s a silly thing to forget, given that it’s clearly designed to stop XSS. And what is it vulnerable to? Let’s look at how it is output:
print '<INPUT TYPE="TEXT" value="', $var, '">';
So what it is vulnerable to is simply doubling the characters, since only the first of each gets encoded:
"">><<script>alert("XSS")</script>
Turns into:
<INPUT TYPE="TEXT" value="&quot;"&gt;>&lt;<script>alert("XSS")</script>">
Pretty silly vector but it works like a charm. But who would be stupid enough to mess up something this simple? Yup, you guessed it, me! That’s what I get for using old scripts written in 1995, written long before XSS was really understood and before I knew much about programming. Thank you to zeroknock for finding the issue and letting me know. See? Everyone makes mistakes!
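To make the difference concrete, here is an added example (my code, not from the original post) that runs the post’s three substitutions without the trailing g beside a corrected version, against the doubled-character value from the post, and checks whether the result is safe to drop into a double-quoted attribute. The function names escape_first_only, escape_all and attribute_safe are mine; the corrected version also encodes & first so the entities it emits are not re-encoded.

```perl
#!/usr/bin/perl
# Added example, not part of the original post. Function names are assumptions.
use strict;
use warnings;

# The post's sanitiser: each s/// fires only once, so only the first
# occurrence of each character is encoded.
sub escape_first_only {
    my ($var) = @_;
    $var =~ s/"/&quot;/;
    $var =~ s/</&lt;/;
    $var =~ s/>/&gt;/;
    return $var;
}

# Corrected: /g encodes every occurrence, and '&' is handled first so the
# entities emitted by the later substitutions are not themselves re-encoded.
sub escape_all {
    my ($var) = @_;
    $var =~ s/&/&amp;/g;
    $var =~ s/"/&quot;/g;
    $var =~ s/</&lt;/g;
    $var =~ s/>/&gt;/g;
    return $var;
}

# Check: a value placed inside a double-quoted attribute must contain none of
# the characters that can close the attribute or open a tag.
sub attribute_safe {
    my ($v) = @_;
    return $v !~ /["<>]/;
}

# Constructed input, the doubled-character value from the post.
my $payload = '"">><<script>alert("XSS")</script>';

for my $case (['missing /g', \&escape_first_only], ['with /g', \&escape_all]) {
    my ($label, $fn) = @$case;
    my $out = $fn->($payload);
    printf "%-10s safe=%-3s %s\n", $label,
           attribute_safe($out) ? 'yes' : 'no',
           qq{<INPUT TYPE="TEXT" value="$out">};
}
```

With the post’s substitutions the output still contains a raw " and a raw <script>, so the check reports safe=no; with /g every occurrence is encoded and it reports safe=yes. In practice the hand-rolled substitutions are better replaced by encode_entities from the HTML::Entities module, which encodes all occurrences and handles & for you.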



March 16th, 2007 at 10:47 am
You are so owned!!!!!!!! ;p
- zeno
http://www.cgisecurity.com/
March 16th, 2007 at 11:53 am
That makes so much more sense than it did in the rss reader I have. Your perl rendered as
$var =~ s/”/”/;
$var =~ s//>/;
Rather than preserving the html entities.
March 16th, 2007 at 12:09 pm
Taint checking yeah… second time I read that term today. There have been some discussions on implementing taint mode in PHP but actually I’m not sure whether I like that idea.
March 18th, 2007 at 5:38 pm
Cute! I guess I’m lucky that when I was writing syslog analyzers/report generators that I got into the habit of the trailing g after making that same sort of mistake too many times myself.
March 18th, 2007 at 5:53 pm
[…] ha.ckers.org web application security lab - Archive » Fixing XSS Can Cause Command Injection « Forgetting Global Replace XSS Woes […]