web application security lab

Blocking Alert

I’m always amazed at people who think that blocking alert() is an effective way to block cross site scripting. I’ve seen it myself, and it never sounded right even the first time I saw it years ago. It sounds even less right now. Here’s an email from a friend of mine, Jon McClintock:

I just got a nice XSS “win” that I thought I’d share with you. The app had an odd filter that would block JS calls to the alert() method.

So this (invalid JS) input got in:

";alert"xss";

But this didn’t:

";alert("xss");

The usual whitespace and comment tricks didn’t work either, and other useful methods, such as eval, were also blocked. So what do you do? Function pointer, of course:

";var foo=alert;foo("xss");

That’s a great example of pointing to functions, but what about things like confirm() or prompt()? Sure, maybe all those are blocked too, but come on… it’s time to start addressing the problem (encoding untrusted data for the context it lands in) rather than trying to block one of the hundreds of ways someone can initiate the attack. Anyway, great example!

5 Responses to “Blocking Alert”

  1. Jeremiah Blatz Says:

    alert? confirm? prompt? Blocking those is like blackholing traffic from your pen testers. Sure, maybe you don’t get a finding in your report, but the bad guys still get to do whatever they want. Bad guys don’t use alert(), they send off secret information to their Chinese servers, or just perform their fraudulent transactions. Blocking alert is only slightly less useless than blocking the string “xss” (which happens).

  2. John Ther Says:

    In real world why would a real attacker use alert() anyway :) that’s just stupid. What are you gonna do show a big alert message to your victim?

  3. MikeA Says:

    Alert? I don’t get it - what is the point in blocking alert? Sure, it can be annoying having popups, but it’s not exactly anything dangerous. The *only* time I’ve ever seen alert used is for *test* XSS - all of the actual exploits either rewrite the page, grab cookies, send requests, etc., etc. Leave alert alone - that’s not where the issue is.

    What this really shows is a complete misunderstanding of the issue - someone obviously saw alert(…) being used in lots of XSS examples and used that as his “signature” for bad behavior. It’s no different than using ' or 1=1 -- for your signature to stop SQL Injection (and yes, I’ve seen that as well!)

    Stories like these really go to show how far we still have to go :(

  4. Kyran Says:

    MikeA: In the defense of the uninformed, it’s BECAUSE people use it in testing for XSS, not because alert is really malicious in any way and needs to be stopped.

    But we do still have a long way to go.

  5. Gregory Fleischer Says:

    @John Ther, @MikeA - actually, yes, you do just show a great big alert to your victim. The bigger the better ;) [1]

    But seriously, blocking alert is just silly. You’re better off approaching the situation as a detection scenario. If you can catch an attacker during the reconnaissance phase, you may be able to remedy the vulnerability before widespread exploitation begins.

    And not to call anybody out, but for those who recommend strike back techniques against XSS, that may work the first time. Then it’s back to shell accounts and Perl scripts for the attacker, where alert doesn’t count for anything. All that cleverness just looks like drama. Commoditizing anti-XSS based on pattern matching only works as long as you are smarter than the next young upstart. And for all the young upstarts out there, have at it.

    [1] http://www.mozilla.org/security/announce/2007/mfsa2007-39.html