
XSS Evasion: Hiding in Plain Sight

Is there a holistic solution for ensuring the secure, fast, and reliable delivery of applications?

July 29, 2008 - Lori MacVittie, Technical Marketing Manager at F5 Networks

Today's Web users continue to demand more from their online experience. Accessibility and speed drive programmers and keep users happy -- but at what price? The ever-increasing interactive capabilities of the Web's most progressive sites ultimately put a user's security in jeopardy. These new programming channels, coupled with Web 2.0, expose users to new XSS (Cross Site Scripting) threats.

Threat prevention systems of yesteryear such as UTM (Unified Threat Management), Web application firewalls, intrusion prevention systems, and intrusion detection systems can now be evaded by XSS attacks. The previous method of plugging holes with content filtering and signature-based databases no longer sufficiently combats attackers' evasion techniques. XSS attacks are now two-pronged, not only attacking a target system but also attacking the defensive systems protecting the targets. Countering them requires a system that first recognizes an evasion attempt and then identifies the underlying attack technique. The latest attacks use HTML manipulation, injection, and tags encoded in different character sets or number bases to slide through the filtering process.

The Vagaries of Language

It is often said that the English language is one of the most complex and confusing languages in existence. Homophones, such as "there" and "their" (not to mention "they're") constantly trip up even native speakers, and other eccentricities can cause great confusion and consternation among speakers and writers alike.

Although English is confusing, its complexity is nothing compared to that of languages that take an extremely lax view toward formatting, such as HTML and JavaScript. While best practice tells developers not to break up statements and tags with comments or white space, the language itself does not prevent such constructs from being considered valid. In the attempt to ensure a smooth user experience and to account for possible errors in coding, parsers and rendering engines have relaxed the rules and leave open myriad channels through which XSS attacks can be delivered.

Although systems and secure coding techniques exist that prevent traditional XSS attacks from successfully exploiting vulnerabilities across the application infrastructure, today's attackers have grown more sophisticated. Using the same attacks from yesterday, they have discovered how to embed and hide them from the filters and signature-based comparisons that have traditionally protected Web sites and applications.

White Space

Traditional filtering techniques capable of detecting XSS injection are generally based on regular expressions that expect specific formatting of HTML. This formatting includes spaces, carriage returns, and tabs. An attacker can bypass these regular-expression filters simply by removing, adding, or rearranging white space. In this way, the attack -- though a well-known one -- does not match the expected pattern, and the resulting malicious code is allowed to pass through and exploit the application.

White-space-based injection attacks work because the filters in threat-prevention systems do not cover all the possible formatting cases, while HTML rendering engines tolerate any amount of white space between a tag name, its attributes, and the closing bracket, so the differently formatted markup still executes exactly as the textbook version would.
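As an added example (not code from the original article or from F5), the following JavaScript shows a naive signature filter of the kind described above, the whitespace variants that slip past it, a whitespace-tolerant version of the same signatures, and the contextual output encoding that does not depend on recognizing the attack at all. The filter functions, the regular expressions, and the payload list are all assumptions constructed for this illustration; the note that browsers strip ASCII tab, LF and CR from URLs before parsing the scheme reflects standard URL-parser behaviour.

```javascript
// Added example: naive vs. whitespace-tolerant XSS signature filters,
// plus output encoding. All payloads and signatures are constructed here
// for illustration; none are taken from the original article.

// 1. Naive filter: literal signatures that expect one exact formatting,
//    the way many regex-based filters of the period were written.
const NAIVE_SIGNATURES = [
  /<script>/i,
  /onerror=/i,
  /javascript:/i,
];

function naiveFilterBlocks(input) {
  return NAIVE_SIGNATURES.some((re) => re.test(input));
}

// 2. Whitespace-tolerant filter. A tag name itself cannot contain white
//    space, but HTML accepts any amount of it between the tag name, the
//    attributes, the "=" and the closing ">". Browsers also strip ASCII
//    tab, LF and CR from a URL before parsing its scheme, so
//    "java\tscript:" is treated as "javascript:"; we normalise the same way.
const TOLERANT_SIGNATURES = [
  /<\s*script[\s>\/]/i, // <script>, <script >, <script\n>, <script/...
  /\bon[a-z]+\s*=/i,    // onerror=, onerror =, onload\t=
  /javascript\s*:/i,    // javascript:, javascript :
];

function tolerantFilterBlocks(input) {
  const normalised = input.replace(/[\t\n\r]/g, ""); // mimic URL-parser stripping
  return TOLERANT_SIGNATURES.some((re) => re.test(input) || re.test(normalised));
}

// 3. The defence that does not depend on recognising the attack: encode
//    untrusted data for the HTML context it lands in, so that however the
//    attacker formats it, the browser never parses it as markup.
function htmlEncode(text) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(text).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Constructed sample payloads: the textbook form and whitespace variants
// that a browser renders identically.
const PAYLOADS = {
  textbook:      '<script>alert(1)</script>',
  tagSpace:      '<script >alert(1)</script >',
  tagNewline:    '<script\n>alert(1)</script>',
  attrSpaces:    '<img src=x onerror = alert(1)>',
  attrTab:       '<img src=x onerror\t=alert(1)>',
  schemeTab:     '<a href="java\tscript:alert(1)">x</a>',
  schemeNewline: '<a href="java\nscript:alert(1)">x</a>',
};

// For each payload, report whether each filter blocks it. Running this
// shows which formatting tricks the naive filter misses.
function evaluateFilters(payloads = PAYLOADS) {
  const result = {};
  for (const [name, p] of Object.entries(payloads)) {
    result[name] = {
      naive: naiveFilterBlocks(p),
      tolerant: tolerantFilterBlocks(p),
      encodedIsInert: !htmlEncode(p).includes("<"),
    };
  }
  return result;
}

console.table(evaluateFilters());
```

Only the textbook payload trips the naive filter; every whitespace variant passes it and still executes in a browser. Widening the patterns helps, but the last column is the real point: once output is encoded for its context, the filter's pattern coverage no longer decides whether the page is exploitable.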