Using HTML purifier demo to cleanse attack vectors

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Post by luntrus »

Hi forum friends,

Code you want to be beyond suspicion, I assume, or at least ye want to detect it so you can recognize it better next time around:
feed the script at hand into the online demo form and then launch the "malicious code removed" module.
I tested it with various XSS attack scripts and it worked flawlessly. I got as output:
<img src="javascript:evil();" onload="evil();" />
Input example for you all:
http://htmlpurifier.org/demo.php?filter[AutoFormat.AutoParagraph]=0&filter[AutoFormat.DisplayLinkURI]=0&filter[AutoFormat.Linkify]=0&filter[AutoFormat.PurifierLinkify.DocURL]=%23%25s&filter[AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions]=td%0D%0Ath&filter[AutoFormat.RemoveEmpty.RemoveNbsp]=0&filter[AutoFormat.RemoveEmpty]=0&filter[AutoFormat.RemoveSpansWithoutAttributes]=0&filter[Null_CSS.AllowedProperties]=1&filter[Core.CollectErrors]=0&filter[Null_HTML.Allowed]=1&filter[Null_HTML.Doctype]=1&filter[HTML.TidyLevel]=medium&filter[URI.DisableExternalResources]=0&filter[Null_URI.Munge]=1&html=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22ISO-8859-1%22%3F%3E%3C!DOCTYPE+foo+[%3C!ELEMENT+foo+ANY%3E%3C!ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fdev%2Frandom%22%3E]%3E%3Cfoo%3E%26xee%3B%3C%2Ffoo%3E%0D%0A&submit=Submit&experimental=1

Enjoy my good forum friends, and learn while doing the exercise.
Some more code example material can be taken from here: http://attackvectors.com/code/XSS.txt

luntrus

P.S. So please keep your NS visors up, it detects XSS attempts, really it does...

Damian
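To show what a sanitiser like the demo actually does with the two inputs in this post, here is an added allowlist sanitiser written for this thread (not HTML Purifier's own code, which is PHP). It runs the `<img src="javascript:..." onload="...">` vector and the XXE-style payload from the demo URL through a tag/attribute allowlist; the allowlist itself and the `dropped` log are constructed assumptions, not anything HTML Purifier exposes.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for this example): element -> attributes permitted on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
REQUIRED = {"img": "src"}        # drop the whole element if this attribute is rejected
VOID = {"img"}                   # serialised as self-closing
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []   # clean fragments, plus a log of what was removed
    def _safe_uri(self, value):
        v = value.strip().lower()
        # Scheme allowlist plus site-relative paths: javascript:, data:, file: and
        # scheme-relative //host URIs all fail closed, as do whitespace-obfuscated schemes.
        return v.startswith(SAFE_SCHEMES) or v.startswith("#") or (
            v.startswith("/") and not v.startswith("//"))
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(("tag", tag)); return
        kept = {}
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:                 # onload=, onerror=, style=, ...
                self.dropped.append(("attr", f"{tag}@{name}")); continue
            if name in ("href", "src") and not self._safe_uri(value):
                self.dropped.append(("uri", f"{tag}@{name}={value}")); continue
            kept[name] = value
        if tag in REQUIRED and REQUIRED[tag] not in kept:
            self.dropped.append(("tag", tag)); return    # e.g. <img> whose src was rejected
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}{' /' if tag in VOID else ''}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))   # text is re-escaped: &xee; comes out as inert &amp;xee;
    # Processing instructions, DOCTYPE/ENTITY declarations and comments never reach the output,
    # so the external-entity declaration in the demo payload is logged and discarded.
    def handle_pi(self, data): self.dropped.append(("pi", data))
    def handle_decl(self, decl): self.dropped.append(("decl", decl))
    def unknown_decl(self, data): self.dropped.append(("decl", data))
    def handle_comment(self, data): self.dropped.append(("comment", data))

def sanitize(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    s = AllowlistSanitizer()
    s.feed(fragment); s.close()
    return "".join(s.out), s.dropped
```

The `dropped` log is the part worth wiring into monitoring: a burst of rejected `javascript:` URIs or event-handler attributes from one account is a signal on its own, independent of whether the payload would have worked.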