Comp527 Final Project Weekly Report (Nov. 18, 2013)
Detection & Sanitization of XSS
Jun Zheng (jz33) Chao Zhang (cz15)
Rice University
Overview
For now, our group is focusing on analyzing the Django MVC framework [1] and building view and HTML test cases to observe the behavior of Django's XSS sanitization, which disables HTML tags.
Sanitization Target
1. Random string from view or programmer:
These inputs are always trusted by the server, so Django's XSS sanitization does not perform any escaping step.
Example:
In view.py, we write a string that contains a script and return it in the HTTP response; when we run the Django server, an alert box shows up in the browser.
2. Random string from user:
It seems that these inputs are never trusted by the server; all input that comes from users is treated as potentially dangerous script.
Example:
In the HTML file, we submit a form to the server and wait for the returned query string. Next, in view.py, we add a function serverTest to handle the request and output the query. Then we run the server and type some script such as "<script>alert('hi')</script>"; the sanitization mechanism escapes the input to "%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E".
Escaping Dictionary
Below is the escaping list obtained after some testing.
before escaping : after escaping
'~'  : '%7E' + ' v',
'`'  : '%60',
'!'  : '%21',
'@'  : '%40',
'#'  : '%23',
'$'  : '%24',
'%'  : '%25',
'^'  : '%5E',
'&'  : '%26',
'*'  : ' u',
'('  : '%28',
')'  : '%29',
'_'  : ' u',
'-'  : ' u',
'+'  : '%2B',
'='  : '%3D',
'{'  : '%7B',
'['  : '%5B',
'}'  : '%7D',
']'  : '%5D',
'|'  : '%7C',
'\\' : '%5C',
':'  : '%3A',
';'  : '%3B',
'"'  : '%22' + ' v',
'\'' : '%27',
'<'  : '%3C' + ' v',
','  : '%2C',
'>'  : '%3E' + ' v',
'.'  : ' u',
'?'  : '%3F',
'/'  : '%2F',
' '  : '+',
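The round trip described under Sanitization Target, as an added example in Python (not code from this report or from Django): the test string is percent-encoded the way a submitted form encodes a field (which for the report's test string gives exactly the %3Cscript%3E... form listed above), decoded by the server back to the original characters, and then HTML-escaped on output the way Django's template autoescaping does, with a SafeString marker standing in for the trusted-view case (target 1). The names SafeString, render() and round_trip() are this example's own.

```python
from html import escape
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample input: the test string typed into the form in the report.
USER_INPUT = "<script>alert('hi')</script>"


def form_encode(value: str) -> str:
    """Percent-encode a form field value the way a submitted form does
    (application/x-www-form-urlencoded): space -> '+', other reserved
    characters -> %XX. This is a transport encoding, not HTML escaping."""
    return quote_plus(value)


def server_decode(query_string: str, field: str) -> str:
    """Decode the query string as the framework does before the view reads
    it (request.GET[field]); the original characters come back unchanged."""
    return parse_qs(query_string)[field][0]


class SafeString(str):
    """Marker for output the programmer vouches for, like Django's mark_safe().
    Target 1 in the report (a string produced in the view) takes this path."""


def render(value: str) -> str:
    """Autoescape on output unless the value is explicitly marked safe. The five
    characters escaped (& < > " ') are the ones Django's escape() also handles."""
    if isinstance(value, SafeString):
        return str(value)
    return escape(value, quote=True)


def round_trip(user_input: str, field: str = "q"):
    """Follow one value from the browser to the response body.
    Returns (query string, decoded value, escaped output, trusted output)."""
    query_string = urlencode({field: user_input})   # what the browser sends
    decoded = server_decode(query_string, field)     # what view.py receives
    return (query_string, decoded, render(decoded), render(SafeString(decoded)))


if __name__ == "__main__":
    qs, decoded, escaped, trusted = round_trip(USER_INPUT)
    print("query string :", qs)
    print("decoded      :", decoded)
    print("autoescaped  :", escaped)
    print("marked safe  :", trusted)
```

The percent-encoding seen in the query string is gone once the server decodes the value, so the tag is kept out of the rendered page by the HTML escaping on output, not by the %XX form in transit.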
Further Work
Next, we will continue looking at whether there are any XSS cases that Django's sanitization misses, and how Django could protect tags like <b>.
Reference:
[1] http://owasp-esapi-python-swingset.appspot.com/xss/no_escaping