Bad Words as security counter measure

Posted: Wed Mar 03, 2004 3:22 pm

Has anyone considered using bad word filters as a backup security counter measure?

I've been playing with a few like:
javascript
onload
onmouseout
onmouseover

Of course the more words the more overhead generated but it seems to work slick when the word filter is universal on a the site.

Better yet could we build a list here?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

How does this affect blocks that use javascript?

Posted: Wed Mar 03, 2004 11:00 pm

I haven't tried inside a portal that generates blocks. I applied this only to form fields in a script I'm hacking away on. Registration, Edit Registration so on and so on.

I'm using:
$value=textFilter(kses(MY_stripslashes($value) , $applied);

textFilter = bad words filter
KSES = http://sourceforge.net/projects/kses
MY_stripslashes = checks if if get_magic_quotes_gpc = 1 for KSES

I filter from database with KSES and some places with strip_tags (remove font color ect.. for search results ect... to keep them uniform. I was considering removing the word filter or expanding it when it occured to me that it was fairly lean and mean as it is and could be useful instead of borderline useless bloat.

Using it this way almost amounts to dynamic string replacement for novices ect... who don't want to go hunting through files for 20 instances of a string in 5 different files.

The one I'm using is simple just add words and it replaces the word with a single * no mask or replacement word. (Lean and Mean). Replacement words would work as well just not as fast.

Worker Joined: Feb 18, 2004 Posts: 244

I like anything that adds security. Smile

If were already stripping tags that we don't like in a function with something like kses(), why would we need to strip the word itself?

Are you thinking about Internet Explorers pesky habit of fixing malformed tags for us?

If a filter mistakes it for a safe string because the tag is purposfully typo'ed in the hopes that IE will fix it on the other end....

(I read an exploit that makes use of this somewhere last week.)

If kses() is missing them then it would seem we need to edit kses() to catch em.

If we strip these words:

Quote:

javascript
onload
onmouseout
onmouseover

Then we can't use them anymore in our legitimate input. Like if these functions were to be used to strip input for a forum, or input from a tutorial, or as I'm doing, an online course.

I couldent have a course about html tags if even the innerds were not allowed.

Hmm, I dunno...

Darrell

Posted: Thu Mar 04, 2004 3:53 pm

No I don't have a problem with kses catching the tags. But say if I allowed one to accomplish something good. Then someone came along and saw that I allowed
<img with alt and decided to try adding some obscured onmouseover to the alt field (Not 100% sure this is a realistic example but sounds like something IE might do). Or some other out there example like that.

The example of an html course is exactly why I was thinking of an outside list of suggestions. Suggestions could be opted out of hard coding can't. In my use there is no reason to allow the string mouse over at all.

Ravens example of javascript in blocks I think they should be left as before so any including of java would have to be coded into a actual block-myblock.php file.

Posted: Thu Mar 04, 2004 4:34 pm

I agree about not allowing javascript in the dynamic blocks that are stored in the database. These blocks should be run through the validators, mainly because there can be more than one admin on a site.

There was just a question about html not being allowed in a block on nuke cops....

Third party, user created blocks can be prieviewed by the the admin before he installs them. So I would not expect them to be validated.

About the bad words filter, an array in the code seems like a good place to store words your worried about. Either your own to ensure future compatibablity, or piggyback off the existing one in nuke. Then the admin can edit the array for his specific needs.

Or if your really a glutton for punishment, a table of words in a database that the admin can edit from his control panel in your program. Smile

What are you developing?

It's kind of nice to have someone else working in the same areas as I am at the moment.

Darrell

Posted: Thu Mar 04, 2004 5:21 pm

I'm not really developing just tore zclassifeds down and am enhancing its stand alone version for personal use. Intention was to create a simple image hosting application for ebay ect...

I've pretty much just went back to the original app and updated it making it a safe place to start from.

From there changing from classifieds to simple image hosting should be a snap. I just didn't want to add my functions to a already unsafe out of date engine.

I've done that now for the real work.
Here is a pre security fix concept demo. I'll try and get it updated late this evening. It will look virtually the same but will be much safer to run.
http://www.auction.glowoptics.com

Silly waste of time really but I'm having fun.

Posted: Thu Mar 04, 2004 5:43 pm

Kewl,

There are always people looking for a place to remote-link images from...

Posted: Thu Mar 04, 2004 10:39 pm

Here is a list of evil words, strings and so on gleemed from the former cgi shield filter. (Don't know what happened to that project, anyone?

Much of this isn't relevent to specific servers but I wanted to start this out as an awareness thing more then anything. The strings are all valid but obviously we won't strip out every "<" or ">" just because its included in almost every exploit. But leaving it in the list might help to raise awareness that the smallest slip can lead to a site being defaced or worse.

Actually a lot of these especially the MS exploits and java ones can be shortened down so one word or string will kill several others too. Like onmouse will catch a lot or MSYS. would get a lot.

I'm not going to try and break this down right now but I thought I'd offer up a start aiming back at the original subject.

So here is this list:

Code:




(.*?)(\\\\*?)\$


\|


(select(.*?)from)


(delete(.*?)from)


(update(.*?)set(.*?)=)


(insert(.*?)into(.*?)values)


(drop(.*?)database)


(drop(.*?)table)


(mid\((.*?)\))


(char\((.*?)\))


(openrowset\((.*?)\))


(bulk(.*?)insert(.*?)from\((.*?)\))


(group(.*?)by(.*?)having)


(union(.*?)select)


(openquery\((.*?)\))


(exec(.*?)xp_execresultset)


(exec(.*?)xp_regread)


(exec(.*?)xp_regdeletevalue)


(exec(.*?)xp_regenumkeys)


(exec(.*?)xp_regenumvalues)


(exec(.*?)xp_regread)


(exec(.*?)xp_regremovemultistring)


(exec(.*?)xp_regwrite)


(exec(.*?)xp_availablemedia)


(exec(.*?)xp_dirtree)


(exec(.*?)xp_enumdsn)


(exec(.*?)xp_loginconfig)


(exec(.*?)xp_makecab)


(exec(.*?)xp_ntsec_enumdomains)


(exec(.*?)xp_cmdshell)


(exec(.*?)sp_oacreate)


(exec(.*?)sp_oamethod)


(onmouseover)


(src=(.*?))javascript


(dynsrc=(.*?))javascript


(href=(.*?))javascript


(src=(.*?))vbscript


(src=(.*?))mocha


(src=(.*?))livescript


(onload)


([\xC0][\xBC]script>)


(&lt;script>)


(<script)


CDATA


javascript:


text\/javascript


document.cookie


(&{)(.*?)}


&#([0-9]*?)


<div


SYS.USER_CATALOG


SYS.USER_TRIGGERS


SYS.USER_CONSTRAINTS


SYS.USER_TAB_COLUMNS


SYS.ALL_TABLES


SYS.USER_VIEWS


SYS.USER_TABLES


SYS.TAB


SYS.USER_OBJECTS


MSysRelationships


MSysQueries


MSysObjects


sp_OACreate


sp_OAMethod


sp_OAGetProperty


sp_addextendedproc


sp_password


sp_dropextendedproc


sp_makewebtask


dbo.sysobjects


dbo.syscolumns


dbo.sysdatabases


\\\\0


\|


\\n


\\x04


\~


\'


\"


#


--


\/\*


`


<


>


@


\)


\(


\.\.\/


(onmousemove)


(onfocus)


onblur


onclick


onkeydown


onkeypress


onkeyup


onerror


onabort


onchange


ondblclick


ondragDrop


onmousedown


onmouseout


onmouseup


onmove


onreset


onresize


onselect


onsubmit


<span


<meta


<embed


<bgsound

New Member Joined: Nov 20, 2003 Posts: 2

Here's an example of poor man's filter Smile

Code:




foreach ($_GET as $secvalue) {


   $secvalue = strtolower($secvalue);





   $jsevent =    (


      strpos($secvalue, "onload") !== false ||


      strpos($secvalue, "onclick") !== false ||


      strpos($secvalue, "ondblclick") !== false ||


      strpos($secvalue, "onkeydown") !== false ||


      strpos($secvalue, "onkeypress") !== false ||


      strpos($secvalue, "onkeyup") !== false ||


      strpos($secvalue, "onmousedown") !== false ||


      strpos($secvalue, "onmouseout") !== false ||


      strpos($secvalue, "onmouseup") !== false ||


      strpos($secvalue, "onmouseover") !== false ||


      strpos($secvalue, "onblur") !== false ||


      strpos($secvalue, "onfocus") !== false);





   $nuketable =    (


      strpos($secvalue, "nuke_users") !== false ||


      strpos($secvalue, "nuke_authors") !== false ||


      strpos($secvalue, "nuke_groups") !== false);





   if (


      (ereg("<[^>]*script*\"?[^>]*>", $secvalue)) ||


      (ereg("<[^>]*object*\"?[^>]*>", $secvalue)) ||


      (ereg("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||


      (ereg("<[^>]*applet*\"?[^>]*>", $secvalue)) ||


      (ereg("<[^>]*meta*\"?[^>]*>", $secvalue)) ||


      (ereg("<[^>]*style*\"?[^>]*>", $secvalue)) ||


      (ereg("<[^>]*form*\"?[^>]*>", $secvalue)) ||


      (ereg("<[^>]*img*\"?[^>]*>", $secvalue)) ||


      (ereg("\([^>]*\"?[^)]*\)", $secvalue)) ||


      (ereg("\"", $secvalue)) ||


      $jsevent ||


      $nuketable)


   {


      ban_em_all_let_god_sort_em_out($_SERVER['HTTP_CLIENT_IP']);


   }


}

Strpos() is much faster than regexp compiler.

Posted: Fri Mar 05, 2004 12:34 pm

I like it!
Your 15 steps ahead of the average nuker! wink* and faster then me Sad

Keep em coming...

In my defense I'm mostly filtering $_post method forms. So speeds not as detrimental as it sounds.

Posted: Fri Mar 05, 2004 3:58 pm

It was merely an example, you certainly don't want to have 100 strpos or regexp function calls.

Quote:

So speeds not as detrimental as it sounds.

You won't be saying that after someone pulls a DoS attack against your filter. I think the best way to do this job is to write a new PHP extension in C, perhaps there's one already?

Posted: Fri Mar 05, 2004 9:51 pm

Your right of course thats why I said I have only applied a few words mostly ones included in your js filter and only on post variables. I'm not in fear of DoS since users have to be logged on to post (reminds me a flood function is in order for me...

I think a reasonable list say 50 or less probably more like 25 words/expressions would be reasonable. Look how big the list is for "Bad Words" on the list John Abela's site something like 170 words now? Not that I'd run that full list either...

I don't do C (Heck I barely do html some days) so if you hear of something I'd sure be interested.