Recently we have seen frameworks altering their behaviour in order to mitigate XSS. Ruby on Rails 3, Play Framework and ASP.NET MVC 3 all do HTML escaping by default for the standard output (<%=SomeVariable %>, ${SomeVariable} and @SomeVariable). While I applaud the frameworks for taking this step (and it is certainly a step in the right direction), you should be aware that this will not automatically block all XSS attacks. Here are some examples.

Example 1

<button onmouseover="showToolTip('View details for [user supplied data here]')">

In this example the escaping will escape for HTML, but not for JavaScript. So even though ' is escaped as &#39;, an attacker will still be able to jump out of the JavaScript string and run arbitrary JavaScript code. This will pop up the appended alert:

<button onmouseover="showToolTip('View details for &#39;);alert(&#39;XSS')">

and is equivalent to:

<button onmouseover="showToolTip('View details for ');alert('XSS')">
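The following is an added example, not code from the original post: it models Example 1 by rendering the onmouseover template once with a framework-style HTML escaper and once with JavaScript-string escaping applied first, then runs the resulting handler against stubbed showToolTip and alert functions to show which rendering lets the injected alert() execute. All function names are mine.

```javascript
// Added example, not code from the original post: a model of Example 1 that
// shows why a framework's default HTML escaping leaves the onmouseover
// handler exploitable, and what the JavaScript-string context needs instead.
// Function names are mine; showToolTip and alert are stubbed stand-ins.

// What the default output escaping in Rails 3 / Play / MVC 3 does.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// JavaScript-string escaping: every non-alphanumeric character becomes
// \xHH (or \uHHHH), so no input character can terminate the literal.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The browser decodes character references in an attribute value before
// the JavaScript engine sees it; this is the step that undoes &#39;.
function decodeAttributeValue(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(Number(d)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Render the Example 1 template with the given escaper and return the
// JavaScript source the engine would run for the onmouseover handler.
function handlerSource(userData, escaper) {
  return decodeAttributeValue("showToolTip('View details for " + escaper(userData) + "')");
}

// Run the handler with stubbed showToolTip/alert and report whether the
// injected alert() was reached and what the tooltip actually received.
function runHandler(src) {
  const result = { alerted: false, tooltip: null };
  new Function('showToolTip', 'alert', src)(
    t => { result.tooltip = t; },
    () => { result.alerted = true; });
  return result;
}

// The Example 1 input (the template itself supplies the closing "')").
const PAYLOAD = "');alert('XSS";
const jsThenHtml = s => htmlEscape(jsStringEscape(s));
```

With HTML escaping alone the stubbed alert fires; with JavaScript-string escaping applied before the HTML escaping, showToolTip simply receives the literal text the user typed.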

Example 2

<input type=text value=[user supplied data here]>

Skipping quotes on attributes is certainly not recommended, but it is allowed. So something like this might work:

<input type=text value=x onfocus=alert(xss) autofocus>

Example 3

<script>
var a=[user supplied data here]
</script>
This one is trivial. Do not add user supplied content outside of JavaScript quotes.

<script>
var a=alert(String.fromCharCode(88,83,83))
</script>
In the last snippet I'm using a trick from RSnake's XSS Cheat Sheet to build a string without using double or single quotes (which will normally be escaped by the HTML escaping).

Example 4

<script>
var a='[user supplied data here]'
</script>
This one should work in Play, as Play does not seem to escape single quotes:

<script>
var a='';alert('xss');//'
</script>
And for the same reason, this one is trivial to exploit:

<img alt='[user supplied data here]' ...>

The OWASP XSS Prevention Cheat Sheet

These are just some examples. For information on how to properly escape for different contexts, see the OWASP XSS Prevention Cheat Sheet.