August 4, 2011 - 21:43 UTC - Tags: xss
Recently, frameworks have started changing their default behaviour in order to mitigate XSS. Ruby on Rails 3, Play Framework and ASP.NET MVC 3 all do HTML escaping by default for the standard output expressions (<%=SomeVariable %>, ${SomeVariable} and @SomeVariable). While I applaud the frameworks for taking this step (and it is certainly a step in the right direction), you should be aware that this will not automatically block all XSS attacks. Here are some examples.
Example 1
<button onmouseover="showToolTip('View details for [user supplied data here]')">
In this example the escaping is HTML escaping, not JavaScript escaping. So even though ' is escaped as an HTML character reference, the browser decodes the attribute value before handing it to the JavaScript engine, and an attacker will still be able to jump out of the JavaScript string and run arbitrary JavaScript code. This will pop up the appended alert; once the browser has decoded the escaped quotes, the handler is equivalent to:
<button onmouseover="showToolTip('View details for ');alert('XSS')">
Example 2
<input type=text value=[user supplied data here]>
Leaving the quotes off attribute values is certainly not recommended, but it is allowed. HTML escaping does not touch spaces or the = sign, so something like this might work:
<input type=text value=x onfocus=alert(xss) autofocus>
Example 3
<script>
var a=[user supplied data here]
</script>
This one is trivial: HTML escaping only rewrites &, <, > and quotes, so anything else is passed straight to the JavaScript parser. Do not insert user-supplied content into JavaScript outside of quotes.
<script>
var a=alert(String.fromCharCode(88,83,83))
</script>
In the last snippet I'm using a trick from RSnake's XSS Cheat Sheet to build a string without using double or single quotes (which will normally be escaped by the HTML escaping).
Example 4
<script>
var a='[user supplied data here]'
</script>
This one should work in Play, as Play does not seem to escape single quotes:
<script>
var a='';alert('xss');//'
</script>
And for the same reason, this one is trivial to exploit:
<img alt='[user supplied data here]' ...>
The OWASP XSS Prevention Cheat Sheet
These are just some examples. For information on how to properly escape for different contexts, see the OWASP XSS Prevention Cheat Sheet.
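As an added illustration (not code from this post or from any of the frameworks it mentions), the JavaScript below shows why HTML escaping alone is not enough for Example 1 and what context-aware encoding, in the spirit of the OWASP cheat sheet, looks like: the data is encoded for the inner JavaScript string context first and for the outer attribute context second, and a small browser simulation shows what the JavaScript engine would actually run. The payload is constructed from the post's Examples 1 and 4; the showToolTip function name is taken from Example 1.

```javascript
// Added example (not from the post or any framework). Example 1 of the post:
// a JS string inside an event-handler attribute. The browser HTML-decodes the
// attribute value and then runs it as JavaScript, so the inner JS context
// must be encoded first and the outer HTML context second.
const PAYLOAD = "');alert('XSS');//"; // constructed from the post's examples

// What Rails 3, Play and ASP.NET MVC 3 do by default: HTML-escape only.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// For data inside a JS string literal: encode every non-alphanumeric character
// as \xHH or \uHHHH, so no quote, backslash, <, / or newline reaches the parser.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
                        : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// Naive template: HTML escaping alone, exactly the situation in Example 1.
function renderNaive(userData) {
  return '<button onmouseover="showToolTip(\'View details for '
       + htmlEscape(userData) + '\')">';
}

// Hardened template: JS-string-escape the data, then HTML-escape the whole
// handler for the attribute context.
function renderHardened(userData) {
  const js = "showToolTip('View details for " + jsStringEscape(userData) + "')";
  return '<button onmouseover="' + htmlEscape(js) + '">';
}

// Simulate the browser: extract the attribute value and HTML-decode it. That
// decoded text is what the JavaScript engine actually executes.
function htmlDecode(s) {
  return s.replace(/&#39;/g, "'").replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}
function handlerSource(buttonHtml) {
  const m = /onmouseover="([^"]*)"/.exec(buttonHtml);
  return m ? htmlDecode(m[1]) : null;
}

// True when the handler is still one showToolTip call whose string literal
// contains only plain characters or \xHH / \uHHHH escapes.
function handlerIntact(buttonHtml) {
  return /^showToolTip\('(?:[^'\\]|\\x[0-9A-F]{2}|\\u[0-9A-F]{4})*'\)$/
    .test(handlerSource(buttonHtml));
}
```

With the naive template the decoded handler contains a second statement, alert('XSS'); with the hardened template every quote, parenthesis and slash from the payload arrives as an escape sequence inside the string literal.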