[WEB SECURITY] attribute based XSS
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Subject: [WEB SECURITY] attribute based XSS
- Date: Fri, 27 Jul 2007 22:07:18 -0700
I've been trying to get involved in a discussion about "attribute
based cross-site-scripting" on Jeremiah's blog, but for some reason
convincing blogger to let me post a decent XSS example has been kind
of tricky.
Here's Jeremiah's original post:
http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html
The point I tried (and completely failed) to make on the blog is that
using HTML entities as an anti-XSS measure does not work if the
attacker controlled data lands in an HTML attribute that the browser
interprets as a URI.
For example, consider an application that puts attacker controlled
data in an href tag:
<a href="ATTACKERCONTROLLED">blah</a>
The attacker could achieve XSS with this by creating code like this:
<a href="javascript:alert('xss')">blah</a>
The normal anti-XSS measure of entity encoding does not work to stop
the XSS. For example, Firefox 2.0.0.5 (and probably other browsers,
I'm too lazy to check right now) will execute the JavaScript even if
every single character is HTML entity encoded:
<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#120;&#115;&#115;&#39;&#41;">foo</a>
I think a more appropriate mitigation here is URI encoding, but that
has to be done carefully to avoid changing the semantics of any good
URIs you're trying to embed.
(BTW, I claim no novelty in this, I picked up this vector from
http://ha.ckers.org/xss.html. I'm not sure who sent it to RSnake
originally.)
Cheers,
Brian
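An added illustration of the point in the post (example code, not Brian's or from the mailing list): the HTML parser resolves character references before the browser ever looks at the attribute as a URI, so a check for an href has to be made on the decoded value and its scheme. The allowed-scheme set and the function names are assumptions for this example.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Schemes this (hypothetical) application is willing to emit in an href.
ALLOWED_SCHEMES = {"http", "https"}

def parser_decode(attr_value: str) -> str:
    """What the HTML parser does to an attribute value before the browser
    interprets it as a URI: character references are resolved."""
    return html.unescape(attr_value)

def entity_encode_only(value: str) -> str:
    """The mitigation the post says is insufficient for href: escape the
    HTML metacharacters and nothing else."""
    return html.escape(value, quote=True)

def safe_href(value: str) -> Optional[str]:
    """Return an href value safe to place in a double-quoted attribute,
    or None if the URL must be rejected.

    The check works on the decoded value and on its scheme, because the
    parser undoes entity encoding before URI interpretation.
    """
    decoded = parser_decode(value)
    # Browsers skip ASCII whitespace/control characters while reading the
    # scheme, so remove them before looking at it.
    for_scheme = "".join(ch for ch in decoded if ord(ch) > 0x20)
    scheme = urlsplit(for_scheme).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, vbscript:, ... are refused
    # Relative URLs (no scheme) and allowed absolute URLs are re-escaped
    # for the attribute context; that is still needed for " and &.
    return html.escape(decoded, quote=True)
```

`entity_encode_only` returns a string that the parser decodes straight back to the original `javascript:` URL, which is exactly why it does not help here.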
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org