Could anyone tell me why / how this XSS vector works in the browser?

Tags: security, xss

I have suffered a number of XSS attacks against my site. The following HTML fragment is the XSS vector that has been injected by the attacker:

<a href="mailto:">
<a href=\"http://www.google.com onmouseover=alert(/hacked/); \" target=\"_blank\">
<img src="http://www.google.com onmouseover=alert(/hacked/);" alt="" /> </a></a>

It looks like script shouldn't execute, but using IE9's development tool, I was able to see that the browser translates the HTML to the following:

<a href="mailto:"/>
<a onmouseover="alert(/hacked/);" href="\"http://www.google.com" target="\"_blank\"" \?="">
</a/>

After some testing, it turns out that the \" makes the "onmouseover" attribute "live", but I don't know why. Does anyone know why this vector succeeds?

opps asked Sep 15 '11 11:09

1 Answer

So to summarize the comments: sticking a character in front of the quote turns the quote into a part of the attribute value instead of marking the beginning and end of the value. This works just as well:

href=a"http://www.google.com onmouseover=alert(/hacked/); \"

HTML allows quoteless attributes, so it becomes two attributes with the given values.

Erlend answered Oct 07 '22 09:10
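The parsing behaviour Erlend describes, as an added example that is not part of the original question or answer: a small JavaScript tokenizer for the attribute part of a start tag, written to follow the HTML Standard's attribute-value states closely enough to show the mechanism (HTML has no backslash escaping, so a value that does not begin with a quote is an unquoted value and ends at the first whitespace). It is run over the exact attribute string from the question, then over a hardened rendering in which the same untrusted value is always double-quoted and HTML-encoded. The function names (parseAttributes, escapeAttr, injectedTagBody, hardenedTagBody), the decodeRefs helper and the UNTRUSTED sample string are mine, not the site's or the browser's code.

```javascript
// Added example (not from the original post). Minimal tokenizer for the
// attribute portion of an HTML start tag. It models the HTML Standard's
// attribute states: a value whose first character is not a quote is an
// *unquoted* value, and an unquoted value ends at the first whitespace.
// A backslash is an ordinary character, so \" does not protect the quote.

// Decode only the character references escapeAttr() below emits; this is
// enough to round-trip the example (a browser decodes many more).
const decodeRefs = (s) =>
  s.replace(/&(quot|amp|lt|gt|#39);/g,
    (_, r) => ({ quot: '"', amp: "&", lt: "<", gt: ">", "#39": "'" })[r]);

const isSpace = (c) => c === " " || c === "\t" || c === "\n" || c === "\f" || c === "\r";

// tagBody is the text between the tag name and the closing ">".
function parseAttributes(tagBody) {
  const attrs = [];
  const n = tagBody.length;
  let i = 0;
  while (i < n) {
    // "before attribute name": skip whitespace and stray slashes
    while (i < n && (isSpace(tagBody[i]) || tagBody[i] === "/")) i++;
    if (i >= n) break;

    // "attribute name": runs until whitespace, "/" or "="; a quote is a legal name character
    let name = "";
    while (i < n && !isSpace(tagBody[i]) && tagBody[i] !== "/" && tagBody[i] !== "=") {
      name += tagBody[i++].toLowerCase();
    }

    // "after attribute name": anything other than "=" means a value-less attribute
    while (i < n && isSpace(tagBody[i])) i++;
    if (tagBody[i] !== "=") {
      attrs.push({ name, value: "" });
      continue;
    }
    i++; // consume "="
    while (i < n && isSpace(tagBody[i])) i++;

    let value = "";
    const q = tagBody[i];
    if (q === '"' || q === "'") {
      // quoted value: everything up to the matching quote, spaces included
      i++;
      while (i < n && tagBody[i] !== q) value += tagBody[i++];
      i++; // consume the closing quote
    } else {
      // unquoted value: \"http://www.google.com is the whole value and the
      // following space terminates it, so onmouseover= starts a new attribute
      while (i < n && !isSpace(tagBody[i])) value += tagBody[i++];
    }
    attrs.push({ name, value: decodeRefs(value) });
  }
  return attrs;
}

// Hardened rendering: always double-quote the value and encode the characters
// that could end the value or the tag. Encoding does not validate the URL, so
// an href additionally needs a scheme allow-list (http/https) before this step.
function escapeAttr(s) {
  return '"' + String(s)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;") + '"';
}

// Constructed sample: the attacker-controlled text that landed in the href
// position in the question (JS string syntax doubles the backslashes).
const UNTRUSTED = '\\"http://www.google.com onmouseover=alert(/hacked/); \\"';

// The attribute string exactly as it appeared in the injected tag.
function injectedTagBody() {
  return "href=" + UNTRUSTED + ' target=\\"_blank\\"';
}

// The same untrusted value rendered through escapeAttr().
function hardenedTagBody() {
  return "href=" + escapeAttr(UNTRUSTED) + ' target="_blank"';
}

const show = (attrs) => attrs.map((a) => `${a.name}=${JSON.stringify(a.value)}`).join(" ");
console.log("injected:", show(parseAttributes(injectedTagBody())));
console.log("hardened:", show(parseAttributes(hardenedTagBody())));
```

Running it with node prints four attributes for the injected string (href, onmouseover, a value-less attribute literally named \" that corresponds to the \?="" IE9 displayed, and target) versus two for the hardened string, whose href value is the untrusted text intact and inert. Quoting plus encoding removes the attribute-splitting problem; it does nothing about what scheme the href carries, which is a separate check.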