XSS bypassing angle bracket and double quote escaping


(Un)fortunately it appears that XSS won't be possible in this instance.

If angle brackets and double quote characters are escaped, this is enough to prevent XSS in HTML body and double quoted entity value contexts.

Technically under the XSS Experimental Minimal Encoding Rules for HTML body, the & character should be encoded too, but I can't see a way here to use that to the attacker's advantage either in the HTML body or within the entity value.

The only exception to this is if the character set was specified as UTF-7 (or, as the attacker, you could change it to such); then you could use the following attack:

INPUTNAME = +ADw-script+AD4-myfunc()+ADw-/script+AD4-

this would be rendered as

<h2>Profile of <script>myfunc()</script></h2><p>INPUT2</p><a href="http://example.com">Homepage</a>
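As an added example (not code from the question or the answer above), the following Python implements the output-encoding rule the answer describes, encoding angle brackets, double quotes and the ampersand, and checks the page's template against the three situations the answer discusses: a tag injected into the HTML body, a double quote inside the href value, and the UTF-7 payload interpreted under two different charsets. `render_profile`, `interpret` and `neutralized` are hypothetical helper names, and the sample inputs are constructed for the demonstration.

```python
# The page's template, with the three user-controlled fields as placeholders.
TEMPLATE = '<h2>Profile of {name}</h2><p>{bio}</p><a href="{url}">Homepage</a>'


def encode_minimal(value: str) -> str:
    """Output encoding the answer describes: angle brackets and double quotes,
    plus the ampersand (replaced first so no entity is encoded twice)."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_profile(name: str, bio: str, url: str) -> str:
    """Hypothetical server-side render: every user field passes through the encoder."""
    return TEMPLATE.format(name=encode_minimal(name),
                           bio=encode_minimal(bio),
                           url=encode_minimal(url))


def interpret(response: str, charset: str) -> str:
    """Simulate the browser decoding the response bytes under the declared charset."""
    return response.encode("ascii").decode(charset)


def neutralized(markup: str) -> bool:
    """True when user data added no tags and no attribute delimiters: the decoded
    markup contains exactly the six '<' and two '"' the template itself has."""
    return (markup.count("<") == TEMPLATE.count("<")
            and markup.count('"') == TEMPLATE.count('"'))


# Constructed inputs: the two cases the answer says encoding handles, and the
# UTF-7 payload from the answer, which contains none of the encoded characters.
SAMPLES = {
    "body_tags": ("<script>myfunc()</script>", "bio", "http://example.com"),
    "attr_quote": ("alice", "bio", '" title="injected'),
    "utf7": ("+ADw-script+AD4-myfunc()+ADw-/script+AD4-", "bio", "http://example.com"),
}


def check_all() -> dict:
    """For each sample, report whether the rendered page stays inert under each charset."""
    report = {}
    for label, (name, bio, url) in SAMPLES.items():
        page = render_profile(name, bio, url)
        report[label] = {cs: neutralized(interpret(page, cs))
                         for cs in ("utf-8", "utf-7")}
    return report


if __name__ == "__main__":
    for label, outcome in check_all().items():
        print(f"{label:>10}: {outcome}")
```

The first two samples stay inert under both charsets because the encoder rewrites the only characters that could open a tag or close the attribute. The UTF-7 sample passes through the encoder untouched, since `+ADw-` and `+AD4-` contain no encoded characters, and only becomes `<script>` when the browser decodes the page as UTF-7; the control that closes this gap is an explicit charset declaration (the `Content-Type` header or a `<meta charset>` tag) so the browser never falls back to guessing. Modern browsers have also dropped UTF-7 decoding altogether, but declaring the charset remains the right default.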
Author: ccczhang (updated on July 09, 2022)
Comments

  • ccczhang (almost 2 years ago)

    Say I want to maliciously call a function which is already defined, myfunc().

    How could I achieve an XSS attack bypassing double quote and angle bracket escaping?

    <h2>Profile of INPUTNAME</h2><p>INPUT2</p><a href="INPUTURL">Homepage</a>

    (The upper case fields are user inputs.) How could I call myfunc() without adding the script tags around it?