Attribute-based Cross Site Scripting (XSS): When Encoding Double Quote " is Not Enough

Analysis: Attribute Based XSS


It works when an attacker injects an XSS payload at the following point ($__$):

<input type="text" name="search" value="$__$" />

A typical payload is "><script>alert('XSS')</script>, which results in:

<input type="text" name="search" value=""><script>alert('XSS')</script>" />


Armed with this information, security-aware programmers have begun to encode the double quote character (") as &quot; or %22. This results in:

<input type="text" name="search" value="%22><script>alert('XSS')</script>" />

And XSS fails.

However, they neglect to encode the single quote character ('). For the above example, whether the single quote is encoded or not, XSS will not be triggered.

See the following example:

<input type="text" name="search" value="Keyword" onclick="this.value='$___$' " />

XSS works when an attacker's injection results in the following:

<input type="text" name="search" value="Keyword" onclick="this.value='xss';alert('XSS');x='' " />


Lesson Learnt:

Encoding only the double quote is incomplete protection against attribute-based XSS.
The following characters must be encoded:

  1. White-space characters (Tab / Line Feed / Carriage Return / Space)

    This protects against XSS in input tags whose attribute values are not wrapped in double or single quotes.
    e.g.

    <input type=text name=search value=$___$ >

  2. '
  3. "
  4. <
  5. >
  6. /
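
The onclick case above can be checked without a browser. The following is an added example, not code from the original post: it encodes the post's payload three ways and runs the resulting handler against a fake element with alert() stubbed out. It goes one step beyond the list above by showing that, inside an event-handler attribute, entity-encoding ' is not sufficient on its own, because the browser decodes character references before the script is compiled; the value must be JavaScript-escaped as well. All function names are hypothetical, and decodeEntities is a simplified model of the browser's attribute decoding.

```javascript
// Added example, not from the original post. All function names are hypothetical.
const PAYLOAD = "xss';alert('XSS');x='"; // the injection shown in the post

// The incomplete defence the post describes: only " is encoded.
function encodeDoubleQuoteOnly(s) {
  return s.replace(/"/g, "&quot;");
}

// The post's character list (whitespace ' " < > /) plus & (added here so
// that input which already looks like an entity is not decoded as one).
function encodeHtmlAttr(s) {
  return s.replace(/[\t\n\r "'<>\/&]/g,
    (c) => "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// For data placed inside a JS string inside an event-handler attribute:
// escape every non-alphanumeric UTF-16 unit as \uXXXX, then attribute-encode.
function encodeJsStringInAttr(s) {
  const js = s.replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
  return encodeHtmlAttr(js);
}

// Simplified model of the browser: character references in the attribute
// value are decoded (single pass) before the result is compiled as script.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|quot);/gi,
    (_, h) => (h ? String.fromCharCode(parseInt(h, 16)) : '"'));
}

// Builds onclick="this.value='$___$' " with the given encoder and runs the
// handler against a fake element, with alert() replaced by a stub.
function simulateOnclick(encoder, input) {
  const attrValue = "this.value='" + encoder(input) + "' ";
  const el = { value: "Keyword" };
  let alertCalled = false;
  const handler = new Function("alert", "x", decodeEntities(attrValue));
  handler.call(el, () => { alertCalled = true; });
  return { attrValue, alertCalled, value: el.value };
}

for (const enc of [encodeDoubleQuoteOnly, encodeHtmlAttr, encodeJsStringInAttr]) {
  const r = simulateOnclick(enc, PAYLOAD);
  console.log(enc.name.padEnd(22), "alert ran:", r.alertCalled, "| value:", r.value);
}
```

Only the last encoder leaves the payload as inert text in the field's value; the first two let the stubbed alert() run.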


Ref: http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html
