XSS string that gets past jsoup #673
Comments
Can you provide a fuller example please? I.e. sample code using cleaner, and the input and output html strings.
Sure, here is the full request that was injected into our site.

GET /Application/jsp/ordering/linePopup.jsp?selectedLine=0%20%73%54%79%4c%65%3d%58%3a%65%58%2f%2a%2a%2f%70%52%65%53%73%49%6f%4e%28%61%6c%65%72%74%28%36%36%31%35%35%29%29&reservationId=

The encoded data is appended to the selectedLine=0 parameter. We are using the ESAPI encoder latest version and the latest version of jsoup and the snippet below is basically all we are doing in our servlet filter to stop XSS attacks.

for(String attack : attacks) {
The string passes through and we get an XSS style vector in our application response like so... I don't think it is really serious as all the browsers I have tried it with validate the style settings and reject it but maybe some older IE versions don't do that?
I still don't understand what you think the attack is. What's the HTML? Whitelist.none just gives you plain text. What browser is going to do anything with just plain
Thanks for contacting me. We use your excellent Jsoup package to sanitize input fields. We got dinged by our penetration testers as this wretched string got

Cross-Site Scripting vulnerability found in Get parameter selectedLine.
sTyLe=X:eX/**/pReSsIoN(alert(66155))
Cross-Site Scripting vulnerabilities were verified as executing code on the
Cross-Site Scripting: Reflected ( 5649 ) View Description
Response: HTTP/1.1 200 OK

As you can see in the response, the value=0 gets passed back with the

Is there any way Jsoup can recognize this as an XSS attack, or should we

regards, Francis.

On Thu, May 5, 2016 at 11:01 PM, Jonathan Hedley notifications@github.com
OK, I'm trying to understand your flow. You're building an HTML page with a form and the value is set by an input parameter (selectedLine)? And currently you are using jsoup's Whitelist.none to sanitize that input? And then you're just putting that output directly into the HTML value? If I've understood from your description, that's not the right approach and not what the Whitelist is intended for. The Whitelist / Cleaner is about safely sanitizing HTML for direct presentation in the body. Not in a form field. You don't need the cleaner, you just need to HTML escape the input data when building the HTML. Either create an Element and set the attribute then use the html() method to serialize it, or (my preference) use an HTML templating library like Freemarker and escape the user provided data correctly.
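The difference Jonathan describes, as an added example that is not code from this thread or from jsoup itself. It uses the decoded selectedLine value from the issue and assumes a jsoup 1.x release that still ships the Whitelist class, and that the page was concatenating the parameter straight into the input's value attribute.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Whitelist;

public class SelectedLineDemo {
    // The decoded selectedLine parameter from the issue (constructed from the thread).
    static final String PAYLOAD = "0 sTyLe=X:eX/**/pReSsIoN(alert(66155))";

    // What the servlet filter in the thread does: run the raw parameter through the Cleaner.
    // The Cleaner only strips markup; this value contains no tags, so it is plain text
    // to the parser and comes back unchanged. Nothing here is "caught".
    static String cleanWithWhitelistNone(String input) {
        return Jsoup.clean(input, Whitelist.none());
    }

    // What the reply suggests instead: build the element and let jsoup serialize it.
    // The value lands inside a quoted attribute, and any embedded quote or ampersand
    // is entity-escaped, so the space and "sTyLe=" can never start a second attribute.
    static String renderInput(String value) {
        return new Element("input")
                .attr("type", "text")
                .attr("name", "selectedLine")
                .attr("value", value)
                .outerHtml();
    }

    public static void main(String[] args) {
        // Unchanged: 0 sTyLe=X:eX/**/pReSsIoN(alert(66155))
        System.out.println("clean():  " + cleanWithWhitelistNone(PAYLOAD));

        // Contained: <input type="text" name="selectedLine" value="0 sTyLe=X:eX/**/pReSsIoN(alert(66155))">
        System.out.println("element:  " + renderInput(PAYLOAD));

        // A constructed value with double quotes shows the attribute escaping (&quot;) doing its job.
        System.out.println("quotes:   " + renderInput("0 \"zero\""));
    }
}
```

The same outcome comes from any templating engine that HTML-attribute-escapes by default; the point is that output encoding at the point of insertion, not input "sanitizing", is what keeps the parameter inside the attribute.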
Not quite, We were using jsoup to sanitize all input that we get from the browser and it's just that last one, which is a real crafty piece of obfuscated partial

I won't waste your valuable time with this any more if you think that this

regards, Francis.

import org.owasp.esapi.reference.DefaultEncoder; class attacks { static String[] attacks = "regular"style="behavior:url(#default#time2)"onbegin="alert(document.cookie)"", "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";" "alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--" "#108ert('XSS')>",
Thanks - closing, as described not the right way to use the HTML Cleaner. Just escape the content before putting it into a value.
Hi,
This url encoded string
"0%20%73%54%79%4c%65%3d%58%3a%65%58%2f%2a%2a%2f%70%52%65%53%73%49%6f%4e%28%61%6c%65%72%74%28%36%36%31%35%35%29%29"
does not get caught by the Jsoup/clean after it has been canonicalized. The result is this XSS attack
"0 sTyLe=X:eX/**/pReSsIoN(alert(66155))"
I'd love to fix it, but don't have a clue where to start.