4

I have a webpage that blindly removes < and > as hardcoded rule. I know XSS doesn't always need < and > since it is not needed in HTML attribute and javascript contexts.

But is it possible to carry out XSS in HTML context without < and >? I saw it is possible in UTF-7(IE) where they can be replaced by other characters to make a valid HTML construct. Is it possible to do in any other way?

Or is it true that for HTML contexts just stripping < and > is sufficient since without them everything is treated as plaintext?

curiousguy
  • 5,068
  • 3
  • 26
  • 27
random1145
  • 41
  • 2
  • If it's getting reflected at the top of the page then it might be vulnerable to bom injection : https://security.stackexchange.com/a/180718/110133 – Xavier59 Nov 21 '19 at 22:22
  • What about hex values with an & where you can encode the characters with it? – Cyberduck Nov 25 '19 at 10:28
  • OWASP suggests you escape < > ' " & / in HTML context, but I've never understood the reason. It seems to me that just escaping < would actually be enough in practice. Maybe they are generalizing the advice for XML, but I'm still not sure why all those characters actually need to be escaped. – reed Apr 19 '20 at 16:39
  • @reed. In certain contexts in HTML, you need to escape ' or " (inside attributes). And you should always escape &. And it's simpler to say to always escape those characters, rather than depend on context. So that explains <, ', ", and &. As for / and >, I'm not sure, but if you have malformed HTML (say an attribute missing its closing quotation mark), they could cause harm, and it's probably easy enough to escape them anyway. – TRiG Jun 15 '23 at 09:22

1 Answers1

-1

Generally I would not suggest to strip the tags from an input. This won't work sometimes and it would still be possible to generate a valid XSS attack like in your example. If you want to sanitize your input try using something like htmlspecialchars. This converts all your characters into HTML entities. So they are safe to display. If you want to allow HTML tags on your site I would suggest to use a html purifier so you can allow all tags you want. (Whitelist approach)

Regarding your question: This would generate a valid XSS on your site without the three mentioned elements:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

This type of attack is called double encoding if you want to search for it. If you want more information about XSS try using the cheatsheat from OWASP or Github.

Conor Mancone
  • 31,265
  • 13
  • 94
  • 100
Cyberduck
  • 644
  • 4
  • 18
  • 3
    A double encoding attack will only work if the application in question is vulnerable to it (which not all are, and most probably aren't). As a result while that is certainly something to suggest, I think it's a bit unreasonable to assert that your proposed payload would generate an XSS. – Conor Mancone Nov 21 '19 at 15:34
  • @ConorMancone 's comment makes sense & it is not open to double encoding. Any other way? Or is stripping < & > character is enough? – random1145 Nov 22 '19 at 05:55