Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
HTMLAttributeEncode vs. HTMLEncode
Posted by: oneflewup
Date: December 13, 2006 12:42AM

I took a look at what the .NET Framework offers as part of HTML encoding and, interestingly, out of the box there are two main methods one can use. One is HtmlEncode, which seems to do all kinds of stuff, and then I found HttpUtility.HtmlAttributeEncode, which according to MSDN says:
http://msdn2.microsoft.com/en-us/library/wdek0zbf.aspx

Remarks

The HtmlAttributeEncode method converts only quotation marks ("), ampersands (&), and left angle brackets (<) to equivalent character entities. It is considerably faster than the HtmlEncode method.

The string result from the HtmlAttributeEncode method should be used only for double-quoted attributes. Security issues might arise when using the HtmlAttributeEncode method with single-quoted attributes.


Interesting... I was thinking about whether there are other possibilities to break out of a "" quoted attribute. Is just encoding " & and <> enough?


Thanks,
OneFlewUp

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: maluc
Date: December 13, 2006 02:01AM

For the most part, just encoding " is enough to prevent breaking out of a "" quoted attribute. The only other methods I know of (that have been discovered anyway, who knows about the future) are variable-width encoding issues, and other encoding issues like US-ASCII/UTF-7. If the charset is ISO-8859-* and you can't change it .. you're likely out of luck.

From a developer perspective, it's an adequate filter in most places against XSS - and speed boosts are always nice. From an attacker's perspective, I'd just move on to other inputs of the site.. bound to be a hole somewhere. And it won't secure a lot of XSS injections into JavaScript, nor prevent SQL injection, nor any DOM-based XSS, I don't think. So be careful where you use it.

-maluc

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: jungsonn
Date: December 13, 2006 05:53AM

Yeah, but I've been messing around in PHP to force the HTTP header to be UTF-8.

header('Content-Type: text/html; charset=utf-8');

That works great, because you really can't rely on the meta content-type if you don't know what to expect server-side.

A few php functions to fix input:

$var = htmlspecialchars($var, ENT_COMPAT, 'UTF-8'); // escape <, >, & and " (ENT_COMPAT leaves ' alone)
$var = iconv("UTF-8", "UTF-8", $var);                // round-trip to reject malformed UTF-8 sequences
$var = iconv("ISO-8859-1", "UTF-8", $var);           // or transcode Latin-1 input to UTF-8

Alas, there is a problem with the functions in PHP itself: many are not very consistent and sometimes drop characters. So it's not foolproof yet.

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: rsnake
Date: December 13, 2006 10:14AM

I thought what was interesting is that Stefan Esser retired from the PHP incident response team. Not to start a religious war on the boards, but it's interesting that the founder of PHP's security response team is fed up with the lack of security in PHP and quit as a result. His site is down at the moment (traffic flood?): http://blog.php-security.org/ So here is a cut and paste of the cache:


Saturday, December 9, 2006


Last night I finally retired from the PHP Security Response Team, that was initially my idea a few years ago.


The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called an immoral traitor for disclosing security holes in PHP or for developing Suhosin.


For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP.

Posted by Stefan Esser in PHP, Security at 10:58



Well, scary as that sounds, I am really excited to finally get the "real deal" on PHP security. I've always been a little wary of it and it will be interesting to see what Stefan has to say.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: jungsonn
Date: December 13, 2006 10:42AM

Pretty scary indeed,
I'd really like to know on which subjects/parts he advises on/criticises PHP etc.

Anyone have more info on this one?

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: rsnake
Date: December 13, 2006 11:16AM

Not yet, and his site is still down. I have a feeling we'll find out very quickly. But if anyone talks to him sooner, please post what he says. I'd be very curious to hear the details.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTMLAttributeEncode vs. HTMLEncode
Date: December 13, 2006 10:37PM

Jungsonn, you probably want to append //IGNORE to the second parameter in your iconv calls: this prevents the string from disappearing if there is even one bad character (which could happen, considering the potpourri of character encodings and spotty browser support we have). If you need a pure PHP implementation because iconv is not installed, may I interest you in this source code: http://hp.jpsband.org/svnroot/htmlpurifier/trunk/library/HTMLPurifier/Encoder.php specifically the cleanUTF8() function.

As for Stefan Esser, I didn't see much response from the PHP community: only one follow-up blog post (with no comments). We will see, we will see.

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: jungsonn
Date: December 14, 2006 12:28PM

Nice goodie Ambush, thanks!

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: rsnake
Date: December 14, 2006 06:08PM

Well I emailed him and although he didn't go into it, Stefan did write this:

Quote

I did not retire from PHP. I retired from the PHP Security Response Team. Mostly because it is not doing its job properly and people choose to ignore my advice. So there is actually no point in being a member anymore. I can do the same from the outside. And by removing myself from the Security Team I am no longer "responsible".

Stefan

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: andy
Date: May 15, 2007 03:32PM

Hi,
I was wondering if someone could highlight the drawback/hack around HtmlAttributeEncode (since it encodes only '<' and '"'). Is there some way to use ' (single quote) to escape and cause XSS? Example(s) would be really helpful.

thanks.

oneflewup Wrote:
-------------------------------------------------------
> I took a look at what the .net Framework offers as
> part of HTMLEncoding and interestingly out of box
> there are two main methods one can use. One is the
> HTMLEncode which seems to do all kinds of stuff
> and then I found: HTTPUtility.HtmlAttributeEncode
> which according to msdn says:
> http://msdn2.microsoft.com/en-us/library/wdek0zbf.aspx
>
> Remarks
>
> The HtmlAttributeEncode method converts only
> quotation marks ("), ampersands (&), and left
> angle brackets (<) to equivalent character
> entities. It is considerably faster than the
> HtmlEncode method.
>
> The string result from the HtmlAttributeEncode
> method should be used only for double-quoted
> attributes. Security issues might arise when using
> the HtmlAttributeEncode method with single-quoted
> attributes.
>
>
> Interesting... I was thinking if there are other
> possibilities to break out of an "" quoted
> attribute. Is just encoding " & and <> enough?
>
>
> Thanks,
> OneFlewUp

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: Mephisto
Date: May 15, 2007 05:06PM

It's possible to escape out of the attribute using a single quote, if the developer used single quotes to enclose the attribute values.

Example:

<input type='text' value=''>

If you entered '>< script>alert(1)< /script><' you could possibly escape the attribute and the tag.

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: andy
Date: May 16, 2007 01:08AM

Mephisto Wrote:
-------------------------------------------------------
> It's possible to escape out of the attribute using
> a single quote, if the developer used single
> quotes to enclose the attribute values.
>
> Example:
>
>
>
> I you entered '>< script>alert(1)< /script><' you
> could possibly escape the attribute and the tag.

Thanks Mephisto, so the input to the HtmlAttributeEncode is
'>< script>alert(1)< /script><' ??
but then the "<" is encoded and the script won't execute.

I'm not an expert, so if I'm missing something really obvious please
point it out :)

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: Mephisto
Date: May 16, 2007 03:29PM

Sorry, I wasn't addressing the (<, ") encoding in my response. If the application is doing HTML encoding (converting < or %3c to &lt;) then you're pretty much out of luck.

Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: hasse
Date: May 16, 2007 04:47PM

Mephisto Wrote:
-------------------------------------------------------
> Sorry, I wasn't addressing the (<, ") encoding in
> my response. If the application is doing HTML
> Encoding (converting < or %3c to &lt;) then your
> pretty much out of luck.

Unless you can create the XSS inside the tag.

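
To make the double- versus single-quote argument from this thread concrete (maluc's point that encoding " alone contains a ""-quoted attribute, and Mephisto's and hasse's point that a single quote still breaks out of a ''-quoted one), here is an added Python example that is not code from the thread or from .NET. It re-implements the encoding behaviour the quoted MSDN remarks describe, adds a hardened variant (an assumption, not a .NET API) that also escapes ' and >, and checks with Python's HTML parser whether an encoded value stays inside its attribute; the payload strings are constructed for the demonstration.

```python
from html.parser import HTMLParser


def html_attribute_encode(value: str) -> str:
    """Mirror of the behaviour the MSDN remarks describe for
    HttpUtility.HtmlAttributeEncode: only ", & and < are converted."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")


def html_attribute_encode_any_quote(value: str) -> str:
    """Hardened variant (assumption, not a .NET API): also escape ' and >,
    so the output is contained in single- as well as double-quoted attributes."""
    return html_attribute_encode(value).replace("'", "&#39;").replace(">", "&gt;")


class _TagCollector(HTMLParser):
    """Record every start tag and its (entity-decoded) attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append((tag, dict(attrs)))


def attribute_stays_contained(encoded: str, original: str, quote: str) -> bool:
    """Render the encoded value into <input type=QtextQ value=Q...Q>, where Q is
    the quote character the developer chose, then check the parsed result the
    way a browser sees it: exactly one tag, exactly the two intended
    attributes, and the value attribute round-trips to the original string."""
    fragment = f"<input type={quote}text{quote} value={quote}{encoded}{quote}>"
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    if len(parser.tags) != 1:
        return False
    tag, attrs = parser.tags[0]
    return (tag == "input"
            and set(attrs) == {"type", "value"}
            and attrs.get("value") == original)


if __name__ == "__main__":
    # Constructed inputs: a quote of each kind followed by a harmless extra attribute.
    for quote, payload in (('"', '" title="injected'), ("'", "' title='injected")):
        print(repr(quote),
              attribute_stays_contained(html_attribute_encode(payload), payload, quote),
              attribute_stays_contained(html_attribute_encode_any_quote(payload), payload, quote))
```

With the MSDN-style encoder the double-quoted case stays contained and the single-quoted case gains a third attribute; the hardened encoder contains both.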
Re: HTMLAttributeEncode vs. HTMLEncode
Posted by: Mephisto
Date: May 16, 2007 05:25PM

In the case of .NET (which I'm most familiar with) certain controls implement attribute encoding as well so attempting to XSS a style attribute for example wouldn't work.
