The
following is a JavaScript security flaw:
<script>
var
str = "</script><script>alert('Pwned');</script>";
</script>
The
browser ignores the fact that the<script> tags
are inside a
JavaScript String, invoking the alert()function.
The
reason for this odd behavior is that the page gets
rendered in various stages.
First the HTML is parsed, and a render tree created.
Only then, is the
JavaScript actually executed. In the example above,
the render tree see the <script> tags,
and is oblivious
to the fact that they’re inside a string; it has no
concept of JavaScript. It
strips these out, and evaluates the script nodes as
usual with our injected
message.
This
behavior would be little more than a curiosity, were
it not for the common
pattern of injecting JSON into documents, say with
ERB.
<script>
var
users = <%= @users.to_json.html_safe %>;
</script>
If
you
have the line above anywhere in your code, and @users includes
some user
submitted data, your application is vulnerable to a
XSS attack.
[SM-D01-R01]
If
you’re using Rails, thwart this vulnerability by
settingActiveSupport.escape_html_entities_in_json to true.
The default isfalse.
|
|
|
A
JavaScript Security Flaw •
Alex MacCaw
The
following is a JavaScript
security flaw:
<script> var str =
|
|
|
|
Nathalie
Coupet