The following is a JavaScript security flaw:

<script> var str = "</script><script>alert('Pwned');</script>"; </script>

The browser ignores the fact that the <script> tags are inside a JavaScript string, invoking the alert() function.

The reason for this odd behavior is that the page gets rendered in various stages. First the HTML is parsed, and a render tree created. Only then is the JavaScript actually executed. In the example above, the render tree sees the <script> tags, and is oblivious to the fact that they're inside a string; it has no concept of JavaScript. It strips these out, and evaluates the script nodes as usual with our injected message.

This behavior would be little more than a curiosity, were it not for the common pattern of injecting JSON into documents, say with ERB.

<script> var users = <%= @users.to_json.html_safe %>; </script>

If you have the line above anywhere in your code, and @users includes some user submitted data, your application is vulnerable to an XSS attack.

[SM-D01-R01] If you're using Rails, thwart this vulnerability by setting ActiveSupport.escape_html_entities_in_json to true. The default is false.

A JavaScript Security Flaw • Alex MacCaw
<https://blog.alexmaccaw.com/a-javascript-security-flaw>

Nathalie Coupet
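The breakout and the escape_html_entities_in_json mitigation described above, as an added Ruby example that is not part of Nathalie's message or Alex MacCaw's post: the html_safe_json helper is my own stand-in for what that setting does (escaping <, > and & as JSON \u sequences), and the user data is constructed.

```ruby
require "json"

# Constructed sample data: the second name carries the breakout string from the post.
USERS = [
  { "id" => 1, "name" => "alice" },
  { "id" => 2, "name" => "</script><script>alert('Pwned');</script>" }
].freeze

# Characters an HTML parser reacts to, replaced by JSON \u escapes that remain
# valid JSON and decode to the same characters once the script actually runs.
# (Assumption: this mirrors the idea behind escape_html_entities_in_json; it is
# a stand-in, not ActiveSupport's own code.)
HTML_SENSITIVE = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

# What @users.to_json.html_safe emits: plain JSON, with '<' and '>' left as-is.
def unsafe_json(value)
  JSON.generate(value)
end

# JSON that is safe to inline inside a <script> element.
def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&]/) { |c| HTML_SENSITIVE[c] }
end

# The HTML tokenizer's script-data rule: "</script" followed by whitespace, "/"
# or ">" (case-insensitive) ends the element, whatever JavaScript's string
# boundaries say. If the inlined JSON matches, the injected markup is parsed
# as HTML and any following <script> node is executed.
def script_breakout?(inlined_json)
  inlined_json.match?(%r{</script[\s/>]}i)
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe:  #{unsafe_json(USERS)}"      # contains a literal </script>
  puts "escaped: #{html_safe_json(USERS)}"   # same data, no literal </script>
  puts "round-trips: #{JSON.parse(html_safe_json(USERS)) == USERS}"
end
```

The escaped output is still ordinary JSON, so the browser's JSON/JavaScript parser reconstructs the exact original strings while the HTML parser never sees an end tag.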
Clearly this is a lot of work, Nathalie, for which many thanks. I don't quite understand what this document has to do with the RDS exercise though, would you mind explaining the link?

Kind regards,
Stephanie Perrin

On 2016-06-08 17:39, nathalie coupet via gnso-rds-pdp-wg wrote:
> The following is a JavaScript security flaw:
>
> <script> var str = "</script><script>alert('Pwned');</script>"; </script>
>
> The browser ignores the fact that the <script> tags are inside a JavaScript string, invoking the alert() function.
>
> The reason for this odd behavior is that the page gets rendered in various stages. First the HTML is parsed, and a render tree created. Only then is the JavaScript actually executed. In the example above, the render tree sees the <script> tags, and is oblivious to the fact that they're inside a string; it has no concept of JavaScript. It strips these out, and evaluates the script nodes as usual with our injected message.
>
> This behavior would be little more than a curiosity, were it not for the common pattern of injecting JSON into documents, say with ERB.
>
> <script> var users = <%= @users.to_json.html_safe %>; </script>
>
> If you have the line above anywhere in your code, and @users includes some user submitted data, your application is vulnerable to an XSS attack.
>
> [SM-D01-R01] If you're using Rails, thwart this vulnerability by setting ActiveSupport.escape_html_entities_in_json to true. The default is false.
>
> A JavaScript Security Flaw • Alex MacCaw
> <https://blog.alexmaccaw.com/a-javascript-security-flaw>
>
> Nathalie Coupet
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg