[Esapi-user] JavaScript encoding

Jim Manico jim.manico at owasp.org
Wed Aug 18 04:17:43 EDT 2010


Well,

Once you call eval or window.setTimeout with any untrusted data, it's game over (XSS) no matter how you encode. The arguments to those functions are the same as user data between script tags.

-Jim Manico
http://manico.net

On Aug 18, 2010, at 12:57 AM, gaz Heyes <gazheyes at gmail.com> wrote:

> What's the output look like? Then you also have to account for entities too (depending on the context):
> <a href=# onclick="setTimeout('&#92;141lert(1)')">test</a>
> 
> On 18 August 2010 07:30, Jim Manico <jim.manico at owasp.org> wrote:
> Hello folks,
> 
> I’ve been trying to get my head wrapped around DOM based XSS and JavaScript encoding in a way that is easy to communicate to a mass audience. Abe Kang has been kind enough to talk me through these issues.
> 
> In my opinion, our JavaScript encoder ESAPI.encoder().encodeForJavaScript(taint) needs more explanation/documentation, and the ESAPI for JS project needs to be integrated in the XSS Cheatsheet more. Abe thinks there are at least 5 new XSS Cheatsheet rules specific to DOM XSS – and we will be working on it over the next few weeks. I love this stuff – the rabbit hole never ends. :)
> 
> So for starters, we edited rule #3 of the XSS Cheatsheet to briefly discuss illegal JavaScript contexts:
> 
> http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_HTML_JavaScript_Data_Values
> 
> The long and short of it is – there are some JavaScript contexts that can NEVER handle user data – even if JavaScript encoded!
> 
> Try this little chunk of JSP out… Run this in Chrome, so you can kill the never-ending popup easily….
> 
> <script>
> window.setInterval('<%= ESAPI.encoder().encodeForJavaScript("alert('I XSS you Beef');") %>');
> </script>
> 
> Are we on the right track?
> 
> Cheers All,
> 
> Jim
> 
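The point of the thread, as an added example that is neither ESAPI's code nor code posted by anyone on the list: JavaScript-escaping a value only protects it while the value stays data. A string literal decodes the escapes as soon as the script is parsed, so if that decoded string is then handed to a code sink (string-form setInterval/setTimeout, eval, Function) it runs as code, exactly as in Jim's JSP snippet. The same escaped value is harmless in a sink that treats it as data, and a timer given a function (with the value inside a string literal in the body) never compiles a string at all. The `encodeForJavaScript` below is a hypothetical stand-in approximating the `\xHH` escaping style, `displayText` is an assumed data-only sink, and the sandbox stubs for `setInterval` and `alert` are assumptions made so the script text runs under Node. The last two functions illustrate gaz's entity point: in an attribute the browser decodes HTML entities first, then the JS literal decodes the octal escape, so `&#92;141lert(1)` unwraps to `alert(1)`.

```javascript
// Hypothetical stand-in for ESAPI.encoder().encodeForJavaScript() (not ESAPI's code):
// alphanumerics pass through, every other UTF-16 code unit becomes \xHH or \uHHHH.
function encodeForJavaScript(input) {
  let out = "";
  for (let i = 0; i < input.length; i++) {
    const cu = input.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(input[i])) out += input[i];
    else if (cu < 0x100) out += "\\x" + cu.toString(16).padStart(2, "0");
    else out += "\\u" + cu.toString(16).padStart(4, "0");
  }
  return out;
}

// Stand-in for the JSP template: the escaped value is interpolated into a
// single-quoted JS string literal that is then passed to `sink`.
// Returns the script text as a browser would receive it.
function renderStringArg(sink, untrusted) {
  return `${sink}('${encodeForJavaScript(untrusted)}');`;
}

// The fix for a timer: keep the untrusted value inside a string literal in a
// function body, so the timer receives a function and never compiles a string.
function renderFunctionArg(dataSink, untrusted) {
  return `setInterval(function () { ${dataSink}('${encodeForJavaScript(untrusted)}'); });`;
}

// Runs generated script text under Node with stubbed browser globals (assumed
// here) and returns a log of what reached each sink. The setInterval stub
// mimics the browser's string form: a string argument is compiled and run as code.
function runInSandbox(script) {
  const log = [];
  const alert = (msg) => log.push("alert:" + msg);
  const displayText = (value) => log.push("data:" + value); // uses its argument as data only
  const setInterval = (arg) => {
    if (typeof arg === "string") new Function("alert", "displayText", arg)(alert, displayText);
    else arg();
  };
  new Function("setInterval", "alert", "displayText", script)(setInterval, alert, displayText);
  return log;
}

// Worked comparison using the payload from the JSP snippet in the thread.
function demo() {
  const taint = "alert('I XSS you Beef');"; // constructed untrusted input
  return {
    // string-form setInterval: the literal decodes the escapes, then the
    // decoded string is compiled as code, so the encoder bought nothing
    stringTimer: runInSandbox(renderStringArg("setInterval", taint)),
    // same encoder, a sink that uses the value as data: harmless
    dataSink: runInSandbox(renderStringArg("displayText", taint)),
    // function-form timer with the value inside a string literal: harmless
    functionTimer: runInSandbox(renderFunctionArg("displayText", taint)),
  };
}

// Minimal decoder for numeric HTML entities, standing in for the browser's
// attribute-value decoding (assumption: only decimal &#NNN; forms are needed here).
function decodeNumericEntities(s) {
  return s.replace(/&#(\d+);?/g, (_, n) => String.fromCharCode(Number(n)));
}

// Two layers unwrap before the sink sees the value: entity decoding in the
// attribute, then escape decoding in the JS string literal.
function unwrapAttributeThenLiteral(attrValue) {
  const afterHtml = decodeNumericEntities(attrValue);  // "&#92;141lert(1)" -> "\141lert(1)"
  return new Function("return '" + afterHtml + "';")(); // octal \141 is "a" -> "alert(1)"
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
  console.log(unwrapAttributeThenLiteral("&#92;141lert(1)"));
}
```

Reading the log: only the string-form timer produces an `alert:` entry; the data sink and the function-form timer both receive the original text as data, which is the distinction the cheat-sheet rule is drawing.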