Twitter misidentifying context

This is an important post for me, not because it’s ground breaking but people don’t seem to get this when using data in certain context. If you are a dev please read this and read it until you understand it because if you misidentify context you fail and you fail pretty badly.

I reported this to twitter about two months ago, they responded and fixed four xss holes but two remain and they didn’t contact me to test the fix.

When you are including user input inside a javascript event within a string what do you have to escape? If you answered: ‘”<>\
You are wrong. Twitter is wrong.

Take the following example:-

<a href=# onclick="x= 'USERINPUT' ">test</a>

So you can place your input within the single quotes and there is a place on twitter that does this:-
twitterTheseResults(‘ \&quot;\’xss’,'/search?q=&a…

Here they are escaping &quot; with \&quot; and ‘ with \’. But that isn’t enough! Why? Because it’s a javascript onclick event! Inside an event you have to escape entities! All of them!

Consider the following vector:-
&apos;,alert(1),&apos;

No single quotes but &apos; still acts as one. Please look at this test and make sure you understand how it works:-
http://tinyurl.com/xssyoda

Don’t forget other entities work too &#39; &#x27; &#39 &#x27 so make sure you escape all characters within a js event like so:-

<a href="#" onclick="x='USERINPUT\x27\x22\x3c\x3e'">test</a>

and Twitter PLEASE fix this and related holes c’mon it’s been two months, it’s not rocket science to fix.

&apos; works on non-IE browsers but the other entities mentioned work fine on IE too.

6 Responses to “Twitter misidentifying context”

  1. c writes:

    Two good posts today. I’ve got about a day of security reviews for our web apps now. More interesting than whatever the fuck I would have been doing, though.

  2. James writes:

    Another reason not to use inline event handlers.

  3. Gareth Heyes writes:

    @James

    Yep exactly

  4. Mathias Bynens writes:

    Great post.

    Is the “Twitter poc (don’t tweet these results)” link supposed to alert something? Cause it’s not doing anything special over here. Perhaps WordPress ate parts of the URL or something?

  5. Gareth Heyes writes:

    @Mathias

    Yeah it executes alert(1) a couple of times, you’re probably using IE and so it won’t work as I use &apos; but if you use Firefox it will work when you click the “Tweet these results” it could work on other browsers using the alternative entities I mentioned in the post

  6. brain[pillow] writes:

    A little bit another vector:

    http://search.twitter.com/search?q=%26%2339%3B)%3Balert(%26%2339%3Bxek%26%2339%3B)%3B%2F%2F