Twitter misidentifying context
Monday, 23 November 2009
This is an important post for me, not because it’s ground breaking but people don’t seem to get this when using data in certain context. If you are a dev please read this and read it until you understand it because if you misidentify context you fail and you fail pretty badly.
I reported this to twitter about two months ago, they responded and fixed four xss holes but two remain and they didn’t contact me to test the fix.
You are wrong. Twitter is wrong.
Take the following example:-
<a href=# onclick="x= 'USERINPUT' ">test</a>
So you can place your input within the single quotes and there is a place on twitter that does this:-
Consider the following vector:-
No single quotes but ' still acts as one. Please look at this test and make sure you understand how it works:-
Don’t forget other entities work too ' ' ' ' so make sure you escape all characters within a js event like so:-
<a href="#" onclick="x='USERINPUT\x27\x22\x3c\x3e'">test</a>
and Twitter PLEASE fix this and related holes c’mon it’s been two months, it’s not rocket science to fix.
' works on non-IE browsers but the other entities mentioned work fine on IE too.