This is an important post for me, not because it’s ground breaking but people don’t seem to get this when using data in certain context. If you are a dev please read this and read it until you understand it because if you misidentify context you fail and you fail pretty badly.
I reported this to twitter about two months ago, they responded and fixed four xss holes but two remain and they didn’t contact me to test the fix.
When you are including user input inside a javascript event within a string what do you have to escape? If you answered: ‘”<>\
You are wrong. Twitter is wrong.
Take the following example:-
<a href=# onclick="x= 'USERINPUT' ">test</a>
So you can place your input within the single quotes and there is a place on twitter that does this:-
twitterTheseResults(’ \"\’xss’,'/search?q=&a…
Here they are escaping " with \" and ‘ with \’. But that isn’t enough! Why? Because it’s a javascript onclick event! Inside an event you have to escape entities! All of them!
Consider the following vector:-
',alert(1),'
No single quotes but ' still acts as one. Please look at this test and make sure you understand how it works:-
http://tinyurl.com/xssyoda
Don’t forget other entities work too ' ' ' ' so make sure you escape all characters within a js event like so:-
<a href="#" onclick="x='USERINPUT\x27\x22\x3c\x3e'">test</a>
and Twitter PLEASE fix this and related holes c’mon it’s been two months, it’s not rocket science to fix:-
Twitter poc (don’t tweet these results)
' works on non-IE browsers but the other entities mentioned work fine on IE too.
Comments 6
Two good posts today. I’ve got about a day of security reviews for our web apps now. More interesting than whatever the fuck I would have been doing, though.
Posted 23 Nov 2009 at 4:10 pm ¶Another reason not to use inline event handlers.
Posted 25 Nov 2009 at 12:29 pm ¶@James
Yep exactly
Posted 25 Nov 2009 at 12:34 pm ¶Great post.
Is the “Twitter poc (don’t tweet these results)” link supposed to alert something? Cause it’s not doing anything special over here. Perhaps WordPress ate parts of the URL or something?
Posted 25 Nov 2009 at 1:11 pm ¶@Mathias
Yeah it executes alert(1) a couple of times, you’re probably using IE and so it won’t work as I use ' but if you use Firefox it will work when you click the “Tweet these results” it could work on other browsers using the alternative entities I mentioned in the post
Posted 25 Nov 2009 at 2:06 pm ¶A little bit another vector:
http://search.twitter.com/search?q=%26%2339%3B)%3Balert(%26%2339%3Bxek%26%2339%3B)%3B%2F%2F
Posted 14 Jan 2010 at 4:50 am ¶Post a Comment