Is XSS in canonical link possible? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)XSS triggered but chrome didn't show popup. What exactly was going on?Stored Cross-Site Scripting Without Parentheses or SpacesXSS using JSF**kA possible router XSS vulnerabilityDoubt Vulnerability XSSLink shortener that virtualizes link for reflected XSS?Is this XSS filter vulnerableIs it possible to perform a XSS attack in the title/subtitle of a webpage?How to stop JS from executing when passed in as a parameter to the URL? (no script tags)XSS using User Agent, Possible?How does OWASP ZAP find Reflected XSS?
How many time has Arya actually used Needle?
Can gravitational waves pass through a black hole?
Keyboard layout stuck into CZ_german no english layout after update, restore into original EN_us and EL_Gr ones
Understanding piped command in Gnu/Linux
Centre cell contents vertically
Did any compiler fully use 80-bit floating point?
Fit odd number of triplets in a measure?
Weaponising the Grasp-at-a-Distance spell
systemd and copy (/bin/cp): no such file or directory
Inverse square law not accurate for non-point masses?
Obtaining packet switch-port information via a mirrored port?
Flight departed from the gate 5 min before scheduled departure time. Refund options
Did John Wesley plagiarize Matthew Henry...?
Are there any irrational/transcendental numbers for which the distribution of decimal digits is not uniform?
By what mechanism was the 2017 General Election called?
Is it Possible to Dye Cloth/Leather with Blood?
Updates not showing on Software Updater?
Vertical ranges of Column Plots in 12
Does the main washing effect of soap come from foam?
Simple Line in LaTeX Help!
Does the Rock Gnome trait Artificer's Lore apply when you aren't proficient in History?
Twin's vs. Twins'
Find general formula for the terms
First paper to introduce the "principal-agent problem"
Is XSS in canonical link possible?
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)XSS triggered but chrome didn't show popup. What exactly was going on?Stored Cross-Site Scripting Without Parentheses or SpacesXSS using JSF**kA possible router XSS vulnerabilityDoubt Vulnerability XSSLink shortener that virtualizes link for reflected XSS?Is this XSS filter vulnerableIs it possible to perform a XSS attack in the title/subtitle of a webpage?How to stop JS from executing when passed in as a parameter to the URL? (no script tags)XSS using User Agent, Possible?How does OWASP ZAP find Reflected XSS?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).
It is visible in source code but javascript did not execute.
I also tried with onload event but same result.
Is there a way an attacker can use different payload to execute javascript ?
penetration-test xss
asked Mar 24 at 12:31
RahulRahul
191211
add a comment |
During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).
It is visible in source code but javascript did not execute.
I also tried with onload event but same result.
Is there a way an attacker can use different payload to execute javascript ?
penetration-test xss
asked Mar 24 at 12:31
RahulRahul
191211
4
How about a>?
– Bergi
Mar 24 at 21:40
@Bergi: Could you be more specific ?
– Rahul
Mar 25 at 6:54
1
You say that"is not properly escaped in the link tag attribute. Does it also accept>or<without transforming it to an entity reference?
– Bergi
Mar 25 at 7:18
@Bergi: No it does not. They are filtered out.
– Rahul
Mar 25 at 9:42
add a comment |
During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).
It is visible in source code but javascript did not execute.
I also tried with onload event but same result.
Is there a way an attacker can use different payload to execute javascript ?
penetration-test xss
asked Mar 24 at 12:31
RahulRahul
191211
During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).
It is visible in source code but javascript did not execute.
I also tried with onload event but same result.
Is there a way an attacker can use different payload to execute javascript ?
penetration-test xss
penetration-test xss
asked Mar 24 at 12:31
RahulRahul
191211
asked Mar 24 at 12:31
RahulRahul
191211
edited Mar 24 at 12:39
Rahul
asked Mar 24 at 12:31
RahulRahul
191211
asked Mar 24 at 12:31
RahulRahul
191211
asked Mar 24 at 12:31
RahulRahul
191211
191211
4
How about a>?
– Bergi
Mar 24 at 21:40
@Bergi: Could you be more specific ?
– Rahul
Mar 25 at 6:54
1
You say that"is not properly escaped in the link tag attribute. Does it also accept>or<without transforming it to an entity reference?
– Bergi
Mar 25 at 7:18
@Bergi: No it does not. They are filtered out.
– Rahul
Mar 25 at 9:42
add a comment |
4
How about a>?
– Bergi
Mar 24 at 21:40
@Bergi: Could you be more specific ?
– Rahul
Mar 25 at 6:54
1
You say that"is not properly escaped in the link tag attribute. Does it also accept>or<without transforming it to an entity reference?
– Bergi
Mar 25 at 7:18
@Bergi: No it does not. They are filtered out.
– Rahul
Mar 25 at 9:42
4
4
How about a
>?– Bergi
Mar 24 at 21:40
How about a
>?– Bergi
Mar 24 at 21:40
@Bergi: Could you be more specific ?
– Rahul
Mar 25 at 6:54
@Bergi: Could you be more specific ?
– Rahul
Mar 25 at 6:54
1
1
You say that
" is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?– Bergi
Mar 25 at 7:18
You say that
" is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?– Bergi
Mar 25 at 7:18
@Bergi: No it does not. They are filtered out.
– Rahul
Mar 25 at 9:42
@Bergi: No it does not. They are filtered out.
– Rahul
Mar 25 at 9:42
add a comment |
1 Answer
1
active
oldest
votes
You can use the same trick as can be used with hidden inputs:
<link rel="canonical" accesskey="X" onclick="alert(1)" />
On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.
Other than that, I see no way to exploit this in a modern browser without further code.
While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:
<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">
If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).
The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.
I tried all other event attributes, and none trigger on a normal page load.
This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.
If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).
answered Mar 24 at 15:46
timtim
24.9k674103
Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
– Rahul
Mar 24 at 18:09
How to fix the issue then?
– Nigel Fds
Mar 25 at 0:56
1
@NigelFds: By filtering out characters like ", < and >.
– Rahul
Mar 25 at 6:56
1
@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
– tim
Mar 25 at 8:56
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205975%2fis-xss-in-canonical-link-possible%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
You can use the same trick as can be used with hidden inputs:
<link rel="canonical" accesskey="X" onclick="alert(1)" />
On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.
Other than that, I see no way to exploit this in a modern browser without further code.
While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:
<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">
If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).
The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.
I tried all other event attributes, and none trigger on a normal page load.
This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.
If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).
answered Mar 24 at 15:46
timtim
24.9k674103
Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
– Rahul
Mar 24 at 18:09
How to fix the issue then?
– Nigel Fds
Mar 25 at 0:56
1
@NigelFds: By filtering out characters like ", < and >.
– Rahul
Mar 25 at 6:56
1
@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
– tim
Mar 25 at 8:56
add a comment |
You can use the same trick as can be used with hidden inputs:
<link rel="canonical" accesskey="X" onclick="alert(1)" />
On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.
Other than that, I see no way to exploit this in a modern browser without further code.
While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:
<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">
If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).
The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.
I tried all other event attributes, and none trigger on a normal page load.
This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.
If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).
answered Mar 24 at 15:46
timtim
24.9k674103
Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
– Rahul
Mar 24 at 18:09
How to fix the issue then?
– Nigel Fds
Mar 25 at 0:56
1
@NigelFds: By filtering out characters like ", < and >.
– Rahul
Mar 25 at 6:56
1
@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
– tim
Mar 25 at 8:56
add a comment |
You can use the same trick as can be used with hidden inputs:
<link rel="canonical" accesskey="X" onclick="alert(1)" />
On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.
Other than that, I see no way to exploit this in a modern browser without further code.
While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:
<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">
If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).
The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.
I tried all other event attributes, and none trigger on a normal page load.
This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.
If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).
answered Mar 24 at 15:46
timtim
24.9k674103
You can use the same trick as can be used with hidden inputs:
<link rel="canonical" accesskey="X" onclick="alert(1)" />
On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.
Other than that, I see no way to exploit this in a modern browser without further code.
While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:
<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">
If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).
The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.
I tried all other event attributes, and none trigger on a normal page load.
This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.
If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).
answered Mar 24 at 15:46
timtim
24.9k674103
edited Mar 24 at 21:50
answered Mar 24 at 15:46
timtim
24.9k674103
answered Mar 24 at 15:46
timtim
24.9k674103
answered Mar 24 at 15:46
timtim
24.9k674103
24.9k674103
Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
– Rahul
Mar 24 at 18:09
How to fix the issue then?
– Nigel Fds
Mar 25 at 0:56
1
@NigelFds: By filtering out characters like ", < and >.
– Rahul
Mar 25 at 6:56
1
@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
– tim
Mar 25 at 8:56
add a comment |
Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
– Rahul
Mar 24 at 18:09
How to fix the issue then?
– Nigel Fds
Mar 25 at 0:56
1
@NigelFds: By filtering out characters like ", < and >.
– Rahul
Mar 25 at 6:56
1
@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
– tim
Mar 25 at 8:56
Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
– Rahul
Mar 24 at 18:09
Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
– Rahul
Mar 24 at 18:09
How to fix the issue then?
– Nigel Fds
Mar 25 at 0:56
How to fix the issue then?
– Nigel Fds
Mar 25 at 0:56
1
1
@NigelFds: By filtering out characters like ", < and >.
– Rahul
Mar 25 at 6:56
@NigelFds: By filtering out characters like ", < and >.
– Rahul
Mar 25 at 6:56
1
1
@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
– tim
Mar 25 at 8:56
@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
– tim
Mar 25 at 8:56
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205975%2fis-xss-in-canonical-link-possible%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
How about a
>?– Bergi
Mar 24 at 21:40
@Bergi: Could you be more specific ?
– Rahul
Mar 25 at 6:54
1
You say that
"is not properly escaped in the link tag attribute. Does it also accept>or<without transforming it to an entity reference?– Bergi
Mar 25 at 7:18
@Bergi: No it does not. They are filtered out.
– Rahul
Mar 25 at 9:42