search

OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International
27.06k stars 3.79k forks source link

Update: [XSS Filter Evasion Cheat Sheet] #1395

Open jeremyZX opened 2 months ago

jeremyZX commented 2 months ago

What is missing or needs to be updated?

Modern browsers generally ignore javascript: in <img> src attributes. Most of the examples listed which would execute javascript within an <img> src attribute no longer work, and may provide a false sense of security to development teams who are attempting to mitigate XSS while ignoring the examples which utilize <img src>.

However, the advice is still good, and almost entirely applicable if the examples are updated to <a> and href, instead.

How should this be resolved?

Update any example in the cheatsheet which relies on the execution of javascript in the src attribute of an <img> tag to use <a> and href.

mackowski commented 1 month ago

@jmanico and @kwwall what do you think about this?

jmanico commented 1 month ago

I haven't done the tests. I'm not sure if this is accurate out but if it is, I think it's a good edit.

kwwall commented 1 month ago

When I worked at WF doing secure code reviews, unless the application under review was explicitly checking the User-Agent request header and rejecting certain browsers, we always assumed that someone, somewhere was using an ancient browser so the code had to protect against that, including any malformed markup that it would accept that could lead to an exploitable vulnerability. (In fact, there was a standing joke that someone's grandparent would pull out their old Windows XP laptop out of the closet, fire it up, and do online banking using MSIE 6. :)

That said, I think that should be the working assumption here. We should note that javascript: is likely not to work as the src attribute value on the <img> tag for modern browsers, but I don't think we should just delete that text and simply replace it with the newer suggestion. Instead, just suggest the preferred way would be to try javascript:on href attribute for <a>.

The reason I don't think it should be deleted though is companies that are not checking UA for old browsers that accept javascript: for <img> src attribute may still find themselves liable for XSS that happens to their clients using those older browsers when grandma pulls out her XP laptop to use on some company's application. And even if liability were not an issue, if nothing else, it could still get spun as a negative news story sullying a company's reputation in not caring about their older or poorer clientele and reputational damage is important, especially for publicly traded companies.