All user input must be properly escaped and encoded to prevent cross-site scripting. While the idea of sanitizing user input is nothing new to most developers, many of them encode special characters and fail to account for how the resulting document will handle the input. HTML encoding a value without also escaping it for the context it lands in (here, a JavaScript string inside an event handler) can lead to malicious code execution in the DOM.
Be sure to note that all of the following descriptions and comments depend on how the application output-encodes the related content and, therefore, may not reflect the actual injection.
<img src="CoolPic.jpg" onclick="doSomethingCool('userInput');" />
Now here’s the same image after it has been hijacked by an attacker with an encoded payload:
<img src="CoolPic.jpg" onclick="doSomethingCool('userInput');sendHaxor(document.cookie);//');" />
The hacker’s injection uses HTML decimal entity encoding with multiple leading zeros to show that browsers accept zero-padded entities. When a user interacts with the altered image, the DOM will evaluate the original function, followed by the hacker’s injection, followed by double slashes that comment out the trailing characters of the original syntax. All of the character encodings presented immediately below will work across all current browsers, with the exception of the named HTML entity for the apostrophe (&apos;) in Internet Explorer.
<a href="doSomethingCool('userInput');">Cool Link</a>
The hacker likes the “super-cool” link so much that he decides to add his own content to capture the user’s session:
<a href="doSomethingCool('userInput%27);sendHaxor(document.cookie);//');">Cool Link</a>
<img src="CoolPic.jpg" onclick="doSomethingCool('userInput\\\');attackerBlocked();//');" />
Jason Calvert @mystech7
Application Security Engineer
WhiteHat Security, Inc.