Saturday, July 12, 2014
Posted by Paulos Yibelo
8 comments | 3:17 AM
Well, I don't know how to break it down for you: you just can't (if the function is used properly and exactly where it should be). But it is more probable that most developers don't use it the right way, since it is almost the norm for some developers to misuse built-in functions :P. So I will talk about some of the cases I came across while pentesting. htmlentities() and htmlspecialchars() are functions mainly developed to filter out cross-site scripting attacks.
Also, the value attribute in HTML is not vulnerable on its own, since it only accepts strings, and we need something that can execute script: an attribute such as href or onclick would do. But who would make such a foolish mistake, right? Well, you wouldn't believe me if I told you that even big companies like Facebook do.
Have code like this?
print '<img src="'.htmlentities($url).'">';
print "<a href='".htmlentities($url)."'>Click Here</a>";
becomes something like
A hope! We broke out of the attribute, so giving values like
will output html source like
So wow… our final payload to bypass the filter would look something like
paulos’ onfocus=alert(0); autofocus
would successfully bypass the function htmlentities and print out the source
<a href='paulos' onfocus=alert(0) autofocus>Click Here</a>
Successful exploitation of the function htmlentities. So why not use the flag that also encodes the single quote (') and make our code secure? Something like
print "<a href='".htmlentities($url, ENT_QUOTES)."'>Click Here</a>";
print "<input type='text' value=".htmlentities("$value").">";
Even when using ENT_QUOTES, an unquoted value attribute is still vulnerable. A value like
will successfully break out of the value attribute and produce HTML like
<input type='text' value=paulos onmouseover=alert(1);>
So not using quotes made us vulnerable; we will just use quotes, then. Well, I recommend not using single quotes: that is when your code becomes vulnerable the moment you forget the ENT_QUOTES flag, which you probably will.
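As an added example (not code from the original post), here are the templates above as PHP functions fed the post's own payloads, beside a hardened helper and a DOM-based check that counts attributes so a breakout is visible without a browser. The function names and the sample strings are my own, standing in for request input.

```php
<?php
// Added example, not code from the original post. It reproduces the post's
// templates as functions, feeds them the post's payloads (constructed
// strings standing in for request input), and adds a hardened helper plus a
// DOM-based check that counts attributes to show whether a breakout occurred.

// Hardened helper: encode both quote types and always quote the attribute.
function attr(string $value): string {
    // ENT_QUOTES also encodes the single quote (as &#039;); ENT_SUBSTITUTE
    // replaces invalid byte sequences instead of returning ""; the explicit
    // UTF-8 charset matches what the page itself should declare.
    return '"' . htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

// Post's template 1: single-quoted attribute. ENT_COMPAT pins the pre-8.1
// default (PHP 8.1 switched the default to ENT_QUOTES), so ' passes through.
function link_single_quoted(string $url): string {
    return "<a href='" . htmlentities($url, ENT_COMPAT) . "'>Click Here</a>";
}

// Post's template 2: unquoted attribute. ENT_QUOTES cannot help here, because
// a plain space already terminates the value.
function input_unquoted(string $value): string {
    return "<input type='text' value=" . htmlentities($value, ENT_QUOTES) . ">";
}

// Hardened version of template 1: quoted attribute plus ENT_QUOTES.
function link_hardened(string $url): string {
    return "<a href=" . attr($url) . ">Click Here</a>";
}

// Defender's check: parse the fragment and count attributes on the element.
// More attributes than the template wrote means the value broke out.
function attribute_count(string $html, string $tag): int {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $el = $doc->getElementsByTagName($tag)->item(0);
    return $el ? $el->attributes->length : 0;
}

$payloads = ["paulos' onfocus=alert(0); autofocus", "paulos onmouseover=alert(1);"];
foreach ($payloads as $p) {
    foreach (['link_single_quoted' => 'a', 'input_unquoted' => 'input',
              'link_hardened' => 'a'] as $fn => $tag) {
        $html = $fn($p);
        printf("%-19s attrs=%d  %s\n", $fn, attribute_count($html, $tag), $html);
    }
}
```

Only the hardened template keeps the element at a single href attribute for both payloads; the two vulnerable templates grow extra attributes, which is the signal a test in your own code base can assert on.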
But this isn't all. Attackers can still attack your application using a different character set, UTF-7, even when htmlentities is used properly, so unless you protect your code by declaring your charset as UTF-8 (or any charset other than UTF-7), you are still vulnerable to XSS. But more on that another time…