[gnso-rds-pdp-wg] Additional JSON Flaws

nathalie coupet nathaliecoupet at yahoo.com
Wed Jun 8 21:39:32 UTC 2016


The following is a JavaScript security flaw:

<script>
  var str = "</script><script>alert('Pwned');</script>";
</script>

The browser ignores the fact that the <script> tags are inside a JavaScript String, invoking the alert() function.

The reason for this odd behavior is that the page gets rendered in various stages. First the HTML is parsed, and a render tree created. Only then is the JavaScript actually executed. In the example above, the render tree sees the <script> tags, and is oblivious to the fact that they're inside a string; it has no concept of JavaScript. It strips these out, and evaluates the script nodes as usual with our injected message.

This behavior would be little more than a curiosity, were it not for the common pattern of injecting JSON into documents, say with ERB.

<script>
  var users = <%= @users.to_json.html_safe %>;
</script>

If you have the line above anywhere in your code, and @users includes some user submitted data, your application is vulnerable to a XSS attack. [SM-D01-R01]

If you're using Rails, thwart this vulnerability by setting ActiveSupport.escape_html_entities_in_json to true. The default is false.

A JavaScript Security Flaw • Alex MacCaw
Nathalie Coupet 
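Added example (not part of the message above or of Alex MacCaw's post): a small Ruby script that renders the same "JSON inside a <script> tag" pattern both the unsafe way and with the `<`, `>` and `&` characters escaped as JSON `\uXXXX` sequences, which is the idea behind Rails' escape_html_entities_in_json. The json_for_script, unsafe_script_tag, safe_script_tag and breaks_out? functions and the USERS sample are constructed for this illustration; json_for_script is an illustrative reimplementation, not the Rails code itself.

```ruby
require 'json'

# Characters that let a JSON value terminate the enclosing <script> block
# (or, for U+2028/U+2029, break a JavaScript string literal). Inside a JSON
# string "\u003c" decodes to "<", so JSON.parse sees identical data while the
# HTML parser never encounters a literal "</script>".
# Assumption: this mirrors what ActiveSupport.escape_html_entities_in_json
# does; it is an illustrative reimplementation, not the Rails code.
SCRIPT_SAFE_ESCAPES = {
  '<' => '\u003c',
  '>' => '\u003e',
  '&' => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# JSON that is safe to drop into a <script> element.
def json_for_script(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/, SCRIPT_SAFE_ESCAPES)
end

# Constructed sample data: one user-controlled field carries the breakout
# sequence quoted in the message above.
USERS = [
  { 'id' => 1, 'name' => 'alice' },
  { 'id' => 2, 'name' => "</script><script>alert('Pwned');</script>" }
].freeze

# The pattern from the message: raw to_json output inside a <script> tag.
def unsafe_script_tag(users)
  "<script> var users = #{JSON.generate(users)}; </script>"
end

# Same page fragment, with the JSON escaped for script context.
def safe_script_tag(users)
  "<script> var users = #{json_for_script(users)}; </script>"
end

# Crude detector for the flaw: the HTML parser ends the script element at the
# first "</script>" it sees, so more than one closing tag in a fragment that
# should contain exactly one means the data has escaped the script block.
def breaks_out?(html)
  html.scan(%r{</script>}i).size > 1
end

if __FILE__ == $0
  puts unsafe_script_tag(USERS)
  puts "breaks out: #{breaks_out?(unsafe_script_tag(USERS))}"   # true
  puts safe_script_tag(USERS)
  puts "breaks out: #{breaks_out?(safe_script_tag(USERS))}"     # false
end
```

The escaped form stays valid JSON and decodes to exactly the original objects, so the JavaScript on the page is unaffected; only the HTML parser's view of the document changes. The breaks_out? check is a rough regression test for templates, not a substitute for escaping at render time.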
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160608/eeba415c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Additional JSON Flaws.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 14085 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160608/eeba415c/AdditionalJSONFlaws.docx>

