[gnso-rds-pdp-wg] Additional JSON Flaws

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Wed Jun 8 22:01:47 UTC 2016


Clearly this is a lot of work, Nathalie, for which many thanks.  I don't 
quite understand what this document has to do with the RDS exercise 
though, would you mind explaining the link?

Kind regards,

Stephanie Perrin


On 2016-06-08 17:39, nathalie coupet via gnso-rds-pdp-wg wrote:
> The following is a JavaScript security flaw:
> <script>
> var str = "</script><script>alert('Pwned');</script>";
> </script>
> The browser ignores the fact that the <script> tags are inside a 
> JavaScript String, invoking the alert() function.
> The reason for this odd behavior is that the page gets rendered in 
> various stages. First the HTML is parsed, and a render tree created. 
> Only then, is the JavaScript actually executed. In the example above, 
> the render tree sees the <script> tags, and is oblivious to the fact 
> that they’re inside a string; it has no concept of JavaScript. It 
> strips these out, and evaluates the script nodes as usual with our 
> injected message.
> This behavior would be little more than a curiosity, were it not for 
> the common pattern of injecting JSON into documents, say with ERB.
> <script>
> var users = <%= @users.to_json.html_safe %>;
> </script>
> If you have the line above anywhere in your code, and @users includes 
> some user submitted data, your application is vulnerable to a XSS attack.
> [SM-D01-R01] If you’re using Rails, thwart this vulnerability by 
> setting ActiveSupport.escape_html_entities_in_json to true. The default 
> is false.
> A JavaScript Security Flaw • Alex MacCaw 
> <https://blog.alexmaccaw.com/a-javascript-security-flaw>
>
> Nathalie Coupet
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
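
The quoted post describes the breakout but does not show what the escaped 
output looks like or why it is still valid JSON. The block below is an added 
example, not code from this thread or from the blog post it quotes. It models 
the one HTML tokenizer rule that matters (script content ends at the first 
"</script", regardless of JavaScript string syntax), renders the quoted ERB 
line with a naive and with an escaped serialiser, and checks that the escaped 
form decodes back to the same data. The escaping applied is the \u003c, \u003e, 
\u0026 rewrite that Rails performs when escape_html_entities_in_json is true; 
the function and variable names (users, safeJsonForScript, scriptBodies) are 
illustrative and not a real API.

```javascript
// Added example, not code from the thread or from the blog post it quotes.
// Names (users, safeJsonForScript, scriptBodies, renderScript) are illustrative.

// Constructed sample data: the second record carries an attacker-chosen name.
const users = [
  { id: 1, name: "alice" },
  { id: 2, name: "</script><script>alert('Pwned');</script>" },
];

// Naive serialisation, equivalent to @users.to_json.html_safe with no
// HTML-entity escaping: the raw "</script>" survives into the page.
function naiveJsonForScript(value) {
  return JSON.stringify(value);
}

// Hardened serialisation: rewrite "<", ">" and "&" (plus the U+2028/U+2029
// line terminators) as JSON \uXXXX escapes. This is the rewrite Rails applies
// when ActiveSupport.escape_html_entities_in_json is true. The output is still
// valid JSON and decodes to the same value; it simply no longer contains the
// bytes the HTML tokenizer reacts to.
function safeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The ERB template from the quoted post, rendered with either serialiser.
function renderScript(json) {
  return "<script>\nvar users = " + json + ";\n</script>";
}

// A minimal model of the relevant HTML tokenizer rule: script content runs
// from "<script>" to the first case-insensitive "</script", with no regard
// for JavaScript string literals. Returns the script bodies a browser would
// hand to the JavaScript engine, in order.
function scriptBodies(html) {
  const bodies = [];
  const lower = html.toLowerCase();
  let pos = 0;
  for (;;) {
    const open = lower.indexOf("<script>", pos);
    if (open === -1) break;
    const start = open + "<script>".length;
    let close = lower.indexOf("</script", start);
    if (close === -1) close = html.length;
    bodies.push(html.slice(start, close));
    pos = close + "</script".length;
  }
  return bodies;
}

// Compare what the browser would execute for the two renderings.
function compare() {
  const naive = scriptBodies(renderScript(naiveJsonForScript(users)));
  const safe = scriptBodies(renderScript(safeJsonForScript(users)));
  return {
    naiveBlocks: naive.length,          // 2: the injected script is a separate block
    injectedBody: naive[1],             // "alert('Pwned');"
    safeBlocks: safe.length,            // 1: only the intended block remains
    roundTrips: JSON.stringify(JSON.parse(safeJsonForScript(users))) ===
      JSON.stringify(users),            // escaping did not alter the data
  };
}

console.log(compare());
```

Run with node. The point to take away is that the fix belongs in the 
serialiser, not in HTML-escaping the whole string: turning "<" into "&lt;" 
would corrupt the data, because entities are not decoded inside a script 
block, whereas "\u003c" is ordinary JSON that every parser decodes back to "<".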
