5

I'm having a debate with one of my colleagues over how to prevent an XSS attack through the encoding of specific characters. Will escaping the < character with &lt; do the trick?

When I review the attack vector cheat sheet published by OWASP, it seems that all attacks use the < character as the basis of execution.

If this does not work, what attack would beat it?

rynmrtn
  • The short answer is no, it's not enough. The long answer is it depends on the context of where the user data goes. In an attribute it definitely will not be safe. In the body of certain tags, etc... – ircmaxell Apr 02 '14 at 00:57
  • The user data goes into the body of HTML elements. Attributes are not set dynamically. – rynmrtn Apr 02 '14 at 01:42
  • Have a look at the [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_\(Cross_Site_Scripting\)_Prevention_Cheat_Sheet) and you’ll see it doesn’t suffice. It all depends on the context in which the injection happens. Besides that, there is also DOM-based XSS. – Gumbo Apr 02 '14 at 04:18
  • possible duplicate of [Will HTML Encoding prevent all kinds of XSS attacks?](http://stackoverflow.com/questions/53728/will-html-encoding-prevent-all-kinds-of-xss-attacks) – Gumbo Apr 02 '14 at 04:19

1 Answer

5

No, for the HTML body you will also need to encode the & character to prevent an attacker from potentially escaping the escape.

Check out the XSS Experimental Minimal Encoding Rules:-

HTML Body (up to HTML 4.01):

  • HTML Entity encode < &

  • specify charset in metatag to avoid UTF7 XSS

XHTML Body:

Note that if you want to enter stuff inside of an attribute value, then you need to properly encode all characters with special meaning. The XSS (Cross Site Scripting) Prevention Cheat Sheet mentions to encode the following characters:-

&, <, >, ", ', /

You must also quote the attribute value for the escaping to be effective.

SilverlightFox
  • Would love to know what attacks can be carried out using the `&` character. – rynmrtn May 20 '14 at 02:16
  • 2
    @rynmrtn: Have a look at the filter evasion cheat sheet you posted a link to in your question. `` is one. This would be valid if your app generates the `IMG` tag, and the `SRC` is set by user input. – SilverlightFox May 20 '14 at 08:01
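Added example (not from the question, the answer or the OWASP pages they cite): the two encoders the answer describes, body context versus attribute context, together with a check that shows why replacing only `<` fails once the user-controlled value lands in an `IMG SRC` attribute. The function names, the `data-injected` attribute name and the sample value are constructed for this illustration.

```javascript
// HTML body context (the minimal rules quoted in the answer): encode & and <.
// "&" is replaced first so an entity supplied by the user (e.g. "&lt;") stays
// literal text instead of being decoded by the browser ("escaping the escape").
function encodeForHtmlBody(input) {
  return String(input).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Attribute value context: encode the six characters the cheat sheet lists,
// & < > " ' /, and always emit the value inside double quotes.
const ATTR_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function encodeForHtmlAttribute(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => ATTR_MAP[ch]);
}

// Scenario from the comments: the app emits the IMG tag, the user supplies SRC.
function renderImgSafe(userSrc) {
  return `<img src="${encodeForHtmlAttribute(userSrc)}">`;
}

// The approach asked about in the question (only "<" replaced), for comparison.
function renderImgLessThanOnly(userSrc) {
  return `<img src="${String(userSrc).replace(/</g, "&lt;")}">`;
}

// Count name="..." attribute openers in a single tag. A value that closes the
// quoted attribute shows up as an extra attribute even though it has no "<".
function attributeCount(tag) {
  return (tag.match(/\s[a-zA-Z-]+="/g) || []).length;
}

// Constructed sample input: no "<" at all, just a quote that ends the attribute.
const SAMPLE_SRC = 'x" data-injected="1';

console.log(renderImgLessThanOnly(SAMPLE_SRC), attributeCount(renderImgLessThanOnly(SAMPLE_SRC)));
console.log(renderImgSafe(SAMPLE_SRC), attributeCount(renderImgSafe(SAMPLE_SRC)));
```

Running it prints two attributes for the `<`-only version and one for the encoded, quoted version; the body encoder likewise turns a user-supplied `&lt;` into `&amp;lt;` so it renders as the literal text `&lt;`.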