7

I have been performing some / / on my site recently and noticed that modern browsers (i.e. the latest FF and Chrome) are escaping the URLs entered into the address bar.

So:

http://example.com/search/?q="><script>alert('hi');</script>

is sent to my server as:

http://example.com/search/?q=%22%3e%3cscript%3ealert(%27hi%27)%3b%3c%2fscript%3e

Is there a list of all (major) browsers that do this and those that do not? Do mobile browsers do this?

Philip Pittle
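To make the question's observation concrete from the server's side, here is an added example (not code from the original post or from either answerer). It assumes a conforming browser percent-encodes every byte of a query value that is not in RFC 3986's unreserved set, which is stricter than what the question's browsers actually send (they left the parentheses alone), and it assumes the server framework hands the application the decoded value, as Python's `parse_qs` does. The names `percent_encode`, `server_side_query_value`, `reflect_unsafely` and `reflect_safely` are hypothetical helpers written for this example; the payload and URL are the ones from the question. The point it shows: the transport encoding is undone before the application sees the value, so it gives no protection against reflected XSS, and output encoding on the server is still what matters.

```python
import html
from urllib.parse import parse_qs, urlsplit

# RFC 3986 section 2.3 "unreserved" characters. Everything else in a query
# value is percent-encoded below (assumption: a conforming browser does at
# least this much; real browsers also leave some sub-delims such as "(" alone).
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

# Payload and URL taken from the question above (constructed input for the test).
PAYLOAD = "\"><script>alert('hi');</script>"
URL_AS_SENT = (
    "http://example.com/search/?q="
    "%22%3e%3cscript%3ealert(%27hi%27)%3b%3c%2fscript%3e"
)


def percent_encode(value: str) -> str:
    """Percent-encode a query value byte by byte, leaving only unreserved
    characters as-is. Hex case is not significant per RFC 3986; this emits
    uppercase, while the question's browser emitted lowercase."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in UNRESERVED else "%%%02X" % byte)
    return "".join(out)


def server_side_query_value(url: str, name: str) -> str:
    """What a typical server framework hands the application: the query
    parameter after percent-decoding. The browser's escaping is gone here."""
    query = urlsplit(url).query
    return parse_qs(query)[name][0]


def reflect_unsafely(value: str) -> str:
    """Reflecting the decoded value straight into HTML: the browser's
    percent-encoding did nothing to stop the script tag from reappearing."""
    return f"<p>Results for {value}</p>"


def reflect_safely(value: str) -> str:
    """The mitigation that actually matters: HTML-escape at output time."""
    return f"<p>Results for {html.escape(value, quote=True)}</p>"


if __name__ == "__main__":
    print("browser sends :", "http://example.com/search/?q=" + percent_encode(PAYLOAD))
    decoded = server_side_query_value(URL_AS_SENT, "q")
    print("server sees   :", decoded)
    print("unsafe output :", reflect_unsafely(decoded))
    print("safe output   :", reflect_safely(decoded))
```

Run it and compare the "server sees" line with the original payload: they are identical, which is why the escaping Philip sees on the wire is a transport detail rather than an XSS defence.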

2 Answers

2

I think all browsers escape the URLs except those having bugs and not following RFCs (RFC3986).

Dennis C
  • Do you know which RFC off hand? – Philip Pittle Sep 09 '14 at 13:31
  • According to RFC3986 http://tools.ietf.org/html/rfc3986 `2.4. Once produced, a URI is always in its percent-encoded form.`, and "query" can contain pct-encoded, ALPHA, DIGIT or a few other unreserved characters. "<" and ">" are none of them; they MUST be encoded. On the other side, some buggy browser (you know I mean IE) did accept unicode characters incorrectly in the previous version. – Dennis C Sep 09 '14 at 14:03
  • 1
    This sounds a little odd to me. The RFC is almost 10 years old, yet none of the examples on XSS I've seen have ever mentioned that FF and Chrome are generally immune to bad links as they escape urls properly and it's only an IE problem. I'm not saying it's wrong, but do you have any more evidence? – Philip Pittle Sep 09 '14 at 18:13
  • @PhilipPittle Sure, the IE team have blogged about it. http://blogs.msdn.com/b/ieinternals/archive/2014/04/22/internet-explorer-11-unicode-utf8-url-query-string-international.aspx – Dennis C Sep 25 '14 at 12:13
1

If I am not mistaken you can use http://browsershots.org/ or something similar to test it.

Example test: http://browsershots.org/requests/12461378

Margus
  • Nice tool but not really for this purpose. Going through all those screenshots just to see the URL.. – MarioDS Sep 09 '14 at 14:20
  • @MDeSchaepmeester The idea is that if this injection works you would see a popup in the image. This is not the best browser viewer (images expire very fast), but the idea remains. – Margus Sep 09 '14 at 14:25
  • Sorry, I should have been more clear, the example I gave above is only syntactical, it doesn't show a real attack. So while this tool is pretty cool, it's unfortunately not useful (AFAIK). The main browsers I have tried (FF, Chrome, IE) all mask the fact that they are doing this. In other words, you can't tell from the address bar that the url has been escaped. – Philip Pittle Sep 09 '14 at 18:02