Tream Tream - 2 months ago 14
PHP Question

XSS: How is this save?

I have following code:

echo "<span title='{$_GET["t"]}'>Foo</span>";


Obviously, this code is not XSS-Save, but when I call following URLs, no JavaScript is executed:


  1. url?t=Foo" onclick="alert(1)"

  2. url?t=<script>alert(1);</script>



Is the browser doing some magic work here? Is there any attack vector?

Answer

Why should it be? You'd be generating the following:

  1. <span title='Foo" onclick="alert(1)"'>Foo</span>
  2. <span title='<script>alert(1)</script>'>Foo</span>

Neither of which are valid html/javascript. The first one has mismatches in the quotes, so the tags are broken. The second one doesn't have javascript. it has a title attribute containing the characters <, s, c, etc... That's not javascript. It's just some TEXT that LOOKS like javascript.

To do XSS, whatever you inject HAS to produce valid code, otherwise it's just a syntax error for whatever environment you're injecting.

A working example would be:

http://example.com/script.php?t='><script>alert('1');</script><span+title='

which would generate

<span title=''><script>alert('1');</script><span title=''>Foo</span>
xxxxxxxxxxxxx0000000000000000000000000000000000000000000xxxxxxxxxxxx

Where x represents the original document, and 0 represents what you injected.

Comments