Small XSS Paper : Dangerous HREF Attributes which don't have quotes
Some web application doesn't care about web standards. Using quotes in "href" attributes in links is important for standards and also it's important for security.
Developer can fix XSS attacks by filtering these strings but if they don't use quotes in their links they still vulnerable.
POC & Details;
Possible Attack URL;
- This will not work because we already filtered HTML.
But this works;
I injected XSS via style::expression() method because we still can not use quotes and brackets.
Hijacking onclick action; If you hijack onclick it will be executed when victim clicks to link.
Some Realword Examples;
Inject an image to page which send cookie to attacker server (ie : http://attacker/ )
Redirect Page to http://attacker/?[cookies] URL with active user cookie.
This code will execute this JS when browser renders link;
- I use String.fromCharCode() in these samples because of our victim filtered out HTML so I still can not use brackets and some other special chars. Go http://ferruh.mavituna.com/stringfromcharcode.asp for online String.fromCharCode() generator.
How to protect ?;
Use quotes to fix this problem.
Secure HTML Code;
Author;Ferruh Mavituna http://ferruh.mavituna.com