
Is it possible to bypass an XSS filter where < and " are encoded as &lt; and &quot;, but > is not escaped?

My data is injected into an HTML value attribute. However, I can't get out of it since " is escaped.

Characters that are filtered:

'';!--"<XSS>=&{()}

are evaluated as:

&#39;&#39;;!--&quot;&lt;XSS>=&amp;{()}
Arminius
Ogglas
  • In a way, this is a duplicate of [HTML: Should I encode greater than or not? ( > > )](http://stackoverflow.com/questions/9010678/html-should-i-encode-greater-than-or-not-gt). – 700 Software Nov 10 '16 at 17:20

1 Answer


No: if " is properly escaped, there is no way to get beyond the HTML attribute value.

Your browser parses HTML as a state machine. To verify which state transitions are possible with your available characters, you can look up the state in the HTML5 syntax specification. In your case, these are the options:

8.2.4.38 Attribute value (double-quoted) state

Consume the next input character:

U+0022 QUOTATION MARK (")
    Switch to the after attribute value (quoted) state.
U+0026 AMPERSAND (&)
    Switch to the character reference in attribute value state, with the additional allowed character being U+0022 QUOTATION MARK (").
U+0000 NULL
    Parse error. Append a U+FFFD REPLACEMENT CHARACTER character to the current attribute's value.
EOF
    Parse error. Switch to the data state. Reconsume the EOF character.
Anything else
    Append the current input character to the current attribute's value.

As you can see, the only way to get out of the quoted attribute value state is via the corresponding quotation mark (" or ', respectively). Any other character just adds to the current attribute's value. Even angle brackets and control characters have no special meaning inside an attribute.

So, in this particular case it's also irrelevant how < and > are handled. This does not trigger:

<input type="text" value="<script>alert('No bounty for you.')</script>">
Arminius