I am testing a web application where input from the user is inserted without encoding into the response, but the content type of the response is text/javascript;charset=UTF-8.

Input from two parameters from the user application returns inside the JavaScript like this:

throw 'allowScriptTagRemoting is false.';
//#DWR-INSERT
//#DWR-REPLY
var s0={};
dwr.engine._remoteHandleCallback('1','0',{application:"param1",changedParts:null,module:"param2",nextModule:null,reload:true,showDialog:false,strokeActions:s0,viewMember:""});

But when I try to terminate the remoteHandleCallback call by inserting " and }, these characters are escaped with a backslash and treated as part of the string, for example:

application:"\"param1"

Is this a proper defense against XSS and other vulnerabilities?

Anders
user187205

1 Answer

Since the response type is text/javascript, this is probably a js file being loaded and used. Loading this file directly in the browser will most likely not trigger an XSS even if you could inject the payload because of the content type not being text/html. See the following question for more info. If the response header content-type-options: nosniff is included, the risk is reduced further.

Since both " and } are properly encoded, it will be difficult to exploit. You could try different encodings to bypass the security encoding.

So all in all it looks like a proper defence against XSS.

Silver
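As an added illustration of what the answer calls "properly encoded" (this is example code written for this page, not DWR's own implementation), the block below builds a reply in the same shape as the one in the question, embeds the two user-controlled values as JavaScript string literals via a backslash-escaping helper, and then evaluates the generated script against a stub dwr.engine to confirm that a value containing " and } comes back unchanged instead of closing the literal. The helper also escapes U+2028/U+2029 and <, which matter if such a script is ever evaluated inline in HTML; those two additions go beyond what the question shows and are the example's own choice.

```javascript
// Added example, not DWR's code: escape a value so it can be embedded as a
// double-quoted JS string literal inside a text/javascript response.
function jsStringLiteral(value) {
  // JSON.stringify backslash-escapes ", \ and control characters (\n, \r, ...),
  // which is exactly the behaviour observed in the question ("\"param1").
  return JSON.stringify(String(value))
    // U+2028/U+2029 are legal inside JSON strings but are line terminators in
    // older JS engines; escape them so they cannot break the literal.
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    // '<' is escaped so "</script>" can never appear literally in the output,
    // in case the script is ever inlined into an HTML page.
    .replace(/</g, '\\u003c');
}

// Build a reply in the same layout as the one quoted in the question, with the
// two user-controlled fields (application, module) passed through the helper.
function buildDwrReply(application, module) {
  return [
    "throw 'allowScriptTagRemoting is false.';",
    '//#DWR-INSERT',
    '//#DWR-REPLY',
    'var s0={};',
    `dwr.engine._remoteHandleCallback('1','0',{application:${jsStringLiteral(application)},` +
      `changedParts:null,module:${jsStringLiteral(module)},nextModule:null,reload:true,` +
      'showDialog:false,strokeActions:s0,viewMember:""});',
  ].join('\n');
}

// Round-trip check: evaluate the generated script with a stub dwr.engine and
// return the object the callback received. If any input had escaped the string
// literal, the object would differ from the inputs or evaluation would throw.
function roundTrip(application, module) {
  const script = buildDwrReply(application, module);
  // The leading throw line is dropped here (in this example only) so the rest
  // of the body can be evaluated.
  const body = script.split('\n').slice(1).join('\n');
  let captured = null;
  const dwr = {
    engine: {
      _remoteHandleCallback: (_batchId, _callId, obj) => { captured = obj; },
    },
  };
  new Function('dwr', body)(dwr);
  return captured;
}

// Constructed sample inputs: a quote-and-brace breakout attempt like the one in
// the question, and a value containing a closing script tag.
const sampleApplication = '"},x:1,{"';
const sampleModule = 'x</script>';
const result = roundTrip(sampleApplication, sampleModule);
console.log(result.application === sampleApplication, result.module === sampleModule);
```

The check that matters for a reviewer is the round trip: whatever was supplied as application and module must come back identical from the callback, and the generated text must never contain a bare " or </script> originating from user input.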