Today's Question:  What are you most afraid of as a programmer?        GIVE A SHOUT

Technical Article => Security =>  Server Security

Some hidden XSS injection vulnerabilities

  Peter      2012-08-27 20:32:08      4,964    0    0

XSS injection refers to a Web page generates some unexpected executable js codes based on user input  and these executable codes are executed by web browser,i.e, the source code sent to web browser by the server contains some illegal js codes, and these illegal js codes are related to user's input.

Common XSS injection vulnerabilities can be fixed with some functions such as htmlspecialchars(escaping HTML special characters) and strip_tags() or similar, but there are some hidden XSS injection vulnerabilities can not be fixed by the two functions above, and sometimes we are not allowed to remove HTML tags and special characters as business requirement. Here are two hidden XSS injection vulnerabilities we may encounter:

IE6/7 UTF7 XSS injection vulnerability

Hidden Index: 5

Damage Index: 5

This vulnerability is very subtle since the page only contains letters of the alphabets (ASCII character) and no illegal characters. htmlspecialchars and strip_tags functions do not work in this attack. However, this attack only works in IE6/IE7, from IE8, Microsoft has fixed this vulnerability. You can save the following codes to a text file(do not have spaces and line breaks at the beginning), and then open it with IE6 (no malicious code, just a demo):


JSONP applications are easy to be attacked by this method. The solution is to filter out all non-alpha, non-numeric character and non-underline or output spaces or line breaks at the beginning.

This attack only impact old version of IE6/IE7, Firefox / Chrome are not affected.

Incorrect concatenation of JavaScript / JSON code segment

Hidden Index: 5

Damage Index: 5

Web front-end programmers often add some dynamically generated JavaScript codes in PHP code or some template language, for example, the most common:

var a = '<?php echo htmlspecialchars ($ name); ?>';

$name may be entered by the user, and if the user enters a '; alert (1); , illegal JavaScript code are generated, that is XSS injection.

Before solving the problem, we need to think about what is the root cause of the problem? The root cause is that programmers can use string to control the whole world, but do not use the correct method to generate the correct string, instead they use a powerful but original "handmade string concatenation" method.

Just need to change the code above:

var a = <?php echo json_encode ($ name);?>;

Remove the single quotes and use PHP's json_encode() to generate a string that represents the string. You had better use json_encode() to generate all the JSON strings, instead of trying to concatenate the JSON string yourself. Unfortunately, programmers always make this mistake.

This vulnerability impacts all common browsers.

Useful tips:
● output HTML code using htmlspecialchars() or similar functions
● output JavaScript code using json_encode() or similar functions

Reference :



Share on Facebook  Share on Twitter  Share on Google+  Share on Weibo  Share on Reddit  Share on Digg  Share on Tumblr    Delicious



No comment for this article.


Project Ara, Another of Google’s Speculation. This time for modular phones

By hanryjames
Google is very adamant with the test of their new modular phones, nicknamed as Project Ara. The company is auspicious about the new concept where consumers can design their own phones by assembling parts from different manufacturers. The company is hopeful that there will be 20 to 30 interchangeable