Is XSS in canonical link possible?












13















During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).



enter image description here



It is visible in source code but javascript did not execute.



enter image description here



I also tried with onload event but same result.



Is there a way an attacker can use different payload to execute javascript ?










share|improve this question









New contributor




user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 4





    How about a >?

    – Bergi
    yesterday











  • @Bergi: Could you be more specific ?

    – user101
    22 hours ago






  • 1





    You say that " is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?

    – Bergi
    21 hours ago











  • @Bergi: No it does not. They are filtered out.

    – user101
    19 hours ago
















13















During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).



enter image description here



It is visible in source code but javascript did not execute.



enter image description here



I also tried with onload event but same result.



Is there a way an attacker can use different payload to execute javascript ?










share|improve this question









New contributor




user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 4





    How about a >?

    – Bergi
    yesterday











  • @Bergi: Could you be more specific ?

    – user101
    22 hours ago






  • 1





    You say that " is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?

    – Bergi
    21 hours ago











  • @Bergi: No it does not. They are filtered out.

    – user101
    19 hours ago














13












13








13


1






During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).



enter image description here



It is visible in source code but javascript did not execute.



enter image description here



I also tried with onload event but same result.



Is there a way an attacker can use different payload to execute javascript ?










share|improve this question









New contributor




user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).



enter image description here



It is visible in source code but javascript did not execute.



enter image description here



I also tried with onload event but same result.



Is there a way an attacker can use different payload to execute javascript ?







penetration-test xss






share|improve this question









New contributor




user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday







user101













New contributor




user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









user101user101

1685




1685




New contributor




user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 4





    How about a >?

    – Bergi
    yesterday











  • @Bergi: Could you be more specific ?

    – user101
    22 hours ago






  • 1





    You say that " is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?

    – Bergi
    21 hours ago











  • @Bergi: No it does not. They are filtered out.

    – user101
    19 hours ago














  • 4





    How about a >?

    – Bergi
    yesterday











  • @Bergi: Could you be more specific ?

    – user101
    22 hours ago






  • 1





    You say that " is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?

    – Bergi
    21 hours ago











  • @Bergi: No it does not. They are filtered out.

    – user101
    19 hours ago








4




4





How about a >?

– Bergi
yesterday





How about a >?

– Bergi
yesterday













@Bergi: Could you be more specific ?

– user101
22 hours ago





@Bergi: Could you be more specific ?

– user101
22 hours ago




1




1





You say that " is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?

– Bergi
21 hours ago





You say that " is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?

– Bergi
21 hours ago













@Bergi: No it does not. They are filtered out.

– user101
19 hours ago





@Bergi: No it does not. They are filtered out.

– user101
19 hours ago










1 Answer
1






active

oldest

votes


















12














You can use the same trick as can be used with hidden inputs:




<link rel="canonical" accesskey="X" onclick="alert(1)" />



On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.



Other than that, I see no way to exploit this in a modern browser without further code.



While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:



<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">


If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).



The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.



I tried all other event attributes, and none trigger on a normal page load.



This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.



If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).






share|improve this answer


























  • Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.

    – user101
    yesterday











  • How to fix the issue then?

    – Nigel Fds
    yesterday






  • 1





    @NigelFds: By filtering out characters like ", < and >.

    – user101
    22 hours ago








  • 1





    @NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).

    – tim
    20 hours ago













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






user101 is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205975%2fis-xss-in-canonical-link-possible%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









12














You can use the same trick as can be used with hidden inputs:




<link rel="canonical" accesskey="X" onclick="alert(1)" />



On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.



Other than that, I see no way to exploit this in a modern browser without further code.



While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:



<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">


If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).



The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.



I tried all other event attributes, and none trigger on a normal page load.



This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.



If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).






share|improve this answer


























  • Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.

    – user101
    yesterday











  • How to fix the issue then?

    – Nigel Fds
    yesterday






  • 1





    @NigelFds: By filtering out characters like ", < and >.

    – user101
    22 hours ago








  • 1





    @NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).

    – tim
    20 hours ago


















12














You can use the same trick as can be used with hidden inputs:




<link rel="canonical" accesskey="X" onclick="alert(1)" />



On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.



Other than that, I see no way to exploit this in a modern browser without further code.



While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:



<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">


If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).



The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.



I tried all other event attributes, and none trigger on a normal page load.



This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.



If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).






share|improve this answer


























  • Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.

    – user101
    yesterday











  • How to fix the issue then?

    – Nigel Fds
    yesterday






  • 1





    @NigelFds: By filtering out characters like ", < and >.

    – user101
    22 hours ago








  • 1





    @NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).

    – tim
    20 hours ago
















12












12








12







You can use the same trick as can be used with hidden inputs:




<link rel="canonical" accesskey="X" onclick="alert(1)" />



On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.



Other than that, I see no way to exploit this in a modern browser without further code.



While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:



<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">


If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).



The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.



I tried all other event attributes, and none trigger on a normal page load.



This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.



If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).






share|improve this answer















You can use the same trick as can be used with hidden inputs:




<link rel="canonical" accesskey="X" onclick="alert(1)" />



On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.



Other than that, I see no way to exploit this in a modern browser without further code.



While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:



<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">


If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).



The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.



I tried all other event attributes, and none trigger on a normal page load.



This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.



If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).







share|improve this answer














share|improve this answer



share|improve this answer








edited yesterday

























answered yesterday









timtim

24.2k668102




24.2k668102













  • Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.

    – user101
    yesterday











  • How to fix the issue then?

    – Nigel Fds
    yesterday






  • 1





    @NigelFds: By filtering out characters like ", < and >.

    – user101
    22 hours ago








  • 1





    @NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).

    – tim
    20 hours ago





















  • Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.

    – user101
    yesterday











  • How to fix the issue then?

    – Nigel Fds
    yesterday






  • 1





    @NigelFds: By filtering out characters like ", < and >.

    – user101
    22 hours ago








  • 1





    @NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).

    – tim
    20 hours ago



















Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.

– user101
yesterday





Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.

– user101
yesterday













How to fix the issue then?

– Nigel Fds
yesterday





How to fix the issue then?

– Nigel Fds
yesterday




1




1





@NigelFds: By filtering out characters like ", < and >.

– user101
22 hours ago







@NigelFds: By filtering out characters like ", < and >.

– user101
22 hours ago






1




1





@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).

– tim
20 hours ago







@NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).

– tim
20 hours ago












user101 is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















user101 is a new contributor. Be nice, and check out our Code of Conduct.













user101 is a new contributor. Be nice, and check out our Code of Conduct.












user101 is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205975%2fis-xss-in-canonical-link-possible%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Masuk log Menu navigasi

Identifying “long and narrow” polygons in with PostGISlength and width of polygonWhy postgis st_overlaps reports Qgis' “avoid intersections” generated polygon as overlapping with others?Adjusting polygons to boundary and filling holesDrawing polygons with fixed area?How to remove spikes in Polygons with PostGISDeleting sliver polygons after difference operation in QGIS?Snapping boundaries in PostGISSplit polygon into parts adding attributes based on underlying polygon in QGISSplitting overlap between polygons and assign to nearest polygon using PostGIS?Expanding polygons and clipping at midpoint?Removing Intersection of Buffers in Same Layers

Старые Смолеговицы Содержание История | География | Демография | Достопримечательности | Примечания | НавигацияHGЯOLHGЯOL41 206 832 01641 606 406 141Административно-территориальное деление Ленинградской области«Переписная оброчная книга Водской пятины 1500 года», С. 793«Карта Ингерманландии: Ивангорода, Яма, Копорья, Нотеборга», по материалам 1676 г.«Генеральная карта провинции Ингерманландии» Э. Белинга и А. Андерсина, 1704 г., составлена по материалам 1678 г.«Географический чертёж над Ижорскою землей со своими городами» Адриана Шонбека 1705 г.Новая и достоверная всей Ингерманландии ланткарта. Грав. А. Ростовцев. СПб., 1727 г.Топографическая карта Санкт-Петербургской губернии. 5-и верстка. Шуберт. 1834 г.Описание Санкт-Петербургской губернии по уездам и станамСпецкарта западной части России Ф. Ф. Шуберта. 1844 г.Алфавитный список селений по уездам и станам С.-Петербургской губернииСписки населённых мест Российской Империи, составленные и издаваемые центральным статистическим комитетом министерства внутренних дел. XXXVII. Санкт-Петербургская губерния. По состоянию на 1862 год. СПб. 1864. С. 203Материалы по статистике народного хозяйства в С.-Петербургской губернии. Вып. IX. Частновладельческое хозяйство в Ямбургском уезде. СПб, 1888, С. 146, С. 2, 7, 54Положение о гербе муниципального образования Курское сельское поселениеСправочник истории административно-территориального деления Ленинградской области.Топографическая карта Ленинградской области, квадрат О-35-23-В (Хотыницы), 1930 г.АрхивированоАдминистративно-территориальное деление Ленинградской области. — Л., 1933, С. 27, 198АрхивированоАдминистративно-экономический справочник по Ленинградской области. — Л., 1936, с. 219АрхивированоАдминистративно-территориальное деление Ленинградской области. — Л., 1966, с. 175АрхивированоАдминистративно-территориальное деление Ленинградской области. — Лениздат, 1973, С. 180АрхивированоАдминистративно-территориальное деление Ленинградской области. — Лениздат, 1990, ISBN 5-289-00612-5, С. 38АрхивированоАдминистративно-территориальное деление Ленинградской области. — СПб., 2007, с. 60АрхивированоКоряков Юрий База данных «Этно-языковой состав населённых пунктов России». Ленинградская область.Административно-территориальное деление Ленинградской области. — СПб, 1997, ISBN 5-86153-055-6, С. 41АрхивированоКультовый комплекс Старые Смолеговицы // Электронная энциклопедия ЭрмитажаПроблемы выявления, изучения и сохранения культовых комплексов с каменными крестами: по материалам работ 2016-2017 гг. в Ленинградской области