[WEB SECURITY] The Marquee Tag and XSS

Ory Segal SEGALORY at il.ibm.com
Wed Jan 14 02:58:23 EST 2009


Hey,

Did you consider the following injection vector:

<marquee style="width: expression(alert('XSS'));">Foobar</marquee>

Seems to be working well on my MS IE 7.0.5730.13

I guess it has nothing to do with "marquee" in specific, but still, I 
think it's worth remembering.

-Ory





From: Ofer Shezaf <ofer at shezaf.com>
To: WebSecurity <websecurity at webappsec.org>
Date: 01/13/2009 07:41 PM
Subject: [WEB SECURITY] The Marquee Tag and XSS



A recent post in the ModSecurity mailing list
(http://permalink.gmane.org/gmane.comp.apache.mod-security.user/5745)
prompted me to discuss a prevailing misconception regarding XSS protection.
The poster requests a ModSecurity rule to block several HTML tags, including
"<li>" and "<marquee>". However, while commonly associated with XSS, those are
HTML tags that are not normally part of an XSS attack. While the HTML payload,
even if not a script, can deface the attacked site, these tags don't have more
of a role in defacement than any other input. Some HTML tags such as "<div>"
may be beneficial to defacement by enabling larger changes on the defaced page,
but "li", "ul" and "marquee" seem pretty harmless to me.

Having said that, it might be prudent to block any HTML tag, as there might be
an XSS attack vector yet unknown that will take advantage of them, but then you
would want to block every HTML tag, not just those listed. Can you block all
HTML tags? Keep in mind that in many applications, mainly interactive ones,
HTML input is valid and useful. If not, you may be able to just block "<"
entirely to gain another layer of security.

"Marquee" is worth a special note: while you can find it sometimes in XSS
vectors posted on the web, it is not part of the attack but rather part of the
demo payload. We often see attack vectors such as this posted on the web:

                 '">><marquee><h1>XSS</h1></marquee>

The reason is that if the attack succeeds, the resulting injected HTML would
scroll. However, the keyword "marquee" is immaterial to the attack and would
never be used in a real attack. I once heard a good story from a pen-tester who
found an XSS bug in an application and, to prove it, opened a dialog saying
"Gotcha!". He presented the results to the organization and the developers
promised to fix the issue. When he was back a fortnight later to examine the
fix, he found out that the developers checked the input for the word "Gotcha!".
Marquee is not much different in this sense than Gotcha!

(blogged: http://blog.xiom.com/signatures-marquee)

~ Ofer

Ofer Shezaf
shezaf at xiom.com, +972-54-4431119

Founder, Xiom.com, Proactive Web Application Security, http://www.xiom.com
Chairman, OWASP Israel 
Leader, WASC Web Hacking Incidents Database Project
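An added example, not from either message in this thread, that puts the three approaches discussed side by side: a tag-name blocklist of the kind the ModSecurity poster asked for, the "block any <" rule Ofer mentions as a last resort, and output encoding. The sample inputs are the two payloads quoted in the thread plus constructed legitimate input; function and constant names are my own.

```python
import html
import re

# Constructed sample inputs. The first two are the payloads quoted in the
# thread; the others are legitimate input a filter should not break.
DEMO_PAYLOAD = "'\">><marquee><h1>XSS</h1></marquee>"
EXPRESSION_PAYLOAD = (
    "<marquee style=\"width: expression(alert('XSS'));\">Foobar</marquee>"
)
# Same demo payload with the "immaterial" keyword simply dropped.
DEMO_PAYLOAD_NO_MARQUEE = DEMO_PAYLOAD.replace("<marquee>", "").replace("</marquee>", "")
LEGIT_LIST = "<ul><li>first</li><li>second</li></ul>"   # valid HTML input
PLAIN_TEXT = "5 < 6 and 7 > 3"                          # no markup at all

# Tag names the poster wanted a rule for (hypothetical blocklist).
TAG_BLOCKLIST = {"li", "marquee"}
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def tag_blocklist_filter(value, blocked=TAG_BLOCKLIST):
    """Signature approach: reject input containing a blocklisted tag name.
    Returns True when the input would be rejected."""
    return any(m.group(1).lower() in blocked for m in TAG_RE.finditer(value))


def reject_markup(value):
    """Ofer's last-resort rule for fields that never need HTML: reject any '<'.
    Note it also rejects harmless text such as '5 < 6'."""
    return "<" in value


def encode_for_html(value):
    """Output encoding: '<', '>', '"' and "'" become entities, so the browser
    renders the text and never parses a tag or breaks out of an attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, sample in (("demo", DEMO_PAYLOAD), ("expression", EXPRESSION_PAYLOAD),
                          ("no-marquee", DEMO_PAYLOAD_NO_MARQUEE),
                          ("legit list", LEGIT_LIST), ("plain", PLAIN_TEXT)):
        print(f"{label:11} blocklist={tag_blocklist_filter(sample)!s:5} "
              f"no-'<'={reject_markup(sample)!s:5} encoded={encode_for_html(sample)}")
```

The blocklist catches both quoted payloads only because they happen to contain "marquee", misses the same demo payload once that word is removed, and rejects a legitimate list; encoding leaves nothing for the browser to parse in any of them.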
