[WEB SECURITY] The Marquee Tag and XSS

Ory Segal SEGALORY at il.ibm.com
Wed Jan 14 02:58:23 EST 2009


Did you consider the following injection vector:

<marquee style="width: expression(alert('XSS'));">Foobar</marquee>

Seems to be working well on my MS IE 7.0.5730.13

I guess it has nothing to do with "marquee" specifically, but still, I 
think it's worth remembering.


Ofer Shezaf <ofer at shezaf.com>
WebSecurity <websecurity at webappsec.org>
01/13/2009 07:41 PM
[WEB SECURITY] The Marquee Tag and XSS

A recent post in the ModSecurity mailing list
prompted me to discuss a prevailing misconception regarding XSS.
The poster requests a ModSecurity rule to block several HTML tags, including
"<li>" and "<marquee>". However, while commonly associated with XSS, those
are HTML tags that are not normally part of an XSS attack. While the HTML
payload, even if not a script, can deface the attacked site, these tags
don't have more of a role in defacement than any other input. Some HTML 
such as "<div>" may be beneficial to defacement by enabling larger changes
on the defaced page, but "li", "ul" and "marquee" seem pretty harmless to

Having said that, it might be prudent to block any HTML tag as there might be 
XSS attack vector yet unknown that will take advantage of them, but then 
would want to block every HTML tag, not just those listed. Can you block 
HTML tags? Keep in mind that in many applications, mainly interactive 
HTML input is valid and useful. If not, you may be able to just block "<"
entirely to gain another layer of security.

"Marquee" is worth a special note: while you can find it sometimes in XSS
vectors posted on the web, it is not part of the attack but rather part of
the demo payload. We often see posted on the web attack vector such as 


The reason is that if the attack succeeds the resulting injected HTML 
scroll. However, the keyword "marquee" is immaterial to the attack and 
never be used in a real attack. I once heard a good story from a 
that found an XSS bug in an application and, to prove it, opened a dialog 
"Gotcha!". He presented the results to the organization and the 
promised to fix the issue. When he was back a fortnight later to examine 
fix, he found out that the developers checked the input for the word
"Gotcha!". Marquee is not much different in this sense than Gotcha!

(blogged: http://blog.xiom.com/signatures-marquee)

~ Ofer

Ofer Shezaf
shezaf at xiom.com, +972-54-4431119

Founder, Xiom.com, Proactive Web Application Security, http://www.xiom.com
Chairman, OWASP Israel 
Leader, WASC Web Hacking Incidents Database Project
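The following is an added illustration of the point made in both messages above, not code from either poster: a check that keys on the text of a known demo payload ("Gotcha!", "XSS", or the tag name "marquee") stops seeing the bug the moment the demo string changes, whereas a check on the dangerous construct itself (the IE `expression(` CSS vector Ory posted) or on any markup at all, plus output encoding for the HTML text context, does not depend on the demo text. The second payload string and the word list are constructed for this example.

```python
import html
import re

# Payload posted in the thread (IE-only CSS expression() inside a style attribute).
MARQUEE_EXPRESSION = (
    "<marquee style=\"width: expression(alert('XSS'));\">Foobar</marquee>"
)
# Constructed variant: identical construct, only the demo string changed,
# mirroring the "Gotcha!" story from the original post.
RENAMED_DEMO = (
    "<marquee style=\"width: expression(alert('Hello'));\">Foobar</marquee>"
)

# Demo strings that appear in the thread; constructed as a blocklist to show why it fails.
DEMO_WORDS = ("Gotcha!", "XSS")


def demo_word_check(value, words=DEMO_WORDS):
    """The anti-pattern from the thread: match the text of a known demo payload."""
    return any(w.lower() in value.lower() for w in words)


def css_expression_check(value):
    """Signature keyed on the construct that actually executes script in IE."""
    return re.search(r"expression\s*\(", value, re.IGNORECASE) is not None


def markup_check(value):
    """Where HTML input is not legitimate, reject any markup at all (block '<')."""
    return "<" in value


def render_as_text(value):
    """Primary defence: encode for the HTML text context; no keyword list needed."""
    return html.escape(value, quote=True)


def evaluate(value):
    """Run every check on one input and return the verdicts side by side."""
    return {
        "demo_word": demo_word_check(value),
        "css_expression": css_expression_check(value),
        "markup": markup_check(value),
        "rendered": render_as_text(value),
    }


if __name__ == "__main__":
    for name, payload in (("thread payload", MARQUEE_EXPRESSION),
                          ("renamed demo", RENAMED_DEMO)):
        print(name, evaluate(payload))
```

Running it shows the demo-word check flagging only the first payload, while the construct check, the markup check and the encoder treat both identically.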
