[WEB SECURITY] The Marquee Tag and XSS

Ofer Shezaf ofer at shezaf.com
Wed Jan 14 03:54:43 EST 2009


I agree, but as you said it is not specific to marquee. Any HTML tag would


<div style="width: expression(alert('XSS'));">Foobar</div> 

or <p style="width: expression(alert('XSS'));">Foobar</p>


I guess I should rephrase that: every HTML tag in the input poses some
security risk, and therefore my recommendation to block all tags if the
application does not need HTML input is important.


Saying that, the way to detect using signatures the attack vector you bring
up is using the element vital to the attack: the expression in styles feature
in IE.


~ Ofer


Ofer Shezaf [shezaf at xiom.com, +972-54-4431119, www.xiom.com]


From: Ory Segal [mailto:SEGALORY at il.ibm.com] 
Sent: Wednesday, January 14, 2009 9:58 AM
To: Ofer Shezaf
Cc: WebSecurity
Subject: Re: [WEB SECURITY] The Marquee Tag and XSS



Did you consider the following injection vector: 

<marquee style="width: expression(alert('XSS'));">Foobar</marquee> 

Seems to be working well on my MS IE 7.0.5730.13 

I guess it has nothing to do with "marquee" in specific, but still, I think
it's worth remembering. 



From: Ofer Shezaf <ofer at shezaf.com>
To: WebSecurity <websecurity at webappsec.org>
Sent: 01/13/2009 07:41 PM
Subject: [WEB SECURITY] The Marquee Tag and XSS



A recent post in the ModSecurity mailing list
(<http://permalink.gmane.org/gmane.comp.apache.mod-security.user/5745>)
prompted me to discuss a prevailing misconception regarding XSS protection.
The poster requests a ModSecurity rule to block several HTML tags including
"<li>" and "<marquee>". However, while commonly associated with XSS, those
are HTML tags that are not normally part of an XSS attack. While the HTML
payload, even if not a script, can deface the attacked site, these tags
don't have more of a role in defacement than any other input. Some HTML tags
such as "<div>" may be beneficial to defacement by enabling larger changes
on the defaced page, but "li", "ul" and "marquee" seem pretty harmless to

Saying that, it might be prudent to block any HTML tag as there might be an
XSS attack vector yet unknown that will take advantage of them, but then you
would want to block every HTML tag, not just those listed. Can you block all
HTML tags? Keep in mind that in many applications, mainly interactive ones,
HTML input is valid and useful. If not, you may be able to just block "<"
entirely to gain another layer of security.

"Marquee" is worth a special note: while you can find it sometimes in XSS
vectors posted on the web, it is not part of the attack but rather part of
the demo payload. We often see posted on the web attack vector such as this:


The reason is that if the attack succeeds the resulting injected HTML would
scroll. However, the keyword "marquee" is immaterial to the attack and would
never be used in a real attack. I once heard a good story from a pen-tester
who found an XSS bug in an application and, to prove it, opened a dialog saying
"Gotcha!". He presented the results to the organization and the developers
promised to fix the issue. When he was back a fortnight later to examine the
fix, he found out that the developers checked the input for the word
"Gotcha!". Marquee is not much different in this sense than Gotcha!

(blogged: <http://blog.xiom.com/signatures-marquee>)

~ Ofer

Ofer Shezaf
shezaf at xiom.com, +972-54-4431119

Founder, Xiom.com, Proactive Web Application Security,
<http://www.xiom.com/> http://www.xiom.com
Chairman, OWASP Israel 
Leader, WASC Web Hacking Incidents Database Project
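
An added example (mine, not code from the thread) that contrasts the signature choices discussed above in Python: the tag blocklist requested on the ModSecurity list, a match on the demo payload (the "Gotcha!" mistake), a signature on the element vital to the attack (IE's CSS expression()), and blocking "<" outright for applications that need no HTML input. The three expression() vectors are the ones quoted in the thread; the two evasion variants, the eval(name) payload and the benign inputs are constructed here for illustration, as is the simplification of entity-decoding the whole string rather than only attribute values.

```python
"""Where to put the signature for the expression() vector in the thread.

Four strategies are run over constructed samples:
  1. tag_blocklist        - block <li>, <ul>, <marquee>, as asked on the ModSecurity list
  2. payload_string       - match the demo payload alert('XSS'), the "Gotcha!" mistake
  3. expression_signature - match the element vital to the attack, IE's CSS expression()
  4. block_lt             - reject any "<", for applications that need no HTML input
"""
import html
import re

# Constructed samples. The three expression() vectors are the ones quoted in the
# thread; the evasions and benign inputs are made up here for illustration.
SAMPLES = {
    "marquee_expr":    "<marquee style=\"width: expression(alert('XSS'));\">Foobar</marquee>",
    "div_expr":        "<div style=\"width: expression(alert('XSS'));\">Foobar</div>",
    "p_expr":          "<p style=\"width: expression(alert('XSS'));\">Foobar</p>",
    # CSS comment splitting the keyword (IE-era cheat-sheet trick)
    "comment_evasion": "<img style=\"xss:expr/*XSS*/ession(alert('XSS'))\">",
    # HTML entity inside the keyword plus whitespace before "("
    "entity_evasion":  "<div style=\"width: expr&#101;ssion (alert('XSS'))\">x</div>",
    # same vector, different payload: no alert(), no 'XSS' string
    "no_alert":        "<div style=\"width: expression(eval(name));\">x</div>",
    "benign_marquee":  "<marquee>Sale ends Friday</marquee>",
    "benign_list":     "<ul><li>one</li><li>two</li></ul>",
    "benign_text":     "Nothing to see here, 1 < 2 though",
}
ATTACKS = {"marquee_expr", "div_expr", "p_expr", "comment_evasion", "entity_evasion", "no_alert"}
BENIGN = set(SAMPLES) - ATTACKS

TAG_BLOCKLIST = re.compile(r"<\s*/?\s*(li|ul|marquee)\b", re.I)
PAYLOAD_STRING = re.compile(r"alert\s*\(\s*['\"]xss['\"]", re.I)
EXPRESSION_SIG = re.compile(r"expression\s*\(", re.I)
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(s: str) -> str:
    """Approximate what reaches IE's CSS parser: the HTML parser decodes entities in
    attribute values and CSS discards comments, so both are undone before matching.
    Decoding the whole string instead of only attribute values is a simplification."""
    return CSS_COMMENT.sub("", html.unescape(s))


def tag_blocklist(s: str) -> bool:
    return bool(TAG_BLOCKLIST.search(s))


def payload_string(s: str) -> bool:
    return bool(PAYLOAD_STRING.search(s))


def expression_signature(s: str) -> bool:
    return bool(EXPRESSION_SIG.search(normalize(s)))


def block_lt(s: str) -> bool:
    return "<" in s


DETECTORS = {
    "tag_blocklist": tag_blocklist,
    "payload_string": payload_string,
    "expression_signature": expression_signature,
    "block_lt": block_lt,
}


def evaluate(samples=SAMPLES):
    """Map each detector name to the set of sample names it flags."""
    return {name: {k for k, v in samples.items() if fn(v)} for name, fn in DETECTORS.items()}


def score(results, attacks=ATTACKS, benign=BENIGN):
    """Map each detector to (missed attacks, false positives on benign input)."""
    return {name: (attacks - flagged, flagged & benign) for name, flagged in results.items()}


if __name__ == "__main__":
    for name, (missed, fps) in score(evaluate()).items():
        print(f"{name:22s} missed={sorted(missed)} false_positives={sorted(fps)}")
```

Running it prints, per strategy, which constructed attacks were missed and which benign inputs were flagged: the tag blocklist catches only the marquee variant of the three quoted vectors while blocking a harmless list, the payload match dies as soon as the payload changes, the expression() signature catches all six attacks with no false positives, and blocking "<" catches everything at the cost of rejecting all HTML and even "1 < 2".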
