web application security lab

Forgetting Global Replace XSS Woes

One of the most common things I hear people say when they are writing Perl programs is to remember to use the taint flag. I’ve always been one of those guys who knows enough not to leave strings un-cleansed, and I never really saw the value in it. Firstly, it doesn’t tell you whether something is vulnerable or not; it simply tells you that you are using a value before making sure it’s clean. That in and of itself may be of some use to some people, but I think it gives you a false sense of security in a lot of ways. For instance, let’s take this snippet of code:

$var =~ s/"/&quot;/;
$var =~ s/</&lt;/;
$var =~ s/>/&gt;/;

That would seem, at first blush, to stop three characters (the open and close angle brackets and the double quote) from appearing in $var. Alas, it is missing one obvious thing that would have protected it: the “g” flag at the end of each substitution, which would have replaced every occurrence in the string rather than only the first. It’s a silly thing to forget, given that the code is clearly designed to stop XSS. So what is it vulnerable to? Let’s look at how $var is output:

print '<INPUT TYPE="TEXT" value="', $var, '">';

So what it is vulnerable to is simply doubling up each character, so that the second copy survives the single replacement:

"">><<script>alert("XSS")</script>

Turns into:

<INPUT TYPE="TEXT" value="&quot;"&gt;>&lt;<script>alert("XSS")</script>">

Pretty silly vector, but it works like a charm. But who would be stupid enough to mess up something this simple? Yup, you guessed it, me! That’s what I get for using old scripts from 1995, written long before XSS was really understood and before I knew much about programming. Thank you to zeroknock for finding the issue and letting me know. See? Everyone makes mistakes!
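As an added illustration that is not part of the original post, the following Perl puts the non-global escaping beside a corrected version and runs both over the post’s doubled-character vector. The corrected version also goes one step beyond the post by escaping “&” first, so that entities already present in the input are not double-encoded; the function names and the has_unescaped_markup check are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escaping as in the post: one substitution each, without /g, so only
# the first occurrence of each character is rewritten.
sub escape_first_only {
    my ($var) = @_;
    $var =~ s/"/&quot;/;
    $var =~ s/</&lt;/;
    $var =~ s/>/&gt;/;
    return $var;
}

# Corrected version: /g on every substitution, and '&' handled first so
# that an existing entity such as &lt; is not turned into &amp;lt;.
sub escape_all {
    my ($var) = @_;
    $var =~ s/&/&amp;/g;
    $var =~ s/"/&quot;/g;
    $var =~ s/</&lt;/g;
    $var =~ s/>/&gt;/g;
    return $var;
}

# Defender's check for an attribute value: does any raw double quote or
# angle bracket survive the escaping?
sub has_unescaped_markup {
    my ($s) = @_;
    return ($s =~ /["<>]/) ? 1 : 0;
}

# Constructed input: the doubled-character vector from the post.
my $payload = '"">><<script>alert("XSS")</script>';

for my $pair ([ 'no /g', \&escape_first_only ], [ 'with /g', \&escape_all ]) {
    my ($label, $escape) = @$pair;
    my $out = $escape->($payload);
    print "[$label]\n";
    print '<INPUT TYPE="TEXT" value="', $out, '">', "\n";
    print '  raw markup survives: ', (has_unescaped_markup($out) ? 'yes' : 'no'), "\n";
}
```

The first loop iteration reproduces the broken tag shown above, while the second leaves no raw quote or bracket inside the attribute.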

5 Responses to “Forgetting Global Replace XSS Woes”

  1. zeno Says:

    You are so owned!!!!!!!! ;p

    - zeno
    http://www.cgisecurity.com/

  2. Spider Says:

    That makes so much more sense than it did in the rss reader I have. Your perl rendered as

    $var =~ s/”/”/;
    $var =~ s//>/;

    Rather than preserving the html entities.

  3. christ1an Says:

    Taint checking yeah… second time I read that term today. There have been some discussions on implementing taint mode in PHP but actually I’m not sure whether I like that idea.

  4. Chris_B Says:

    Cute! I guess I’m lucky that when I was writing syslog analyzers/report generators that I got into the habit of the trailing g after making that same sort of mistake too many times myself.

  5. ha.ckers.org web application security lab - Archive » Fixing XSS Can Cause Command Injection Says:

    […] ha.ckers.org web application security lab - Archive » Fixing XSS Can Cause Command Injection « Forgetting Global Replace XSS Woes […]