Wednesday, 31 December 2014

// // Leave a Comment

How Can We Bypass HTMLEntities Tutorial


How Can We Bypass HTMLEntities Tutorial ?
The Security researcher Paulos Yibelo share with HAOW that how he bypassing htmlentities().
Well I don’t know how to break it down for you, you just can’t (if the function is used properly and exactly where it should). But it’s more probable that most developers don’t use it the right way, since it’s like a norm for some developers to not use built-in functions properly :P. So I will talk about some of the cases I came up while pentesting. htmlentities() and htmlspecailchars() are functions mainly developed to filter out cross site scripting attacks.

But I can promise you that you can build a better function if your user input is massive since that’s when most exploitation scenarios begin. How? Well, the functions html entity the characters < , > “ and ‘. So without those there seems there is no XSS. Or isn’t really? Well, I can think of one. Something like javascript:alert(1); will be executed since none of the characters in it are filtered to be html entityed… but there is a limitation to this. Without using “> or any similar technique we will not be able to break out of the attribute we are inside.


Also the value attribute in html is not vulnerable since it only accepts strings and well we need scripts that can execute… something like href, onclick would do… but who would put such a foolish mistake right? Well you wouldn’t believe if I told you even big companies like Facebook does.
Have a code like?

                               print '<img src="'.htmlentities("$url").”';
or even   

          print "<a href='".htmlentities($url)."'>Click Here</a>"; 

“javascript:alert(1);” will bypass it because it doesn’t contain the characters that will be filtered. But notice a limitation here? Our code will only execute if user clicks the Click Here button. So that’s a huge limitation. Or is it? The html code will become something like
 

             <a href='javascript:alert(1);'>Click Here</a>

 But we need to break out of the href tag and execute a more malicious javascript. But how? If we try to break out of it using ‘> it won’t work since both those characters are filtered out… and the code will become something like


<a href='javascript:alert(1);&quot;&gt;'>Click Here</a>

Right? Well not exactly. Htmlentities comes with single quote ( ‘ ) not filtered by default and you have to specify a special switch called ENT_QUOTES to declare that. So the real output when values like “javascript:alert(1);’>” is given

<a href='javascript:alert(1);'&gt;'>Click Here</a>

A hope! We broke out of the attribute so giving values like

javascript:alert(1);’ onfocus=alert(1); autofocus

will output html source like
 

0 comments:

Post a Comment