Wednesday, December 13, 2006

Xhtml XSS exploit

A few days ago I was discussing the security of our company's new webframework with Eamon. This framework is by design quite XSS-safe. Because the whole website is XML based we need to use XML everywhere. And if we take the user input as XHTML instead of HTML it's much easier to make sure it's valid. And it's very easy to clear a valid XHTML fragment of XSS attacks (by only allowing reasonable tags, and doing some filtering on valid urls).

But there's one pitfall. Since some browsers (looking at you MSIE) don't understand XHTML we need to serve the pages as text/html. If we now choose to serve the XHTML as is we might run into some trouble. Since XHTML allows some constructs which mean nothing in HTML we might be able to create a valid and safe XHTML document, which isn't safe if served as HTML. For instance, this is a possible attack vector.

<![CDATA[ >
<script src=""></script>
< ]]>

But since I'm not that skilled in XML, I don't know all possible constructs. But it might also be possible to do nasty things with namespaces for instance (let's say the script namespace). If anyone has additional attack vectors i'm very interested :)


Eamon Nerbonne said...

Clearly, you mean that input is taken as XHTML instead of as HTML... right?

Mark IJbema said...

Ehm, yes, of course, fixed it. Thanks for the comment ;)

Anonymous said...

Nice fill someone in on and this mail helped me alot in my college assignement. Thank you seeking your information.

Anonymous said...

Brim over I to but I dream the list inform should have more info then it has.