I have found a XSS vector inside html noscript tags. It is very simple and easy. This attack method is not new as it is already discussed in the context of other html tags such as title, textarea, style, etc.
For understanding this attack, first lets compose a simple html file with the following contents:
<noscript>
<script>alert('XSS')</script>
</noscript>
Then lets run this file in your browser (Example – noscript.html). You would notice that it won’t execute the javascript to show an alert box. The reason being:
- If you have javascript enabled, then any content inside noscript tags does not get parsed. Check the standards here.
- If you don’t have javascript enabled, then content inside noscript tags will be parsed. However, since javascript content is globally disabled, the javascript code inside noscript tags won’t execute as well.
So, then the only way left to execute our malicious XSS inside noscript html tags is to come out of the noscript tag using </noscript> and then use our simple XSS vector. Also, you should add the html comments start tag at the end to prevent any html parser errors. The complete attack vector looks like this:
"></noscript><script>alert('XSS')</script><!--
I have seen some real world examples where this attack is possible. It looks like that Developers have a false illusion in their minds that it is not required to escape user supplied content inside noscript html tags. This posting should help to open some eyes.
The example code given below comes from the html page of a mid-size company that aims to put the world wide web offline. Despite several attempts to contact the site owner, I have not received any response. Since this vulnerability still exists, I have removed the site’s name from the various images below.
1. Javascript content inside title tag is escaped.
2. Javascript content inside input tag is escaped.
3. Javascript content inside noscript tag is NOT escaped.
![[del.icio.us]](/wp-content/plugins/bookmarkify/delicious.png)
![[Digg]](/wp-content/plugins/bookmarkify/digg.png)
![[Facebook]](/wp-content/plugins/bookmarkify/facebook.png)
![[Google]](/wp-content/plugins/bookmarkify/google.png)
![[LinkedIn]](/wp-content/plugins/bookmarkify/linkedin.png)
![[Reddit]](/wp-content/plugins/bookmarkify/reddit.png)
![[StumbleUpon]](/wp-content/plugins/bookmarkify/stumbleupon.png)
![[Technorati]](/wp-content/plugins/bookmarkify/technorati.png)
![[Twitter]](/wp-content/plugins/bookmarkify/twitter.png)
![[Yahoo!]](/wp-content/plugins/bookmarkify/yahoo.png)
Tags: HTML, Javascript, Noscript, XSS
Encoding will work. Nice work.