Nested HTML is not sanitized - <<img=""/>img src=1 onerror=alert('XSS');>


Vicente Villegas Larios

Nov 7, 2017, 2:13:22 PM11/7/17
to OWASP Java HTML Sanitizer Support

I'm wondering if this is an OWASP bug.


Using the following XSS, it looks like the OWASP sanitizer didn't remove all the dangerous scripts.

<<img=""/>img src=1 onerror=alert('XSS');>


This is the result after running the sanitizer:

<img src=1 onerror=alert('XSS');>


Is that a bug? Or do I need to do something else to sanitize the content? I'm thinking that I have to call the sanitizer from a "loop", but this is not a good idea because it could end up in an endless loop. (I can avoid that endless loop, but this feels more like an OWASP bug.)


Thank you for your help!!



-- Vicente

Mike Samuel

Nov 7, 2017, 2:20:47 PM11/7/17
to Vicente Villegas Larios, OWASP Java HTML Sanitizer Support
On Tue, Nov 7, 2017 at 1:57 PM, Vicente Villegas Larios
<cei...@gmail.com> wrote:
> I'm wondering if this is an OWASP bug.
>
>
> Using the following XSS, it looks like the OWASP sanitizer didn't remove all the
> dangerous scripts.
>
> <<img=""/>img src=1 onerror=alert('XSS');>
>
>
> This is the result after running the sanitizer:
>
> <img src=1 onerror=alert('XSS');>

I'm getting a different result.
The unit test below passes:

assertEquals(
    "&lt;img src&#61;1 onerror&#61;alert(&#39;XSS&#39;);&gt;",
    Sanitizers.IMAGES.sanitize("<<img=\"\"/>img src=1 onerror=alert('XSS');>"));

This looks like the result you report but HTML encoded.
Where are you seeing the result you reported? Is it in text viewed in
a browser?



>
> Is that a bug? Or do I need to do something else to sanitize the content?
> I'm thinking that I have to call the sanitizer from a "loop", but this is
> not a good idea because it could end up in an endless loop. (I can avoid
> that endless loop, but this feels more like an OWASP bug.)

If you do see that unencoded result with a different policy, that would be a
bug with security consequences. Please report those kinds of violations via
https://bugcrowd.com/owaspjavasanitizer where you'll be eligible for
a bounty, and where we can work on having a fix ready before making
the vulnerability public.


>
> Thank you for your help!!
>
>
>
> -- Vicente
>
> --
> You received this message because you are subscribed to the Google Groups
> "OWASP Java HTML Sanitizer Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to owasp-java-html-saniti...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Jim Manico

Nov 7, 2017, 3:36:43 PM11/7/17
to owasp-java-html-...@googlegroups.com, Vicente Villegas Larios
Can we get more details?

1) What sanitizer version are you using?
2) What does your policy look like?
3) What does the before and after input look like to you?

Aloha,
--
Jim Manico
@Manicode

Jim Manico

Nov 7, 2017, 9:30:30 PM11/7/17
to owasp-java-html-...@googlegroups.com, Vicente Villegas Larios

Can you please report this on GitHub so we can track it?

Aloha, Jim


Mike Samuel

Nov 8, 2017, 3:09:56 PM11/8/17
to OWASP Java HTML Sanitizer Support, Vicente Villegas Larios
On Tue, Nov 7, 2017 at 9:30 PM, Jim Manico <jim.m...@owasp.org> wrote:
> Can you please report this on GitHub so we can track it?

Vicente was kind enough to report it via bugcrowd where it was
determined to be a false positive.

Vicente Villegas Larios

Nov 8, 2017, 4:59:00 PM11/8/17
to Mike Samuel, OWASP Java HTML Sanitizer Support
Hello all,

Sorry for the delay in my answers.

I'm getting the same result as you, but in my case we are unescaping the HTML (which is leading to the vulnerability). It is easily fixed in my function by just calling the sanitizer again, but I was thinking that the call to "Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).sanitize(XSS).trim();" should remove all the dangerous JS; instead it is just escaping it. That's why I was thinking this was an OWASP bug.

Thank you all for your help!!!

-- Vicente Villegas

PS. Let me know if you still want me to report this in GitHub

On Wed, Nov 8, 2017 at 2:09 PM, Mike Samuel <mikes...@gmail.com> wrote:
On Tue, Nov 7, 2017 at 9:30 PM, Jim Manico <jim.m...@owasp.org> wrote:
> Can you please report this on GitHub so we can track it?

Vicente was kind enough to report it via bugcrowd where it was
determined to be a false positive.


> Aloha, Jim
>
>
> On 11/7/17 10:57 AM, Vicente Villegas Larios wrote:
>
> I'm wondering if this is an OWASP bug.
>
>
> Using the following XSS, it looks like the OWASP sanitizer didn't remove all the
> dangerous scripts.
>
> <<img=""/>img src=1 onerror=alert('XSS');>
>
>
> This is the result after running the sanitizer:
>
> <img src=1 onerror=alert('XSS');>
>
>
> Is that a bug? Or do I need to do something else to sanitize the content?
> I'm thinking that I have to call the sanitizer from a "loop", but this is
> not a good idea because it could end up in an endless loop. (I can avoid
> that endless loop, but this feels more like an OWASP bug.)
>
>
> Thank you for your help!!
>
>
>
> -- Vicente
>

Mike Samuel

Nov 8, 2017, 5:05:48 PM11/8/17
to Vicente Villegas Larios, OWASP Java HTML Sanitizer Support


On Nov 8, 2017 4:59 PM, "Vicente Villegas Larios" <cei...@gmail.com> wrote:
Hello all,

Sorry for the delay in my answers.

I'm getting the same result as you, but in my case we are unescaping the HTML (which is leading to the vulnerability). It is easily fixed in my function by just calling the sanitizer again, but I was thinking that the call to "Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).sanitize(XSS).trim();" should remove all the dangerous JS; instead it is just escaping it. That's why I was thinking this was an OWASP bug.

One thing to keep in mind is that <<img> is a less-than sign followed by a tag. The sanitizer isn't escaping any tags, just making sure that text nodes present in the input are consistently escaped.
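The ordering problem the thread settles on, shown as an added example that is not part of the thread and not code from the OWASP Java HTML Sanitizer project: the same input passed through the policy Vicente quoted, once as-is, once with an entity decode run after the sanitizer (his pipeline), and once with the decode run before it. The class name, the method names and the small htmlDecode helper are assumptions made here; htmlDecode is a constructed stand-in for whatever unescape routine the application calls, and it only knows the entities the sanitizer emits for this input. It assumes owasp-java-html-sanitizer is on the classpath.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SanitizeOrderingDemo {

    // The input from the thread: a bare "<" text character followed by a tag whose
    // name is img="" (dropped by every policy here), followed by plain text.
    static final String INPUT = "<<img=\"\"/>img src=1 onerror=alert('XSS');>";

    // The policy quoted in the thread; neither FORMATTING nor BLOCKS allows <img>.
    static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

    /** Sanitize once: disallowed tags are removed, text nodes are entity-encoded. */
    static String sanitizeOnly(String untrusted) {
        return POLICY.sanitize(untrusted).trim();
    }

    /** The ordering from the thread that breaks: decoding entities AFTER the policy
     *  has run turns the inert text "&lt;img ...&gt;" back into live markup that the
     *  policy never saw. */
    static String sanitizeThenUnescape(String untrusted) {
        return htmlDecode(sanitizeOnly(untrusted));
    }

    /** Safe ordering when content must be decoded at all: decode first, so that
     *  whatever the decode produces is still subject to the policy. */
    static String unescapeThenSanitize(String encoded) {
        return sanitizeOnly(htmlDecode(encoded));
    }

    /** Constructed minimal entity decoder (stand-in for the application's unescape).
     *  Handles the named entities and numeric references used in this example. */
    static String htmlDecode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        int i = 0;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (c == '&') {
                int semi = s.indexOf(';', i);
                if (semi > i) {
                    String replacement = decodeEntity(s.substring(i + 1, semi));
                    if (replacement != null) {
                        out.append(replacement);
                        i = semi + 1;
                        continue;
                    }
                }
            }
            out.append(c);
            i++;
        }
        return out.toString();
    }

    static String decodeEntity(String entity) {
        switch (entity) {
            case "lt":   return "<";
            case "gt":   return ">";
            case "amp":  return "&";
            case "quot": return "\"";
            default:
                try {
                    if (entity.startsWith("#x") || entity.startsWith("#X")) {
                        return new String(Character.toChars(Integer.parseInt(entity.substring(2), 16)));
                    }
                    if (entity.startsWith("#")) {
                        return new String(Character.toChars(Integer.parseInt(entity.substring(1))));
                    }
                } catch (IllegalArgumentException e) {
                    // unknown or malformed reference: leave it as literal text
                }
                return null;
        }
    }

    public static void main(String[] args) {
        String once = sanitizeOnly(INPUT);
        System.out.println("1. sanitize only:            " + once);
        System.out.println("2. sanitize, then unescape:  " + sanitizeThenUnescape(INPUT));
        // Case 3 treats the encoded output as content that came back from storage and
        // has to be decoded before use: decode first, then let the policy decide.
        System.out.println("3. unescape, then sanitize:  " + unescapeThenSanitize(once));
    }
}
```

Case 1 reproduces the entity-encoded string from Mike's unit test, which is harmless text when rendered. Case 2 reproduces what Vicente observed: the decode runs after the policy, so the escaped text becomes a live <img> with an onerror handler, and no sanitizer can be blamed for a transformation applied to its output. In case 3 the decoded <img> is an element the FORMATTING+BLOCKS policy does not allow, so it is removed before anything reaches the page. The general rule the thread arrives at is that the sanitizer must be the last step before the markup is emitted; any decoding, trimming or templating that can reintroduce "<" belongs before it.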