Why context sensitive escaping?


Hippo

Mar 5, 2018, 2:25:53 PM
to null
OWASP recommends [1] that context-sensitive encoding needs to be done. Please help me in getting a couple of strong "code examples" on why context sensitive based encoding needs to be done and why HTML encoding alone won't help in those cases?

I know that it can help for unquoted attributes (this is also explained in [2]), but for now let us assume that the entire world is using quoted attributes [I know it's impossible but just let's assume :/]. Can you help me by providing two more examples where HTML encoding will not help and leads to XSS attacks which would be prevented if we had used context-sensitive encoding?

[1] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[2] Will HTML Encoding prevent all kinds of XSS attacks?

N. V. R. K. RAJU

Mar 7, 2018, 11:37:11 PM
to null-co-in@googlegroups.com
Let's assume a JavaScript accepting a user value into its script variable. In the case of HTML encoding, the ;alert(1); cannot be prevented. That's just one case.

Regards,
Venkata Neelakantam

--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
Visit this group at https://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.

karniv0re

Mar 9, 2018, 1:58:36 PM
to null
Context is extremely important when it comes to understanding what kind of payloads will slip by.

This is a very good article in understanding possible contexts in HTML/JS

Also, as Raju mentioned in his example, HTML encoding will not protect you if the injection is inside a "script" context. User input ;alert(1);// will trigger an alert as a PoC.
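
The script-context case described in the two replies above, as an added example that is not part of any post in the thread: the same request value is placed into a `<script>` block once with HTML encoding and once with JavaScript string encoding, and each generated script body is run against a stub `alert`. The templates, function names and the leading `7` in the input (added so the generated statement parses) are assumptions made for illustration.

```javascript
// Added example; templates, function names and input are constructed for illustration.

// HTML entity encoding: correct for HTML body and quoted attribute contexts.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string encoding as the OWASP cheat sheet describes for JS data values:
// every non-alphanumeric character becomes \xHH (or \uHHHH above 0xFF).
function jsStringEncode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i); // one UTF-16 code unit at a time
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (code < 0x100) out += '\\x' + code.toString(16).toUpperCase().padStart(2, '0');
    else out += '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// Hypothetical server-side templates that place a request value in a <script> block.
const withHtmlEncoding = (v) => `var id = ${htmlEncode(v)}; return id;`;
const withJsEncoding = (v) => `var id = '${jsStringEncode(v)}'; return id;`;

// Run a generated script body with a stub alert() and report what happened.
function run(body) {
  let alerts = 0;
  const value = new Function('alert', body)(() => { alerts += 1; });
  return { alerts, value };
}

// Constructed input: a numeric id followed by the PoC quoted in the thread.
const input = '7;alert(1);//';

function demo() {
  return {
    htmlEncoded: htmlEncode(input),            // unchanged: no HTML metacharacters in it
    htmlResult: run(withHtmlEncoding(input)),  // alert stub is called once
    jsResult: run(withJsEncoding(input)),      // input stays inert string data
  };
}

console.log(demo());
```

Because the JavaScript encoder also escapes `<`, `/` and `>`, a value containing `</script>` cannot close the surrounding script block either.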

TAS

Mar 10, 2018, 2:38:39 AM
to null-...@googlegroups.com
You can try different payloads to understand the same on the following link

