Ggthjy

Organic chemistry Iodoform Reaction

Are Warlocks Arcane or Divine?

Is there a good way to store credentials outside of a password manager?

Why are on-board computers allowed to change controls without notifying the pilots?

Would it be legal for a US State to ban exports of a natural resource?

Identify a stage play about a VR experience in which participants are encouraged to simulate performing horrific activities

Freedom of speech and where it applies

Superhero words!

Resetting two CD4017 counters simultaneously, only one resets

Why isn't KTEX's runway designation 10/28 instead of 9/27?

Is exact Kanji stroke length important?

How will losing mobility of one hand affect my career as a programmer?

Is there enough fresh water in the world to eradicate the drinking water crisis?

Did US corporations pay demonstrators in the German demonstrations against article 13?

What is Sitecore Managed Cloud?

How can I raise concerns with a new DM about XP splitting?

How to deal with or prevent idle in the test team?

Can I Retrieve Email Addresses from BCC?

Is a naturally all "male" species possible?

Visiting the UK as unmarried couple

node command while defining a coordinate in TikZ

Is the next prime number always the next number divisible by the current prime number, except for any numbers previously divisible by primes?

Invariance of results when scaling explanatory variables in logistic regression, is there a proof?

Simulating a probability of 1 of 2^N with less than N random bits

Is XSS in canonical link possible?

XSS triggered but chrome didn't show popup. What exactly was going on?Stored Cross-Site Scripting Without Parentheses or SpacesXSS using JSF**kA possible router XSS vulnerabilityDoubt Vulnerability XSSLink shortener that virtualizes link for reflected XSS?Is this XSS filter vulnerableIs it possible to perform a XSS attack in the title/subtitle of a webpage?How to stop JS from executing when passed in as a parameter to the URL? (no script tags)XSS using User Agent, Possible?How does OWASP ZAP find Reflected XSS?

13

1

During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).

It is visible in source code but javascript did not execute.

I also tried with onload event but same result.

Is there a way an attacker can use different payload to execute javascript ?

penetration-test xss

share|improve this question

edited yesterday

user101

asked yesterday

user101user101

1685

New contributor

user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  
  How about a >?
  
  – Bergi
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Bergi: Could you be more specific ?
  
  – user101
  19 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  You say that " is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?
  
  – Bergi
  19 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Bergi: No it does not. They are filtered out.
  
  – user101
  16 hours ago
  

  
  
  
  

add a comment | 

13

1

During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).

It is visible in source code but javascript did not execute.

I also tried with onload event but same result.

Is there a way an attacker can use different payload to execute javascript ?

penetration-test xss

share|improve this question

edited yesterday

user101

asked yesterday

user101user101

1685

New contributor

user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  
  How about a >?
  
  – Bergi
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Bergi: Could you be more specific ?
  
  – user101
  19 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  You say that " is not properly escaped in the link tag attribute. Does it also accept > or < without transforming it to an entity reference?
  
  – Bergi
  19 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Bergi: No it does not. They are filtered out.
  
  – user101
  16 hours ago
  

  
  
  
  

add a comment | 

During regular pentesting of my site I discovered that I can close double quotes in a canonical link tag and enter an onerror attribute with a simple javascript alert(1).

It is visible in source code but javascript did not execute.

I also tried with onload event but same result.

Is there a way an attacker can use different payload to execute javascript ?

penetration-test xss

share|improve this question

edited yesterday

user101

asked yesterday

user101user101

1685

New contributor

user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited yesterday

user101

asked yesterday

user101user101

1685

New contributor

user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited yesterday

user101

asked yesterday

user101user101

1685

New contributor

user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked yesterday

user101user101

1685

New contributor

user101 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked yesterday

user101user101

1685

1 Answer
1

active

oldest

votes

12

You can use the same trick as can be used with hidden inputs:

<link rel="canonical" accesskey="X" onclick="alert(1)" />

On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.

Other than that, I see no way to exploit this in a modern browser without further code.

While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:

<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">

If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).

The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.

I tried all other event attributes, and none trigger on a normal page load.

This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.

If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).

share|improve this answer

edited yesterday

answered yesterday

timtim

24.2k668102

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
  
  – user101
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  How to fix the issue then?
  
  – Nigel Fds
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @NigelFds: By filtering out characters like ", < and >.
  
  – user101
  19 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
  
  – tim
  17 hours ago
  
  
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

user101 is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205975%2fis-xss-in-canonical-link-possible%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

12

You can use the same trick as can be used with hidden inputs:

<link rel="canonical" accesskey="X" onclick="alert(1)" />

On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.

Other than that, I see no way to exploit this in a modern browser without further code.

While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:

<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">

If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).

The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.

I tried all other event attributes, and none trigger on a normal page load.

This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.

If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).

share|improve this answer

edited yesterday

answered yesterday

timtim

24.2k668102

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
  
  – user101
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  How to fix the issue then?
  
  – Nigel Fds
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @NigelFds: By filtering out characters like ", < and >.
  
  – user101
  19 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
  
  – tim
  17 hours ago
  
  
  

  
  
  
  

add a comment | 

12

You can use the same trick as can be used with hidden inputs:

<link rel="canonical" accesskey="X" onclick="alert(1)" />

On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.

Other than that, I see no way to exploit this in a modern browser without further code.

While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:

<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">

If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).

The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.

I tried all other event attributes, and none trigger on a normal page load.

This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.

If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).

share|improve this answer

edited yesterday

answered yesterday

timtim

24.2k668102

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks ! You saved my day. For Windows ALT + X works too. This could be chained with clickjacking (if present in website) to execute Javascript.
  
  – user101
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  How to fix the issue then?
  
  – Nigel Fds
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @NigelFds: By filtering out characters like ", < and >.
  
  – user101
  19 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @NigelFds Most - but not all - of the time, you'd want to HTML-encode relevant characters (', ", <, >) when echoing user input. As this is in a URL context, you could also URL-encode the data (see OWASP which also has a good overview of XSS prevention in other contexts, and when encoding of ', ", <, > is not enough).
  
  – tim
  17 hours ago
  
  
  

  
  
  
  

add a comment | 

You can use the same trick as can be used with hidden inputs:

<link rel="canonical" accesskey="X" onclick="alert(1)" />

On Linux, use ALT+SHIFT+X to trigger the payload. IMHO it's enough to report the issue and get it fixed, but it does require some unlikely user interaction.

Other than that, I see no way to exploit this in a modern browser without further code.

While the link tag supports the onload attribute, it only fires when something is successfully loaded, eg:

<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">

If your injection were <link href="[user input]" rel="canonical">, then you could exploit it via http://somedomain/somecsssfile.css" rel="stylesheet" onload="alert(1).

The WHATWG spec defines that the first attribute must be used, so it is unlikely that any browser would use the second, so this will not work for your case.

I tried all other event attributes, and none trigger on a normal page load.

This blog post states that this would be exploitable under IE7 and IE8 by injecting a style attribute which then uses an expression to execute JavaScript.

If there is additional JavaScript code that insecurely processes elements, this might also become exploitable (see here for an interesting example).

share|improve this answer

edited yesterday

answered yesterday

timtim

24.2k668102

<link rel="stylesheet" href="http://localhost/test.css" onload="alert(1)">

share|improve this answer

edited yesterday

answered yesterday

timtim

24.2k668102

answered yesterday

timtim

24.2k668102

answered yesterday

timtim

24.2k668102