October 23, 2024
Chicago 12, Melborne City, USA
OiO.lk Blog security Identify which browsers are vulnerable to XSS attacks through inline-styles?
security

Identify which browsers are vulnerable to XSS attacks through inline-styles?

  • by
  • October 23, 2024
  • 0 Comments
  • 2 minutes read
  • 2 Views
  • 6 hours ago


Our corporate security policy has a restriction that prevents adding comments to ServiceNow work notes and comments that include embedded HTML. The reasoning is that the user could inject malicious HTML with JavaScript, though I’m not convinced this policy is still valid as ServiceNow has added improvements since this feature was introduced in 2017. We’d like to enable it, so I’m trying to validate the extent of that security risk.

Out of the box, ServiceNow has an HTML Sanitizer that has both a whitelist and backlist of HTML elements and their attributes.

While the following is not a comprehensive list, here’s the sample code that I’m using for testing:

Possible XSS attacks:

1. [code]<script>alert('XSS Attack!');</script>[/code]
2. [code]<img src="image.jpg" onerror="alert('XSS Attack!');" />[/code]
3. [code]<iframe src="https://www.google.com"></iframe>[/code]
4. [code]<a href="javascript:alert('XSS Attack!');">Link</a>[/code]
5. [code]<div style="background-image: url('javascript:alert(\'XSS Attack\')');"></div>[/code]
6. [code]<input type="text" value="XSS" onfocus="alert('XSS Attack');" />[/code]

As expected, the resulting HTML obtained from the browser shows that the HTMLSanitizer either HTML encoded or stripped out the elements and attributes that would allow for code injection:

<br>Possible XSS attacks:
<br>
<br>1. &lt;script&gt;alert('XSS Attack!');&lt;/script&gt;
<br>2. <img src="image.jpg">
<br>3. <iframe></iframe>
<br>4. Link
<br>5. <div style="background-image: url('javascript:alert(\'XSS Attack\')');"></div>
<br>6. <input type="text"></div>

The only exception is the CSS attack through an inline-style where a URL could point to a JavaScript block:

<div style="background-image: url('javascript:alert(\'XSS Attack\')');" />

The Network tab of the Developer tools shows that the inline style was evaluated, but failed with a net::ERR_UNKNOWN_URL_SCHEME

net::ERR_UNKNOWN_URL_SCHEME

It appears that Chrome 129 doesn’t recognize the javascript: url scheme in this context.

As I’m not a web developer, is there a good reference material that would list which browsers support this and would therefore be vulnerable?



You need to sign in to view this answers

Share This Post:

Leave feedback about this

  • Quality
  • Price
  • Service

PROS

+
Add Field

CONS

+
Add Field
Choose Image
Choose Video

Related Post

GPL

Free GPL Intense – Shortcodes and Site Builder for

October 23, 2024
javascript

Returning undefined and NaN

October 23, 2024
SQL

Can i retrieve the existing Roots of a view

October 23, 2024
CSS

How to put images inside their boxes without cutting

October 23, 2024
HTML

Fill the interior of an SVG path

October 23, 2024
Android

Error: There was a problem parsing the package

October 23, 2024