Fluid XSS

Following the advice given in this presentation, your Fluid templates and View Helpers will potentially enable various XSS attacks

Helmut Hummel

June 12, 2016

Transcript

  1. Fluid XSS: Successfully enabling XSS Attacks with Fluid. Helmut Hummel <info@helhum.io>, 12.6.2016
  2. Cross-Site Scripting

  3. PHP Templating

     <input name="foo" value="<?= $_GET['foo'] ?>" />

  4.

  5. Fluid Templating

     <input name="foo" value="{foo}" />

  6.

  7. Fluid: How to enable XSS with Fluid

     • Use variables in <script> tags in Fluid templates
     • Do NOT use data attributes to store data for JavaScript
     • Disable children escaping in ViewHelpers
     • Always pass HTML to ViewHelper arguments to avoid encoding
     • Always wrap variables with f:format.raw
     • Never use request format html to avoid encoding
  8. Fluid XSS: Resources

     • https://github.com/helhum/fluid_security/commits/master
     • https://www.owasp.org/index.php/Cross-Site_Scripting
  9. @helhum, http://helhum.io, info@helhum.io
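The slides contrast the raw PHP echo on slide 3 with the auto-encoded Fluid variable on slide 5, and slide 7 lists (ironically) the ways to defeat that encoding. The following is an added example, not code from the talk or from the Fluid project: it puts the slide-3 line beside output encoding that fits each context the value lands in (HTML attribute, data attribute read from JavaScript, inline script). The function names and the two payload strings are constructed for illustration.

```php
<?php
// Added example (not from the slides): contextual output encoding in plain PHP.
// Function names and payloads below are constructed for illustration.

// Slide 3 verbatim: the request value lands in an attribute without encoding.
function renderUnsafe(string $foo): string
{
    return '<input name="foo" value="' . $foo . '" />';
}

// Attribute context: htmlspecialchars with ENT_QUOTES encodes both quote
// characters, so the value cannot terminate the attribute. This is the kind of
// encoding the Fluid {foo} syntax on slide 5 applies for you.
function renderAttribute(string $foo): string
{
    $encoded = htmlspecialchars($foo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="foo" value="' . $encoded . '" />';
}

// Slide 7 anti-pattern: a variable pasted into a <script> block. HTML entity
// encoding is not applied or decoded inside <script>; a "</script>" in the
// data simply closes the block and the rest is parsed as fresh markup.
function renderScriptUnsafe(string $foo): string
{
    return '<script>var foo = "' . $foo . '";</script>';
}

// The approach slide 7 tells you NOT to use: hand the value to JavaScript via
// a data attribute (attribute-encoded) and read it with dataset. No server
// value is ever spliced into JavaScript source.
function renderDataAttribute(string $foo): string
{
    $encoded = htmlspecialchars($foo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div id="app" data-foo="' . $encoded . '"></div>'
        . '<script>var foo = document.getElementById("app").dataset.foo;</script>';
}

// If a value really must be inlined in script, json_encode with the HEX flags
// turns <, >, &, ' and " into \uXXXX escapes (and "/" into "\/" by default),
// so the literal sequence "</script>" cannot appear in the output.
function renderScriptJson(string $foo): string
{
    $json = json_encode(
        $foo,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var foo = ' . $json . ';</script>';
}

// Constructed payloads: the first breaks out of value="", the second closes <script>.
$attributePayload = '" onfocus="alert(1)" autofocus="';
$scriptPayload    = '</script><script>alert(1)</script>';

echo renderUnsafe($attributePayload), PHP_EOL;
echo renderAttribute($attributePayload), PHP_EOL;
echo renderScriptUnsafe($scriptPayload), PHP_EOL;
echo renderDataAttribute($scriptPayload), PHP_EOL;
echo renderScriptJson($scriptPayload), PHP_EOL;
```

Run it with `php example.php` and compare the five lines: the first carries an attacker-supplied onfocus handler as a real attribute, the second shows every quote turned into `&quot;` so the input stays inside value="", the third contains an injected second `<script>` element, and the last two show the same payload rendered harmless by attribute encoding and by JSON `\u003C`/`\u003E` escapes respectively. The context-specific encoder is the point: one encoder for all contexts (or wrapping everything in f:format.raw to make the encoding "go away") is exactly what slide 7 is warning against.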