
Fluid XSS

Following the advice given in this presentation, your Fluid templates and View Helpers will potentially enable various XSS attacks

Helmut Hummel

June 12, 2016

Transcript

  1. Fluid XSS: Successfully enabling XSS Attacks with Fluid. Helmut Hummel <[email protected]>, 12.6.2016
  2. Cross-Site Scripting

  3. PHP Templating: <input name="foo" value="<?= $_GET['foo'] ?>" />

  4. (no text on this slide)

  5. Fluid Templating: <input name="foo" value="{foo}" />

  6. (no text on this slide)

  7. Fluid: How to enable XSS with Fluid
     • Use variables in <script> tags in Fluid templates
     • Do NOT use data attributes to store data for JavaScript
     • Disable children escaping in ViewHelpers
     • Always pass HTML to ViewHelper arguments to avoid encoding
     • Always wrap variables with f:format.raw
     • Never use request format html to avoid encoding
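Slides 3, 5 and 7 contrast the raw PHP echo with Fluid's default output encoding, and the deck's description makes clear that every bullet on slide 7 is an anti-pattern. The following PHP is an added example, not code from the deck or from the Fluid project: it renders the slide-3 input once unescaped and once attribute-encoded, and shows the data-attribute approach slide 7 warns you not to abandon. The function names and the sample input are constructed for this illustration.

```php
<?php
// Added example (not from the deck): the slide-3 raw echo beside the
// context-aware encoding that a template engine such as Fluid applies
// by default, plus a safe way to hand data to JavaScript.

declare(strict_types=1);

const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

/** Vulnerable (slide 3): the value is placed inside an attribute unchanged. */
function renderRawInput(string $foo): string
{
    return '<input name="foo" value="' . $foo . '" />';
}

/** Hardened: HTML-encode for the attribute context. ENT_QUOTES makes sure the
 *  double quote that would otherwise terminate the attribute is encoded too. */
function renderEscapedInput(string $foo): string
{
    $safe = htmlspecialchars($foo, HTML_FLAGS, 'UTF-8');
    return '<input name="foo" value="' . $safe . '" />';
}

/** Data for JavaScript: instead of interpolating variables into a <script>
 *  block, serialise them as JSON into a data attribute. The JSON_HEX_* flags
 *  encode characters that are special in HTML, and htmlspecialchars() then
 *  encodes the result for the attribute context. Client-side code reads it
 *  with JSON.parse(element.dataset.config). */
function renderDataAttribute(array $data): string
{
    $json = json_encode(
        $data,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    $safe = htmlspecialchars($json, HTML_FLAGS, 'UTF-8');
    return '<div id="app" data-config="' . $safe . '"></div>';
}

// Constructed sample input: a value that closes the attribute and the tag
// and injects markup of its own.
$input = '"><b>injected</b>';

echo renderRawInput($input), PHP_EOL;      // markup survives into the page
echo renderEscapedInput($input), PHP_EOL;  // quotes and angle brackets are encoded

// Constructed sample data that contains a closing script tag.
echo renderDataAttribute(['user' => 'alice', 'note' => '</script>']), PHP_EOL;
```

The point of the third function is the one slide 7 inverts: data destined for JavaScript belongs in a data attribute (or a JSON endpoint), not in a `<script>` block where HTML encoding does not apply and a `</script>` sequence ends the block early. In Fluid the same rule holds; disabling children escaping or wrapping output in f:format.raw removes exactly the encoding shown in renderEscapedInput().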
  8. Resources
     • https://github.com/helhum/fluid_security/commits/master
     • https://www.owasp.org/index.php/Cross-Site_Scripting
  9. @helhum, http://helhum.io, [email protected]