Fluid XSS

Transcript

1. Inspiring people to share Successfully enabling XSS Attacks with Fluid

   Fluid XSS Successfully enabling XSS Attacks with Fluid Helmut Hummel <[email protected]> 12.6.2016 1

2. Cross Site-Scripting 2

3. PHP Templating 3 <input name="foo" value="<?= $_GET['foo'] ?>" />

4. 4

5. Fluid Templating 5 <input name="foo" value="{foo}" />

6. 6

7. Fluid How to enable XSS with Fluid • Use variables

   in <script> tags in Fluid templates • Do NOT use data attributes to store data for JavaScript • Disable children escaping in ViewHelpers • Always pass HTML to ViewHelper arguments to avoid encoding • Always wrap variables with f:format.raw • Never use request format html to avoid encoding 7

8. Inspiring people to share Fluid XSS Successfully enabling XSS Attacks

   with Fluid Fluid XSS Resources • https://github.com/helhum/fluid_security/commits/master • https://www.owasp.org/index.php/Cross-Site_Scripting 8

9. 9 @helhum http://helhum.io [email protected]