Question

I was trying to perform a Reflective XSS attack on a tutorial website. The webpage basically consists of a form with an input field and a submit button. On submitting the form, the content of the input field is displayed on the same webpage.

I figured out that the website is blacklisting the script tag and some of the JavaScript methods in order to prevent an XSS attack. So, I decided to encode my input and then tried submitting the form. I tried 2 different inputs, and one of them worked and the other one didn't.

When I tried:

<body onload="&#97lert('Hi')"></body>

It worked and an alert box was displayed. However, when I encoded some characters in the HTML tag, something like:

&#60body onload="&#97lert('Hi')"&#62&#60/body&#62

It didn't work! It simply printed <body onload="alert('Hi')"></body> as it is on the webpage!

I know that browsers execute inline JavaScript as they parse an HTML document (please correct me if I'm wrong). But I'm not able to understand why the browser showed different behavior for the two inputs that I've mentioned.

Edit

I tried the same with a more basic XSS tutorial with no XSS protection. Again:

<script>alert("Hi")</script> -> Worked!

&#60s&#99ript&#62&#97lert("Hi")&#60/s&#99ript&#62 -> Didn't work! (Got printed as string on the Web Page)

So basically, if I encode anything in JavaScript, it works. But if I'm encoding anything that is HTML, it's not executing the JavaScript within that HTML!


Solution 2

When an HTML page says &#60body It treats it the same as if it said &lt;body

That is, it just displays the encoded characters, doesn't parse them as HTML. So you're not creating a new tag with onload attributes http://jsfiddle.net/SSfNw/1/

alert(document.body.innerHTML);
// When an HTML page says &lt;body It treats it the same as if it said &lt;body  

So in your case, you're never creating a body tag, just content that ends up getting moved into the body tag http://jsfiddle.net/SSfNw/2/

alert(document.body.innerHTML)
// &lt;body onload="alert('Hi')"&gt;&lt;/body&gt;  

In the case <body onload="&#97lert('Hi')"></body>, the parser is able to create the body tag; once within the body tag, it is also able to create the onload attribute. Once within the attribute, everything gets parsed as a string.

Other tips

I can't come up with words to describe this properly, so I'll just give you an example. Let's say we have this string:

<div>Hello World! &lt;span id="foo"&gt;Foobar&lt;/span&gt;</div>

When this gets parsed, you end up with a div element that contains the text:

Hello World! <span id="foo">Foobar</span>

Note, while there is something that looks like html inside the text, it is still just text, not html. For that text to become html, it would have to be parsed again.

Attributes work a little bit differently, html entities in attributes do get parsed the first time.

tl;dr:

if the service you are using is stripping out tags, there's nothing you can do about it unless the script is poorly written in a way that results in the string getting parsed twice.

Demo: http://jsfiddle.net/W6UhU/ note how, after setting the div's inner HTML equal to its inner text, the span becomes an HTML element rather than a string.
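The two answers above describe the same parsing rule from two angles: a character reference in text content decodes to a literal character that is never re-tokenized, while a character reference inside an attribute value decodes before the attribute is handed to the script engine, and a page only becomes exploitable through encoded tags if something parses the decoded text a second time. The following is an added example, not code from the question or either answer, and not a browser engine: it is a deliberately small hand-written model of an HTML tokenizer (the regular expressions, the `tokenize`, `innerText`, `handlersThatWouldRun`, `naiveFilter` and `canonicalizingFilter` names, and the assumption that attribute values contain no `>`) that is enough to reproduce every observation in the thread. The `reparseTextAsHtml` function stands in for the `el.innerHTML = el.innerText` pattern the second answer's fiddle demonstrates.

```javascript
// Added example: a miniature model of HTML character-reference handling in
// text versus attribute values, and of the "parsed twice" failure mode.
// Hand-written model for illustration, not a real HTML parser.

const NAMED_REFS = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode character references. Numeric references decode even without the
// trailing semicolon (a parse error per the HTML spec, but the character is
// still emitted), which is why "&#97lert" decodes to "alert". Named
// references are required to carry a semicolon here for simplicity.
function decodeCharRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?|&([a-z]+);/gi, (m, num, name) => {
    if (num !== undefined) {
      const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m;
  });
}

// Attribute values are decoded too, so onload="&#97lert('Hi')" hands the
// script engine the string alert('Hi').
function parseAttrs(s) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    const raw = m[2] ?? m[3] ?? m[4] ?? '';
    attrs[m[1].toLowerCase()] = decodeCharRefs(raw);
  }
  return attrs;
}

// Split markup into start-tag, end-tag and text tokens. The "is this a tag?"
// decision is made on a raw '<' in the input; a '<' produced by decoding
// "&#60" is only ever seen inside a text token, so it can never open a tag.
// Simplifying assumption: attribute values contain no '>' character.
function tokenize(markup) {
  const tokens = [];
  const tagRe = /<(\/?)([a-z][a-z0-9]*)([^>]*)>/gi;
  let last = 0;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    if (m.index > last) {
      tokens.push({ type: 'text', value: decodeCharRefs(markup.slice(last, m.index)) });
    }
    tokens.push({ type: m[1] ? 'endTag' : 'startTag', name: m[2].toLowerCase(), attrs: parseAttrs(m[3]) });
    last = tagRe.lastIndex;
  }
  if (last < markup.length) {
    tokens.push({ type: 'text', value: decodeCharRefs(markup.slice(last)) });
  }
  return tokens;
}

// What the user sees on the page: the decoded text tokens (like innerText).
function innerText(tokens) {
  return tokens.filter((t) => t.type === 'text').map((t) => t.value).join('');
}

// Event-handler attributes that a browser would pass to the script engine.
function handlersThatWouldRun(tokens) {
  return tokens
    .filter((t) => t.type === 'startTag')
    .flatMap((t) => Object.entries(t.attrs)
      .filter(([k]) => k.startsWith('on'))
      .map(([k, v]) => `${t.name}.${k}=${v}`));
}

// The second answer's vulnerable pattern: text that survived the first parse
// is fed to the parser again (the DOM equivalent is el.innerHTML = el.innerText).
function reparseTextAsHtml(tokens) {
  return tokenize(innerText(tokens));
}

// A blacklist of the kind the question describes: it refuses raw "<script"
// and "alert" but looks at the undecoded input, so "&#60s&#99ript" passes.
function naiveFilter(input) {
  return /<script|alert/i.test(input) ? '' : input;
}

// Canonicalize before checking. This closes the encoding bypass against the
// same blacklist; output encoding at the sink remains the real fix.
function canonicalizingFilter(input) {
  return /<script|alert/i.test(decodeCharRefs(input)) ? '' : input;
}

// Walk through the thread's three inputs (constructed from the question).
function demo() {
  const encodedAttr = `<body onload="&#97lert('Hi')"></body>`;
  const encodedTag = `&#60body onload="&#97lert('Hi')"&#62&#60/body&#62`;
  const encodedScript = `&#60s&#99ript&#62&#97lert("Hi")&#60/s&#99ript&#62`;
  return {
    attrRuns: handlersThatWouldRun(tokenize(encodedAttr)),          // ["body.onload=alert('Hi')"]
    tagShownAsText: innerText(tokenize(encodedTag)),                // <body onload="alert('Hi')"></body>
    tagRunsOnce: handlersThatWouldRun(tokenize(encodedTag)),        // []
    tagRunsTwice: handlersThatWouldRun(reparseTextAsHtml(tokenize(encodedTag))),
    scriptPassesNaive: naiveFilter(encodedScript) === encodedScript, // true
    scriptBlockedCanonical: canonicalizingFilter(encodedScript) === '', // true
  };
}
```

Run `demo()` under Node to see the asymmetry: the encoded attribute value executes on the first parse, the encoded tag is shown as text and only becomes a live `body` element with an `onload` handler after `reparseTextAsHtml`, and the encoded `script` payload slips past `naiveFilter` precisely because the filter inspects the input before decoding.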

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow