AnsweredAssumed Answered

onEvent vulnerabilities

Question asked by George Peters on Dec 28, 2010
Latest reply on Jan 10, 2011 by George Peters

I recently recieved some output of a client company's QualysGuard report that reported a high number of potential XSS vulnerabilities with various parameters passed the value:

 

=%22%20onEvent%3dblahblahblah%20

 

inserted into the URL, as well as the same thing with a %27 rather than %22.  The pattern was found reflected in the source of the page, and thus recorded as a possible vulnerability.  There are many, many pages with this finding, and rather than check the specific source for each one, I'd like to better understanda the potential threat vectors his represents and what would constitute a global fix to them.

 

I should note that I tried the same URLs with < and > (and %3E and %3C) and these were consistently filtered out, and much of the code that manages these pages is opaque to me.

 

I would like to better understand the range of contexts where a quote and onEvent is exploitable, and a range of solutions, which might provide a global fix to the vulnerability.  I do not think that we can simply encode all quotes, as some pages/parameters may need to accept an unencoded quote.  But is the the particular threat eliminated if we can strip and/or encode quotes and doublequotes?  If we can't strip out all quotes, is a valid approach to filter out onEncode?  Filter out all event handlers (onblur, onmouseover, etc.)?  Is it only a danger for XSS if these parameters are inserted into a script?

 

Can anyone point me to a reference or describe the range of ways in which this could be exploited?

 

Thanks,

George

Outcomes