Can someone tell me why / how this XSS vector works in a browser?

I have been mitigating several XSS attacks on my site. The following HTML snippet is an XSS vector that was introduced by an attacker:

<a href="mailto:"> <a href=\"http://www.google.com onmouseover=alert(/hacked/); \" target=\"_blank\"> <img src="http://www.google.com onmouseover=alert(/hacked/);" alt="" /> </a></a> 

It seems that the script should not be executed, but with the help of the IE9 developer tools I was able to see that the browser interprets the HTML as the following:

 <a href="mailto:"/> <a onmouseover="alert(/hacked/);" href="\"http://www.google.com" target="\"_blank\"" \?=""> </a/> 

After some testing, it turns out that the `\"` is what makes onmouseover a "live" attribute, but I don't know why. Does anyone know why this vector succeeds?

+6

1 answer

So, to summarize the comments: Sticking a character in front of a quote turns the quote into part of the attribute value instead of marking the beginning and end of the value. This works just as well:

 href=a"http://www.google.com onmouseover=alert(/hacked/); \" 

HTML allows unquoted attribute values, and an unquoted value ends at the first whitespace, so the text becomes two separate attributes with the given values.

+5

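The following is an added illustration, not code from the question or the answer. It feeds the inner anchor of the vector from the question (and the answer's `href=a"…"` variant) through Python's standard-library HTML tokenizer, which follows the same unquoted-attribute rule the answer describes: a value that does not start with a quote runs until the next whitespace, so the `\"` becomes literal characters in the `href` value and `onmouseover=alert(/hacked/);` is tokenized as its own attribute. The `\"` sequences in the vector look like backslash escaping applied to the attacker's quote, which is an assumption; whatever produced them, the contrast shown here is with entity encoding (`html.escape`), which keeps the attacker's text inside one quoted attribute. The `safe_link` helper and its `user_url` parameter are constructed for this example.

```python
"""Added example: tokenize the attribute-splitting vector from the question
with Python's stdlib html.parser and compare it with entity-encoded output."""
import html
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Record (tag, attrs) for every start tag the tokenizer emits.

    The default handle_startendtag() delegates to handle_starttag(), so
    self-closing tags such as <img ... /> are recorded as well.
    """

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_attrs(markup):
    """Return a list of (tag, {attr: value}) as the tokenizer sees them."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Inner anchor of the vector quoted in the question (constructed verbatim from
# the post; the Python string escapes produce a literal backslash + quote).
VECTOR = (
    '<a href=\\"http://www.google.com onmouseover=alert(/hacked/); \\" '
    'target=\\"_blank\\">'
    '<img src="http://www.google.com onmouseover=alert(/hacked/);" alt="" />'
    '</a>'
)

# The answer's point: any non-quote character before the quote has the same
# effect, because the value is then parsed as an unquoted value.
VARIANT = '<a href=a"http://www.google.com onmouseover=alert(/hacked/); \\">'


def event_handlers(markup):
    """Map tag name -> {on* attribute: value} for every tag that ended up
    with an event-handler attribute after tokenization."""
    found = {}
    for tag, attrs in parse_attrs(markup):
        handlers = {k: v for k, v in attrs.items() if k.startswith("on")}
        if handlers:
            found[tag] = handlers
    return found


def safe_link(user_url):
    """Build the anchor a site would normally intend, with the user-supplied
    URL entity-encoded for a double-quoted attribute context (hypothetical
    helper). html.escape(quote=True) turns '"' into '&quot;', so the value
    cannot terminate the attribute and no second attribute is created."""
    return '<a href="%s" target="_blank">link</a>' % html.escape(user_url, quote=True)


if __name__ == "__main__":
    for tag, attrs in parse_attrs(VECTOR):
        print(tag, attrs)
    print("handlers in vector:", event_handlers(VECTOR))
    print("handlers in variant:", event_handlers(VARIANT))
    escaped = safe_link('http://www.google.com onmouseover=alert(/hacked/); "')
    print(escaped)
    print("handlers after escaping:", event_handlers(escaped))
```

Running the block prints the `a` tag with four attributes (`href`, `onmouseover`, a bare `\"` attribute, and `target`), which matches the attribute list the IE9 developer tools showed in the question, while the `img` tag keeps `onmouseover=...` inside its properly quoted `src` value. The escaped link yields no handler attributes at all.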
Source: https://habr.com/ru/post/897382/
