One way to bypass htmlentities

Hi researchers, it has been a long time since I last published, which is an excellent sign that I am working a lot!

The life of a bug bounty hunter is hard and we need to study a lot every day.

I am researching the options for vulnerability prevention functions more deeply, and I have found some interesting things that I will gradually share here.

There are a lot of techniques for preventing Cross-Site Scripting, and one of them for PHP is htmlentities().

Many researchers, when faced with this, give up because they cannot find a way to perform a bypass, and frustration is inevitable. When printing user input inside an HTML tag attribute, the default configuration of htmlentities() DOES NOT protect you against XSS if single quotes are used to delimit the attribute value. XSS is then possible by injecting a single quote.
Let's see:

Example01:
<?php
// Simulated user input: the attacker controls the 'color' parameter
$_GET['color'] = "#000000' onload='alert(document.cookie)";
// The default flags (PHP < 8.1) encode <, >, & and " but leave the single quote untouched
$body = htmlentities($_GET['color']);
// The attribute is delimited with single quotes, so the payload closes it and adds an onload handler
print "<body bgcolor='$body'>";
?>

[Screenshot: alert box displaying document.cookie]

This is insecure code and a bad use of htmlentities.

The ENT_QUOTES option DOES NOT PROTECT against JavaScript evaluation in certain tag attributes, for example the 'href' attribute of the 'a' tag.
Example02:
<?php
// Simulated user input: a javascript: URL contains no character that htmlentities encodes
$_GET['a'] = 'javascript:alert(document.cookie)';
// ENT_QUOTES now encodes both quote styles, but the value is still a javascript: URL
$href = htmlentities($_GET['a'], ENT_QUOTES);
// Clicking the link executes the script, because the browser evaluates the URL scheme
print "<a href='$href'>link</a>";
?>
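The two examples fail for different reasons, so the fix is also different: Example01 needs the quote character encoded (and a quoting style that cannot be escaped), while Example02 needs the URL scheme validated, because no output encoding turns a javascript: URL into a harmless one. The following is an added example written for this post, not code from the original author; the helper names attr() and safe_href() are my own, and the input strings are the ones from Example01 and Example02. One caveat the post does not mention: since PHP 8.1 the default flags of htmlentities() are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so Example01 only reproduces on older PHP versions, whereas Example02 reproduces on every version.

```php
<?php
// Added example (not from the original post): hardened versions of the two
// vulnerable snippets above. attr() and safe_href() are hypothetical helper names.
declare(strict_types=1);

// Encode a value for use inside an HTML attribute. ENT_QUOTES encodes both
// " and ', so the value cannot close the attribute whichever quote style the
// template uses; passing the flags explicitly removes the dependency on the
// PHP version's default. ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently drop the value.
function attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding alone does not help for href/src: "javascript:" contains nothing
// that htmlentities() touches. Check the URL scheme against an allowlist
// first, then encode the result as an attribute. Anything that is not a
// plain relative URL or an allowed scheme is replaced by $fallback.
function safe_href(string $url, string $fallback = '#'): string
{
    $url = trim($url);

    // Browsers ignore tabs and newlines inside a URL, so "java\tscript:" would
    // slip past a naive scheme check; reject any ASCII control character outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return attr($fallback);
    }

    // A colon before the first "/", "?" or "#" means the URL carries a scheme.
    if (preg_match('#^([^/?\#:]+):#', $url, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
            return attr($fallback);
        }
    }

    // Relative URLs and allowed schemes pass through, encoded for the attribute.
    return attr($url);
}

// Inputs copied from Example01 and Example02 in the post.
$color = "#000000' onload='alert(document.cookie)";
$link  = 'javascript:alert(document.cookie)';

// Example01, hardened: the single quote is now encoded, so the value stays
// inside the attribute. Use double quotes around attributes in templates as well.
print '<body bgcolor="' . attr($color) . "\">\n";

// Example02, hardened: the javascript: scheme is rejected and replaced by "#".
print '<a href="' . safe_href($link) . "\">link</a>\n";

// An ordinary link is kept, with the "&" encoded for the attribute context.
print '<a href="' . safe_href('https://example.com/?q=a&b=c') . "\">ok</a>\n";

// A relative URL has no scheme and is also kept.
print '<a href="' . safe_href('/profile?id=42') . "\">me</a>\n";
```

Run it with `php example.php` and compare the four printed tags with the output of the original snippets: the first attribute value now contains an encoded quote instead of a closing one, and the second link points at "#" rather than at the script. The allowlist in safe_href() is deliberately short; extend it only with schemes your application actually needs, never with a denylist of "dangerous" ones.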

I am probing other techniques and have found interesting things that I will post here for our research community.

Happy Hacking fellows!
