A user has sent me some information that they posted to one of my pages with potential XSS issues; however, looking at the server-side code, I don't think it would ever run through my code smoothly.

They said they sent this:

forminfo=%27+%7C%7C+%27%27+%7C%7C+%27%25booleantest%3Atrue%2Ctrue%2Ctrue

I have looked at this and have worked out that %27 is an apostrophe and %7C is a pipe character, which could be risky.

However, if the data comes into my app in that format, it will crash, as it does string manipulation on the posted information. It does a string split on a colon (:) character. forminfo is the name of one of my HTML input elements.

If it came in as

forminfo=' || '' || '%booleantest:true,true,true

then it's clearer and I can see better what they sent and how the code would deal with the input.

Therefore, are they saying that they posted data in an encrypted manner? Would my app know how to deal with the encrypted posted data and unencrypt it somehow?

They didn't get an error, but if I run the code myself it errors.

Can you explain what might have happened?

+1  A: 

Hex- and base64-encoded JavaScript can be decoded and rendered within your page, if your page is rendering the form data (the injected JavaScript) back to the browser.

To better protect your site, you might want to look into the XSS (Cross Site Scripting) Cheat Sheet or Cross-site Scripting (XSS).

Adam Kahtava
+1  A: 

The following is URL-encoded data:

forminfo=%27+%7C%7C+%27%27+%7C%7C+%27%25booleantest%3Atrue%2Ctrue%2Ctrue

If your application would have issues with:

forminfo=' || '' || '%booleantest:true,true,true

Then you indeed have a problem because that is what your helpful user is trying to tell you.

Forgotten Semicolon
It wouldn't have an issue with it decoded, but where does the URL decoding take place?
Jon
It happens automatically as part of the Request Pipeline for QueryString variables.
Forgotten Semicolon
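The decoding and echo path that both answers describe, as an added example that is not from the question, the answers, or the asker's application. It assumes a Python handler, uses the body quoted in the question as a constructed sample, and adds a hypothetical allow-list for the part before the colon (the real application's expected shape is not given on the page). It shows what the handler actually receives after the request pipeline has URL-decoded the body, that the colon split on that value does not raise, and how validating the decoded input and HTML-escaping it on output close the XSS path regardless of how the attacker encoded the request:

```python
from __future__ import annotations

import html
import re
from urllib.parse import parse_qs

# Constructed sample: the request body exactly as quoted in the question.
RAW_BODY = "forminfo=%27+%7C%7C+%27%27+%7C%7C+%27%25booleantest%3Atrue%2Ctrue%2Ctrue"

# Hypothetical allow-list (assumption, not from the page): the field-name part
# of forminfo is expected to be an identifier-like name such as "booleantest".
FIELD_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def decode_form_body(body: str) -> dict[str, str]:
    """Do what the request pipeline does before handler code runs: split the
    body into name=value pairs, turn '+' into spaces and percent-decode both."""
    return {name: values[0]
            for name, values in parse_qs(body, keep_blank_values=True).items()}


def split_forminfo(value: str) -> tuple[str, list[str]]:
    """The processing step described in the question: one split on ':' into a
    field name and a comma-separated list of values. partition() never raises,
    so the decoded payload does not crash this step; it just yields an odd name."""
    name, _, rest = value.partition(":")
    return name, (rest.split(",") if rest else [])


def validate_forminfo(value: str) -> tuple[str, list[str]]:
    """Input validation on the decoded value: reject anything that is not the
    shape the application expects instead of carrying it further."""
    name, values = split_forminfo(value)
    if not FIELD_NAME_RE.match(name):
        raise ValueError(f"unexpected field name in forminfo: {name!r}")
    if not all(v in ("true", "false") for v in values):
        raise ValueError(f"unexpected values in forminfo: {values!r}")
    return name, values


def render_echo(value: str) -> str:
    """Output encoding: if the page echoes the posted value back, escape it as
    HTML text so quotes and angle brackets cannot form markup or script."""
    return f"<p>You sent: {html.escape(value)}</p>"


if __name__ == "__main__":
    decoded = decode_form_body(RAW_BODY)["forminfo"]
    print("handler sees:", decoded)
    print("split result:", split_forminfo(decoded))
    try:
        validate_forminfo(decoded)
    except ValueError as err:
        print("rejected:", err)
    print("safe echo:", render_echo(decoded))
```

Running it prints the same string the second answer shows (`' || '' || '%booleantest:true,true,true`), which is why the user saw no error: the framework had already decoded the body before the split ran. The split simply produces `' || '' || '%booleantest` as the "field name", and it is the allow-list check, not the decoding, that rejects it.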