Many websites have a WYSIWYG editor.
You may not even realise that you are using one, but – if you think about it – chances are that many of the sites that you visit allow you to make forum posts, publish blog entries, post private messages, update wiki entries, submit support tickets, create signatures or leave comments.
All of these are very likely to incorporate some rich content elements.
Sure, it’s very nice to be able to embed images, or format your text with italics and hyperlinks, but is this flexibility unwittingly leaving a door open for attackers?
Security researcher Ashar Javed raised the issue in a talk entitled “Revisiting XSS Sanitization” at Blackhat Europe last week.
Javed, who has previously been awarded bug bounties after finding vulnerabilities on popular websites, used a simple methodology to test the web-based WYSIWYG editors used on many sites.
His plan? To see if he could trick a WYSIWYG editor into popping up a message-box containing the number “1” rather than sanitized content.
Some of the websites Javed examined relied upon third-party editor libraries, which could potentially be in use on millions of other websites. All it would take is for one such editor library to have a vulnerability and attackers could have a field day.
It is of some concern, therefore, to learn that Javed discovered that many online WYSIWYG editors proved to be vulnerable to cross-site scripting (XSS) attacks.
Commonly, web-based WYSIWYG editors were vulnerable to mischievous injections when it came to inserting and editing images, embedding URLs, and uploading files and videos.
One of the problems that Javed identified was that the developers of WYSIWYG editors think it is the responsibility of those developing the website or back-end server-side systems to perform the sanitization. Meanwhile, time-strapped website developers who pull a WYSIWYG editor off the shelf and plug it into their site imagine that all the hard work has been done for them.
Javed’s solution is to develop a so-called “Unbreakable sanitizer/filter” that does the tricky job of making sure content entered into WYSIWYG editors is safe – and cannot be used to exploit an XSS vulnerability.
If you’re curious, you can try out his XSS Filter, and try to bypass it with some JavaScript.
Javed ran an open challenge for two weeks, inviting anyone to attempt to bypass his filter with an XSS attack. During that time there were over 78,000 attempts recorded from 1035 unique IP addresses, but nobody has managed it so far.
More details of Javed’s research can be found in this white paper [PDF] and in the slides he presented at Blackhat Europe.
If your company has a website, or relies upon a web application, that you think might be at risk, be sure to take a long hard look at it and ensure that you are properly sanitizing its input and output to prevent a malicious attacker from exploiting any weaknesses.