Conference paper: International Workshop on Information Security Applications
Systematically Breaking Online WYSIWYG Editors

Abstract

Cross-Site Scripting (XSS), a vulnerability around fourteen years old, is still on the rise and a continuous threat to web applications. Last year alone, 150,505 defacements (the least an XSS can do) were reported and archived in Zone-H, a cybercrime archive. Online WYSIWYG (What You See Is What You Get) or rich-text editors are nowadays an essential component of web applications. They allow users to edit and enter HTML rich text (formatted text, images, links, videos, etc.) inside the browser window. Web applications use WYSIWYG editors as part of comment functionality, private messaging between users, blogs, notes, forum posts, spell-check-as-you-type, ticketing features, and other online services. XSS in WYSIWYG editors is considered more dangerous and more exploitable because the user-supplied rich-text content (which may be malicious) is viewable by other users of the application. In this paper, we present a security analysis of twenty (20) popular WYSIWYG editors powering thousands of web sites. The analysis includes editors such as Enterprise TinyMCE, EditLive, Lithium, Jive, TinyMCE, PHP HTML Editor, markItUp! (a universal markup jQuery editor), FreeTextBox (a popular ASP.NET editor), Froala Editor, elRTE, and CKEditor. We also analyze the rich-text editors in use on very popular sites such as Twitter, Yahoo Mail, Amazon, GitHub, Magento, and many more. To analyze online WYSIWYG editors, the paper also presents a systematic, WYSIWYG-editor-specific XSS attack methodology. We applied this methodology to the online WYSIWYG editors and found XSS in all of them. We show XSS bypasses for both old and modern browsers. We have responsibly reported our findings to the respective editor developers, and our suggestions have been incorporated. Finally, we give recommendations for developers of web applications and WYSIWYG editors.
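What the analysis above comes down to for an application developer is that rich text arriving from a WYSIWYG editor is attacker-controlled HTML that other users will render, so it has to be reduced to an explicit allowlist of tags and attributes on the server before it is stored. The following is an added example, not code from the paper or from any of the editors it names: a small allowlist sanitizer built on Python's standard-library `html.parser`, shown beside the regex blocklist filter that editors and applications commonly rely on. The tag and attribute allowlist, the URL-scheme rule and the test vectors are this example's own assumptions; the vectors are generic XSS vectors constructed here, not the paper's bypasses.

```python
"""Added example, not code from the paper or from any editor it names.

An allowlist HTML sanitizer for rich text submitted from a WYSIWYG editor,
next to the regex blocklist filter that editors and applications often ship.
The allowlist, URL rules and vectors below are this example's own choices.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse


def blocklist_sanitize(html: str) -> str:
    """Anti-pattern: delete <script> tags and on* handlers with regexes."""
    html = re.sub(r"<\s*/?\s*script[^>]*>", "", html, flags=re.I)
    return re.sub(r"\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", html, flags=re.I)


# Tags the application is willing to store, each with the attributes it keeps
# (assumed allowlist; every other tag and attribute is dropped).
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}   # never javascript:, data:, vbscript:
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_url(value: str):
    """Return the URL if its scheme is allowed (or it is relative), else None.

    Browsers drop tab/newline anywhere in a URL and leading/trailing controls
    and spaces before parsing, so "java<TAB>script:" still executes; normalise
    the same way before looking at the scheme.
    """
    cleaned = re.sub(r"[\t\n\r]", "", value).strip(C0_AND_SPACE)
    scheme = urlparse(cleaned).scheme          # urlparse lowercases the scheme
    return cleaned if not scheme or scheme in SAFE_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Re-serialise only allowlisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:          # script, svg, iframe, ...: tag is dropped,
            return                      # its text content still arrives via handle_data
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue                # on*, style, srcdoc, target, ... never get through
            value = value or ""         # attribute values are already entity-decoded here
            if name in ("href", "src"):
                value = safe_url(value)
                if value is None:
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:       # close up to and including it, keeping nesting sane
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is text, always re-escaped

    # Comments, doctypes, CDATA and processing instructions: HTMLParser's default
    # handlers ignore them, so conditional comments and <![CDATA[ tricks vanish.

    def result(self) -> str:
        while self.open_tags:           # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed vectors (generic XSS vectors, not the paper's editor bypasses).
VECTORS = [
    "<img src=x onerror=alert(1)>",                 # the one case the blocklist handles
    '<p onclick="alert(1)">hi</p>',
    "<svg/onload=alert(1)>",                        # no whitespace before on*: regex misses it
    "<scr<script>ipt>alert(1)</script>",            # tag re-forms after one deletion pass
    '<a href="java&#9;script:alert(1)">x</a>',      # entity-encoded tab inside the scheme
    '<img src="data:text/html;base64,PHNjcmlwdD4=" alt="x">',
]

if __name__ == "__main__":
    for v in VECTORS:
        print(f"{v!r}\n  blocklist: {blocklist_sanitize(v)!r}\n  allowlist: {sanitize(v)!r}")
```

Run it and compare the two outputs per vector: the blocklist strips the plain `onerror` handler but leaves the `javascript:` link, the whitespace-free `<svg/onload>` and the self-reassembling `<scr<script>ipt>` intact, whereas the allowlist never emits markup it did not generate itself. Note also where this runs: whatever filtering the editor does in the browser can be skipped by posting the HTML straight to the endpoint, so the sanitizer has to sit on the server, on the stored value.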
