Systematically breaking online WYSIWYG editors


Abstract

Cross-Site Scripting (XSS), a vulnerability around fourteen years old, is still on the rise and a continuous threat to web applications. Only last year, 150505 defacements (the least an XSS can do) were reported and archived in Zone-H, a cybercrime archive (http://www.zone-h.org/). Online WYSIWYG (What You See Is What You Get) or rich-text editors are nowadays an essential component of web applications. They allow users of web applications to edit and enter HTML rich text (i.e., formatted text, images, links, videos, etc.) inside the web browser window. Web applications use WYSIWYG editors as part of comment functionality, private messaging among users of applications, blogs, notes, forum posts, spell-check as-you-type, ticketing features, and other online services. XSS in WYSIWYG editors is considered more dangerous and exploitable because the user-supplied rich-text contents (which may be dangerous) are viewable by other users of the web application. In this paper, we present a security analysis of twenty (20) popular WYSIWYG editors powering thousands of web sites. The analysis includes WYSIWYG editors like Enterprise TinyMCE, EditLive, Lithium, Jive, TinyMCE, PHP HTML Editor, markItUp! universal markup jQuery editor, FreeTextBox (popular ASP.NET editor), Froala Editor, elRTE, and CKEditor. At the same time, we also analyze rich-text editors available on very popular sites like Twitter, Yahoo Mail, Amazon, GitHub, Magento and many more. In order to analyze online WYSIWYG editors, this paper also presents a systematic, WYSIWYG-editor-specific XSS attack methodology. We applied the XSS attack methodology to online WYSIWYG editors and found XSS in all of them. We show XSS bypasses for old and modern browsers. We have responsibly reported our findings to the respective developers of the editors, and our suggestions have been incorporated. In the end, we also point out some recommendations for the developers of web applications and WYSIWYG editors.

Citation

Javed, A., & Schwenk, J. (2015). Systematically breaking online WYSIWYG editors. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8909, pp. 122–133). Springer Verlag. https://doi.org/10.1007/978-3-319-15087-1_10
