Don’t Trust, Always Test

Today we were looking for a BBCode interpreter. Primarily a .NET development team, after some frantic googling to see there was anything that we could use in the hope it has been tried, tested, and ultimately secure, there was a possibility.

Googling for ‘.NET bbcode’ results in this at the top of the page: Looks promising, and even confirms what we are after in the blurb:

We have used Pex ( to extensively test some important properties of this BBCode-Parser. We used Pex to ensure that the parser never crashes and that it never emits any dangerous tag such as , no matter what the input was. The user can type any HTML he wants but it will just get encoded, even when it is in unusual places like the href-attribute of the url-tag. If you have any questions about this you can post them on http// if you speak german. In other cases you can contact us by email in english.

Excellent, even singles out security. 60 seconds into a test ourselves, and we have this:

So what went wrong. Well the first thing is the way in which [url] tags are dealt with:

[url href=javascript:document.body.innerHTML=String.fromCharCode(88,83,83)]bbcode[/url]

Which results in the following HTML:


OK bad start, but it requires a user to click the link to execute, not the end of the world right? Well lets have a look at the [img] tag to see if that is any better:

[img] [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
Results in:

<img src="  " />
OK, not fantastic. So whats the takeaway from this, well OWASP Top 10 for 2013 has this at number 9:

‘Using Components With Known Vulnerabilities’

And for good reason. It’s extremely easy to google for a library and have multiple sources tell you ‘this is secure, use this’. Always remember to security test your libraries before implementing.

Thanks to for the excellent bbcode injection examples and a great resource if you are attempting to test your own BBCode solution.


One thought on “Don’t Trust, Always Test

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s