Responsible Disclosure - John Lewis


The HTML5 specification is complicated. I've been an author on it, and even I couldn't tell you all the weird little gotchas it contains. Between that and "idiosyncratic" browser engines, it's a wonder the world wide web works at all.

Let's talk about the humble <meta> element. As its name suggests, it contains metadata about the document. A typical element might look like this:

<meta name="description" content="Search our shop for great deals!">

What can the content attribute contain? Text! Specifically, text where certain characters have to be encoded into their HTML entities. Now, to be fair, neither the W3C specification nor the WHATWG spec mention how text should be encoded. They both just say:

The value must be a free-form string that describes the page.

Obviously, you should encode a " character to &quot; because otherwise the browser will treat it as the end of the attribute value. But the spec doesn't mention that when talking about meta elements.

Create a document which has this meta element:

<meta name="description" content="My name is "Terence <em>Eden</em>" what's yours?">

And you'll see this echoed into the page:

Eden" what's yours?">

Most browsers interpret rogue HTML in the <head> as <body> content.
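As an added example (not code from the original post or from the John Lewis site), here is a small Node.js script that shows why the unescaped description leaks. It builds the meta element both ways, walks it with a deliberately small model of the HTML tokenizer's quoting rules (a quote opened right after = runs until its matching quote, and the first > outside a quoted value ends the tag), and then reports what text would be left over to render. The same escapeAttribute function is what the server side needs to apply to every attribute value it interpolates, including the OpenGraph description.

```javascript
// Added example (not code from the original post or from John Lewis):
// how an unescaped quote in a <meta content="..."> attribute lets text
// and markup leak into the rendered page, and how attribute escaping
// stops it. Runs under Node.js with no dependencies.

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build a <meta> element; escape=false reproduces the broken server behaviour.
function buildMeta(name, content, escape) {
  const value = escape ? escapeAttribute(content) : content;
  return `<meta name="${name}" content="${value}">`;
}

// Index just past the end of the first start tag. This is a small model of
// the HTML tokenizer: a quote that directly follows `=` opens an attribute
// value and runs until the matching quote (a `>` inside it is literal);
// the first `>` outside a quoted value ends the tag.
function firstTagEnd(html) {
  const start = html.indexOf('<');
  if (start < 0) return html.length;
  let quote = null; // the quote character currently open, or null
  let prev = '';
  for (let i = start + 1; i < html.length; i++) {
    const ch = html[i];
    if (quote !== null) {
      if (ch === quote) quote = null;
    } else if ((ch === '"' || ch === "'") && prev === '=') {
      quote = ch;
    } else if (ch === '>') {
      return i + 1;
    }
    prev = ch;
  }
  return html.length;
}

// Everything after the first tag with any tags stripped: roughly the text a
// browser would show, since stray <head> content is moved into the <body>.
function leakedText(html) {
  return html.slice(firstTagEnd(html)).replace(/<\/?[a-zA-Z][^>]*>/g, '');
}

// Constructed sample input: the same description used in the post.
const description = 'My name is "Terence <em>Eden</em>" what\'s yours?';

const broken = buildMeta('description', description, false);
const fixed = buildMeta('description', description, true);

console.log('leaked from broken tag:', JSON.stringify(leakedText(broken)));
console.log('leaked from fixed tag: ', JSON.stringify(leakedText(fixed)));
```

Run it with node and the broken tag yields exactly the fragment the post shows echoed into the page, while the escaped tag leaks nothing because the tokenizer never sees a closing quote until the real end of the attribute. Escaping on output is the fix; filtering a denylist of tags such as script on input is not, since any element that survives the filter still lands in the document.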


The John Lewis shop website had this problem. If you searched for lorem<em>ipsum you saw this: Text leaking into a website.

The server correctly encodes the text in:

<meta name="description" content="Search results for &quot;lorem<em>ipsum&quot; on John Lewis & Partners. Free delivery on orders over £50" />

But it incorrectly encoded it in the OpenGraph meta element: Broken meta element in HTML code.

The server is smart enough to filter out <script> content - so an attacker can't get it to echo malicious JavaScript. But it was possible to inject SVG content. This is similar to a disclosure I made last year to Three.co.uk.

Here's a basic circle injected into the page:

John Lewis Website with a big circle drawn on it.

With a well-crafted SVG, an attacker can perform a complete site takeover or other malicious activity. Because the search term is sent in the GET request, an attacker can send a malicious URL which looks like:

https://www.johnlewis.com/search?search-term=%22%3E%3Csvg%20xmlns...

Timeline

John Lewis doesn't have a security.txt available, and I couldn't find anything on their website about reporting security issues.

So I sent a Tweet. When that didn't get a response - presumably because it wasn't a complaint about a missing order - I asked my security buddies. They forwarded on a message. That's great for anyone well-connected, but not a long-term solution.

Eventually, Twitter customer service coughed up the security team's email, so I sent them a write-up on the 9th of January. I got back a generic and slightly dispiriting response:

A few days later, it was fixed. That's a pretty good response time! I understand that John Lewis will be working on a responsible disclosure programme - but until then, reporting via Twitter seems to be the best way to go.

