Break a regex-based HTML parser

Re: Break a regex-based HTML parser

p0deje — Thu, 09 Sep 2010 12:57:34 -0500

- Opera, IE

Re: Break a regex-based HTML parser

sirdarckcat — Sun, 24 Jan 2010 19:36:12 -0600

Well, two problems..

One is that our old IE6 supports 0 to none of DOM Level 3, and the other is that the bug appears when the code is transformed from DOM to String, if the user instead of doing document.write(cleanDOM.innerHTML) does document.documentElement.appendChild(cleanDOM), this bug would not happen.

I hate Gecko bugs :(

Re: Break a regex-based HTML parser

Gareth Heyes — Sun, 24 Jan 2010 09:04:18 -0600

@sirdarckcat

How about using the document fragments to checked the parsed html:-

https://developer.mozilla.org/En/DOM/Document.createDocumentFragment

Re: Break a regex-based HTML parser

sirdarckcat — Sun, 24 Jan 2010 07:32:22 -0600

niice!

o=new Option;o.innerHTML='javascript�:alert(1);';h=o.textContent;a=document.createElement('a');a.setAttribute('href',h);o.appendChild(a);a.appendChild(document.createTextNode('a'));a=o.innerHTML;o.innerHTML=a;o.childNodes[1].href.match(/t:/);

it's a bug on gecko transforming DOM to String :)

It's not the first one, I added one more thing to the regex to clean attributes, as well as a pre-parsing for href attributes.

That should cover similar bugs.. I'm thinking on how to solve problems like this long term, sadly I cant just do innerHTML+=''; browsers suck =/.

Thanks!!! :)

Re: Break a regex-based HTML parser

Gareth Heyes — Sat, 23 Jan 2010 16:20:38 -0600

Cool nice ones

Re: Break a regex-based HTML parser

Anonymous User — Sat, 23 Jan 2010 14:36:56 -0600

Nice one doody! I think that's valid :) It can even be obfuscated some more

click me

Re: Break a regex-based HTML parser

doody — Sat, 23 Jan 2010 13:13:30 -0600

Hi, first post here =). Hope this is valid:

click me

Re: Break a regex-based HTML parser

sirdarckcat — Tue, 12 Jan 2010 08:42:03 -0600

https://twitter.com/theharmonyguy/status/7666627119

Re: Break a regex-based HTML parser

rvdh — Fri, 27 Nov 2009 12:10:30 -0600

I wish that old maluc was still with us, he always got some crazy shit going on with vectors, talkin' about 4 years ago on sla.ckers.

Re: Break a regex-based HTML parser

sirdarckcat — Thu, 26 Nov 2009 12:06:57 -0600

nice :) I hate IE hahaha

thanks!! :D now I have to break jsreg again.. hahaha

Re: Break a regex-based HTML parser

Gareth Heyes — Thu, 26 Nov 2009 04:51:55 -0600

So my friend you tempted me on twitter and if you wanted to social engineer me into testing your HTML parser it worked :)

IE only:-
-->

Re: Break a regex-based HTML parser

sirdarckcat — Tue, 21 Jul 2009 22:18:49 -0500

Now Im using JSReg:
http://eaea.sirdarckcat.net/testhtml.html

So well! Im working (still) on the CSS parser.

I was going to be the one applying the attributes to the elements, but I discovered that that's waaaaaaaaaay to slow, even with algorithmic-fu stuff haha, it's been the most algorithmic challenge I've had since the olympics of informatics/acm, but its impossible to optimize, after reviewing the webkit/mozilla implementations their solutions are the same or with a bigger complexity, but my code lives in JS so its slower :( (and they also are slow on the same rules I have problems like nth children and alike).

Now I'll just filter the CSS (in a jsreg-alike approach), since the HTML parser for example was reconstructing the DOM and making it from scratch.

Re: Break a regex-based HTML parser

sirdarckcat — Thu, 16 Jul 2009 02:12:12 -0500

I think document.write protects against this, but this is completely empiric knowledge.

I will dissallow Content-Type in http-equiv then :), just to be sure

Greetz!!

Re: Break a regex-based HTML parser

Anonymous User — Wed, 15 Jul 2009 10:54:47 -0500



+ADw-script+AD4-alert(1)+ADw-/script+AD4-

Doesn't trigger an alert - but should work in other setups. I think changing the charset should be prohibited. Thoughts?

Re: Break a regex-based HTML parser

sirdarckcat — Wed, 15 Jul 2009 07:23:42 -0500

Quote

hello, world.

+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4-

hm.. why should it work? haha I do document.write() that ignores content-type metas afaik (this is a bug I will address when events are working perfectly, and that will happend when I manage to finish the CSS parser).

Quote

@sdc: Yes :) I was trying to say good work in my own words. the background gets stripped on only the browsers where it would be executed - Opera and IE.

oh!! thanks then haha :D

Quote

very nice gareth!! any particular reason to choose that char? fuzzing? do you have fuzz results? haha

Greetz!!

Re: Break a regex-based HTML parser

Gareth Heyes — Wed, 15 Jul 2009 05:15:26 -0500

Opera only vector:-

Repro's randomly in Opera

Re: Break a regex-based HTML parser

Anonymous User — Wed, 15 Jul 2009 04:16:37 -0500

@sdc: Yes :) I was trying to say good work in my own words. the background gets stripped on only the browsers where it would be executed - Opera and IE.

Re: Break a regex-based HTML parser

Gareth Heyes — Wed, 15 Jul 2009 04:11:46 -0500

Sorry I should have tested it, I thought the HTML decoder was removing the entities but I couldn't see the nulls etc in the source anyway this should work (without a parent charset):-

hello, world.

+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4-

Re: Break a regex-based HTML parser

sirdarckcat — Tue, 14 Jul 2009 21:09:16 -0500

@gareth
Thanks! but I cant reproduce, on which browser?

My tests:
On Firefox 3:
The requested URL /ï¿½jï¿½aï¿½vï¿½ascriptï¿½:alert(1) was not found on this server.

On IE8 and IETab:

Re: Break a regex-based HTML parser

Anonymous User — Tue, 14 Jul 2009 17:34:22 -0500





Works in FF, Chrome but not in Opera - well played!

Re: Break a regex-based HTML parser

Gareth Heyes — Tue, 14 Jul 2009 14:25:12 -0500

Break a regex-based HTML parser

sirdarckcat — Mon, 13 Jul 2009 20:59:10 -0500

Fast question, can you break it?
URL: http://eaea.sirdarckcat.net/testhtml.html

The objective is simple:

Quote

Find a valid HTML code that will be parsed incorrectly by the parser, AND/OR code that executes (if I forgot to remove some vector).

I will be removing basic JS execution vectors, anyway the CSS parser is not ready yet so I'll disable CSS completely. Also namespaces wont be allowed (no xul nor svg) and ns tags () will also be disabled for the time being.

frames wont be allowed (as well as embed/object/video/audio/etc..) and I think that's all :).

If you can execute JS let me know please :).

On IE I try to honor conditional comments, anyway I wont support them completely, since they are unsafe by default.

If you find some way to get HTML code where it shouldnt in weird scenarios you win!

I have to warn you that code like this:

hello

Since every time I find " in an attribute's name, I will delete all arguments in the tag for security reasons.

So this other code (it's important to note there's no closing " quote):

hello

Some may argue that's a vulnerability, but there's no safer way of treating unclosed quotes in attributes.

Other thing: I am only allowing ' and " as quotes (so, ` wont work).

So well, examples of bypasses I've found (and are now fixed):