Sla.ckers.org
XSS bypassing htmlspecialchars()
Posted by: Jcrusader
Date: August 20, 2006 11:52PM

Aside from the poor rendering of special HTML characters in IE, what other XSS vulnerabilities should I look for when preventing XSS that can easily bypass the htmlspecialchars() function in PHP?

And how can I detect, and prevent them?

Thanks in advance

Re: XSS bypassing htmlspecialchars()
Posted by: WhiteAcid
Date: August 21, 2006 03:57AM

If they are echoing straight onto the page, as in:
<span>$user_input</span>
Then that function should be enough. If they are echoing into an element's attribute, as in:
<span align="$user_input">foo</span>
Then use the ENT_QUOTES constant in the function's quote_style parameter and it should be safe. Other possibilities are that they echo into the style attribute, in which case that function won't help much, but simply removing all semi-colons should help. The only final thing I can think of is that they'd echo into JS code, which is just silly and I'm sure you'd never do that (but I have seen it done and be exploitable).

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSS bypassing htmlspecialchars()
Posted by: trix
Date: August 21, 2006 08:13AM

Hey WhiteAcid, how effective is that at preventing variable width encoding in UTF-8? You might want to leave your customers with an option to make "special" characters, which seems to circumvent getting out of the <span align="$user_input">foo</span>

trix

Re: XSS bypassing htmlspecialchars()
Posted by: WhiteAcid
Date: August 21, 2006 08:57AM

I'm not quite sure how this works with variable width encoding to be honest. I admit I didn't quite understand the article I read about it at securiteam.

If you are passing data into an element's attribute you should really either use switch case or very strict regular expressions. Back to the align attribute, only accept left, middle or right. For colours only accept /^#[0-9a-f]{3,6}$/ as well as other set strings (red, blue, green etc).

Back to variable width encoding. If someone could make a vuln php script showing what to inject to cause XSS that would help me, and others.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer
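The two WhiteAcid posts above (encode with ENT_QUOTES for text and quoted attributes, allow-list or strictly match values that land in align or style) as one added example, not code from the thread; the page charset, the function names and the sample inputs are assumptions made here:

```php
<?php
// Added example: pick the defence by output context.
// Assumes the page is served as UTF-8; inputs at the bottom are constructed test data.

// Text node or quoted attribute value: encode. ENT_QUOTES covers both " and '.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// align: the value set is tiny, so allow-list instead of encoding.
// (The post lists left/middle/right; 'center' is the HTML spelling, 'middle' is valign.)
function safe_align(string $s): string {
    $allowed = ['left', 'center', 'right'];
    return in_array(strtolower($s), $allowed, true) ? strtolower($s) : 'left';
}

// style colour: hex form or a fixed set of names. htmlspecialchars() would not help here
// because ; and ( are untouched by it. The post's {3,6} also admits 4- and 5-digit
// values, which are not CSS colours, so the alternation below is slightly tighter.
function safe_colour(string $s): string {
    $s = strtolower($s);
    $named = ['red', 'blue', 'green'];
    if (preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/', $s) || in_array($s, $named, true)) {
        return $s;
    }
    return '#000000';   // safe default when validation fails
}

function render(string $text, string $align, string $colour): string {
    return '<span align="' . safe_align($align)
         . '" style="color:' . safe_colour($colour) . '">'
         . esc_html($text) . '</span>';
}

// Constructed inputs: markup in the text, a quote in align, a semicolon in the colour.
echo render('<b>x</b> & "y"', 'left"', 'red; background:url(x)'), "\n";
// -> <span align="left" style="color:#000000">&lt;b&gt;x&lt;/b&gt; &amp; &quot;y&quot;</span>
echo render('ok', 'CENTER', '#0A0'), "\n";
// -> <span align="center" style="color:#0a0">ok</span>
```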

Re: XSS bypassing htmlspecialchars()
Posted by: rsnake
Date: August 21, 2006 10:00AM

WhiteAcid... just go to the demonstration page to see for yourself what we're talking about. http://ha.ckers.org/weird/variable-length.cgi Only the chars that combine with a quote turn that quote into another character. My explanation of it is here: http://ha.ckers.org/blog/20060817/variable-width-encoding/

I agree, I had to read it a half dozen times before I finally got it working (their demo code didn't work so I had to write my own to test).

Re: XSS bypassing htmlspecialchars()
Posted by: WhiteAcid
Date: August 21, 2006 11:04AM

Thanks for those links, I'll have to read it several times over later on too.

trix, to get back on topic, one solution is to not use a vulnerable charset; use the following table as reference:


I use:
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
I don't know why I've always used that, just have. Of course this isn't a feasible solution if you're aiming at a non-english audience.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSS bypassing htmlspecialchars()
Posted by: rsnake
Date: August 21, 2006 11:13AM

WhiteAcid, I know for a fact that that table is incorrect (and incomplete). If you limit yourself to low order ASCII (anywhere sub 180 in decimal looks okay) you should be fine though. Higher? Not so much. Here are two examples:

In GB2312 char 65299 (decimal) works (and lots of others).
In UTF-8 char 254 (decimal) does not work (actually it looks like most if not all don't work for 254).

Also, it should be noted that double quotes are not the only valid HTML parameter delimiter. You also must remember single quotes (yes they are vulnerable, I've already started testing) and grave accents in Internet Explorer (have not yet tested).

- RSnake
Gotta love it. http://ha.ckers.org


Re: XSS bypassing htmlspecialchars()
Posted by: WhiteAcid
Date: August 21, 2006 11:25AM

I copied the image from the securiteam article, so I'll just shift the blame to Cheng Peng Su who wrote that article :p

I still feel that sufficiently strict regexes should do the trick.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSS bypassing htmlspecialchars()
Posted by: rsnake
Date: August 21, 2006 11:45AM

Sure, or as someone suggested on the blog post, you can just make sure that you properly sanitize the input that is outside of the parameter as well, for an additional layer of security.

It's probably some measure of both actually. The regex like you mention to make sure you don't jump out of encapsulation, and the char conversion for the encapsulation to make sure that even if you do, the content you output is harmless - or more likely to be anyway. At this point, I think we've started to get to the point where this is as complex as the anti-virus community. There are enough variants that this is becoming super difficult to track, so I'm not going to say you'll be 100% safe - there's just too much out there.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS bypassing htmlspecialchars()
Posted by: trix
Date: August 21, 2006 11:54AM

There are definitely ways to bypass this, and you can't make anything 100% considering IE's extremely lax UTF-8 parsing rules. Also you have to allow your users the possibility of using different languages sometimes on social networking websites, so it does open up the possibility of attack.

trix

Re: XSS bypassing htmlspecialchars()
Posted by: rsnake
Date: August 21, 2006 12:00PM

Okay, so the real question in my mind, is how do we extract the HTML parser from Internet Explorer. This is probably best left for Internet Explorer 7.0 rather than 6.0. Understanding how the parser works is critical to uncovering a lot of these holes, and honestly, it's how I found a good chunk of what I found in Firefox too. Dinis Cruz said he could write hooks into .Net to fuzz, but I'm really thinking about how the actual rendering engine actually works.

I think fuzzing uncovers a certain percentage of things, but without knowing what to look for it's pretty difficult to uncover all of them.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS bypassing htmlspecialchars()
Posted by: trix
Date: August 21, 2006 01:59PM

Yea RSnake, that is precisely the point I am trying to make. Just curious, how did you figure out how Firefox's HTML parser worked?

Re: XSS bypassing htmlspecialchars()
Posted by: rsnake
Date: August 21, 2006 03:04PM

Heh, the old fashioned way. I read the source code: http://developer.mozilla.org/en/docs/Download_Mozilla_Source_Code

Ugly, I know, but it gave me huge insights into what we're dealing with.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS bypassing htmlspecialchars()
Posted by: rsnake
Date: August 25, 2006 12:49PM

I've been chatting with Cheng Peng Su about the variable width encoding stuff, and I'll probably help him re-write his paper. In the meantime he made a correction to my code and now I actually can get GB2312 to render ASCII char FE. I also added a lot of other encoding methods so you can see what we're working on as well:

http://ha.ckers.org/weird/variable-width-encoding.cgi

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS bypassing htmlspecialchars()
Posted by: shiflett
Date: August 27, 2006 01:46PM

Regarding the original question, you want to make sure that you're using the right character encoding. If you use htmlentities() or htmlspecialchars() without indicating the character encoding, they're going to use ISO-8859-1. If the browser thinks the content's character encoding is something else, XSS is still possible, as this example demonstrates:

http://shiflett.org/archive/178


Re: XSS bypassing htmlspecialchars()
Date: August 31, 2006 07:06PM

htmlspecialchars() just by itself isn't enough. There are two other things you must do:

1. Ensure that the input is well-formed in whatever character encoding it is. A good way to fix this is to do iconv($encoding, $encoding . '//IGNORE', $str);
2. Remove non-SGML codepoints from the output: these are code points 0-31 and 127-159.

Re: XSS bypassing htmlspecialchars()
Posted by: rsnake
Date: August 31, 2006 10:27PM

You probably want all the way to 255 given the US-ASCII variable-width encoding stuff, but I think this is not far off.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS bypassing htmlspecialchars()
Date: September 01, 2006 10:43AM

Code points not bytes.

That means for 158, I wouldn't be strtr'ing "\x9E", I'd be doing it to "\xC2\x9E" (the UTF-8 encoding of that code point), because \x9E could show up in a legit multibyte character encoding.

Of course, this means that you can't do this checking until you're sure you've got a well-formed UTF-8 string.
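The three points made in shiflett's post and the two anonymous posts above (state the charset explicitly, force a well-formed string first, then strip the non-SGML code points by code point rather than by byte) as one added example, not code from the thread; UTF-8 as the page charset, the function names and the sample bytes are assumptions made here:

```php
<?php
// Added example: output filter in the order the thread arrives at.
// Assumes the page is served as UTF-8; the byte strings at the bottom are constructed.

// 1. Well-formedness. iconv //IGNORE drops byte sequences that are not valid UTF-8,
//    as the post suggests; mb_scrub() is the fallback if the iconv build refuses.
function to_well_formed_utf8(string $s): string {
    $out = @iconv('UTF-8', 'UTF-8//IGNORE', $s);
    return $out === false ? mb_scrub($s, 'UTF-8') : $out;
}

// 2. Non-SGML code points 0-31 and 127-159, matched with /u so the ranges are code
//    points: U+009E is removed as the two bytes C2 9E, while a lone 9E byte inside a
//    legitimate multibyte character is left alone. Tab, LF and CR are kept because HTML
//    allows them; drop \x{09}\x{0A}\x{0D} from the exclusions to remove those as well.
function strip_non_sgml(string $s): string {
    return preg_replace('/[\x{00}-\x{08}\x{0B}\x{0C}\x{0E}-\x{1F}\x{7F}-\x{9F}]/u', '', $s);
}

// 3. Encode, naming the charset. Without the third argument older htmlspecialchars()
//    assumes ISO-8859-1, which is the mismatch shiflett's post warns about.
function safe_output(string $s): string {
    $s = strip_non_sgml(to_well_formed_utf8($s));
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The declared charset and the one passed to htmlspecialchars() must agree.
header('Content-Type: text/html; charset=UTF-8');

$samples = [
    "\xC3\"<b>",        // truncated lead byte followed by a quote
    "ab\xC2\x9Ecd",     // U+009E as a proper two-byte sequence
    "caf\xC3\xA9 's'",  // valid UTF-8 that must survive untouched (apart from quotes)
];
foreach ($samples as $in) {
    echo bin2hex($in), ' => ', safe_output($in), "\n";
}
// -> c3223c623e => &quot;&lt;b&gt;
// -> 6162c29e6364 => abcd
// -> 636166c3a9202773 27 => café &#039;s&#039;
```

Step 2 only runs after step 1 on purpose: on a string that is not yet well-formed the /u pattern fails and preg_replace() returns null, which is the same ordering the post above insists on.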

Re: XSS bypassing htmlspecialchars()
Posted by: rsnake
Date: September 01, 2006 12:16PM

Ahhh, sorry, I misunderstood. So translate it to the proper encoding first, and then deal with it at that point. I'm still not big on the idea of removing or translating anything as a general concept - it just feels very unsafe. But it seems to have worked for you here: http://sla.ckers.org/forum/read.php?13,371

- RSnake
Gotta love it. http://ha.ckers.org
