return of the xss jedi

Download Return of the XSS Jedi

Post on 01-Dec-2014




7 download

Embed Size (px)


A Review and XSS and Introduction to DOM based XSS


5 XSS CONTEXTS (HTML PARSER)HTML URL CSS HTML Attribute JavaScript (Event Handler Attributes and in between tags)

DOM BASED XSS (JAVASCRIPT PARSER)JavaScript can access/modify any of the HTML elements and attributes of elements displayed on the page in all of the contexts described on the previous slide. DOM based XSS also includes other JS functions which execute arbitrary code which can be problematic.

HTML CONTEXTA HTML context is output which is usually rendered in between HTML markup tags ( tags in this example). Another way of understanding the HTML context is the displayed text (content) in the page. Name:${} Adress: City: State:

Use a level of indirection to mitigate.

HTML ATTRIBUTE CONTEXTThe HTML tag attribute context consists of user data output in any HTML tag attributes. However there is some discerning that needs to take place here because HTML tag attributes can be in different contexts. For example the STYLE attribute of an HTML tag defining a CSS context, URL based attributes (src, background, and href) defining URL based contexts, JavaScript event handlers attributes of HTML tags (onLoad,onClick, on*) defining JavaScript contexts, and the remaining attributes which do not fall in this category (name, value, type, etc.) constituting general HTML attributes.

The following are considered HTML contexts:

If the tags do not use quotes to delimit attributes then space and other non-alphanumeric characters can be used to delimit attributes in the tag.

The attacker can pass in Input onclick=attackCode() to produce:

Use HTML Attribute Encoding to mitigate


The JavaScript (JS) context occurs where text is parsed by the JavaScript parser and executed. The JS context occurs in JS event handler attributes and in between tags. JavaScript event handler attributes are HTML tag attributes which handle certain user events including clicks, mouse movement, focus, blur, etc. The attributes are easily identified because they start with on. Remember that text within JS event handlers is raw JS code. The main problem with JavaScript event handler attributes is they are HTMLunescaped (at execution time) before they are passed to the JS interpreter. So if you use HTML output entity encoding to mitigate input data you will be disappointed because malicious_code() will still execute. Some Text


1. If the string literal will eventually end up in HTML you will need to HTML encode the string. 2. Ensure that the string literal or the string from step 1 above is JavaScript-escaped using a function which properly escapes dangerous JavaScript characters (example: when escaping a double quote the output value should be \x22 instead of \. The HTML parser will run before the JavaScript parser allowing the \ to close out the attribute and add other attributes with malicious code inside them.) 3. Make certain that the string literal is enclosed in single quotes 4. Make sure that the surrounding attribute value is enclosed in double quotesMitigated example (assuming user input will end up in an HTML component):

These steps are for older browsers:

JS CONTEXT (IN BETWEEN TAGS) AKA DOM BASED XSSBecause JavaScript can access/modify any of the previous contexts that we discussed, the 5 contexts will exist as sub-contexts within the JavaScript context. However there are also methods/functions which are inherently dangerous because they will execute any string passed to it as code. HTML 5 has introduced additional points of interest


This context in JavaScript code highlights functions which output text to the browser as HTML.element.innerHTML = Tags and markup; element.outerHTML = Tags and markup; document.write( Tags and markup); document.writeln( Tags and markup);element.innerHTML = ; element.outerHTML = ; document.write(); document.writeln();

Since the output is going to HTML you need to HTML encode. Because you are in a JS execution context you need to JS encode to avoid escaping out of the JS quotes.


Remember that any attribute which takes a url falls into this category (background-image, src, location, etc.).var x = document.createElement(a); x.setAttribute(href, ); var y = document.createTextElement(Click Me To Test); x.appendChild(y); document.body.appendChild(x); var x = document.createElement(a); x.href = ; var y = document.createTextElement(Click Me To Test); x.appendChild(y); document.body.appendChild(x); Because the parser which is parsing the code is the JS parser (vs the HTML parser), the reverse encoding rules are different. The colon rule (url encoding the colon)still holds true however, HTML encoding does not get reverse encoded. In addition, JS encoding does not stop a javascript: based attack. JS encoding only is used to prevent the attacker from injecting up (escaping out of the quotes).

DOM XSS IN URL SUB-CONTEXT (TESTS)//HTML encoding everything including ": does not work This would have worked in an HTML rendering context var s = "javascript:alert( 31;23)" //URL encoding everything does not work (colon rule) var s = "%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%31%32%33%29"; //This works where "javascript:" is not encoded. var s = "javascript:%61%6C%65%72%74%28%31%32%33%29%0A"; //This does not work but would have worked in an HTML rendering context var s = "javascript:alert(123)" //This works var s = "javascript:\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0029"; //JavaScript encoding everything works as well var s = "\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0 028\u0031\u0032\u0033\u0029" var link = document.createElement("a"); //link.setAttribute("href", s); link.href = s; var text = document.createTextNode("Click Me") link.appendChild(text); document.body.appendChild(link);


Remember that any attribute which sets a CSS attribute will fall into this category. Most of the expression functionality has been deactivated after IE6.document.body.runtimeStyle.cssText = '1:expression(alert(123))

Most exploits are related to setting URL attributes on style objects //DNW = "javascript:alert(999)"; //WORKED IE6 = "url(javascript:alert(999))"; //WORKED IE6 = "url(vbscript:Alert(99))"; //WORKED IE6 document.body.background = "javascript:alert(999)" //WORKED IE6 document.body.background = "vbscript:Alert(99)"; //WORKED IE6 var e = document.createElement("table"); //WORKED IE6 e.setAttribute("background", "javascript:alert('Background')"); //WORKED IE6 var e = document.createElement("table"); //WORKED IE6 e.setAttribute("background", "vbscript:Alert(3333)"); //var e = document.createElement("div"); //The below 4 do not work in IE6 //e.setAttribute("style", "backgroundImage:url(javascript:alert('dynamic DIV'))"); //e.setAttribute("style", "background-image:url(javascript:alert('dynamic DIV'))"); //e.setAttribute("style", "backgroundimage:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\007 2\0074\0028.1027\0058.1053\0053\0027\0029'\0029"); // = "backgroundImage: url(javascript:alert('999'))";//Both of the below do NOT work // = "expression(alert(1111))"; //e.setAttribute("style", "width:expression(alert(89898))"); //var e = document.createElement("xss"); //DNW e.setAttribute("style", "xss:expression(alert('XSS'))"); //DNW = "expression(alert('XSS'))"; //DNW = "expression(alert(1111))";


Because the HTML attribute contexts inherently includes attributes which are not defined in URL, CSS, and event handler contexts their exploitability is limited. The one major exception is when setting the text node or attribute of a inherently dangerous tag (, , etc.).

/*Works in FF3.6 but not in IE8 */ var s = document.createElement("script"); var t = document.createTextNode("alert('textNode')"); s.appendChild(t); document.body.appendChild(s);

document.scripts[1].text = "alert('scripts[1]')";

DOM XSS IN HTML ATTRIBUTE SUB-CONTEXT (TESTS)//HTML Attribute Context //Input is "javascript:alert(123)" //HTML encoding everything including ": does not work" //var s = "javascript:alert( 31;23)" //URL encoding everything does not work //var s = "%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%31%32%33%29"; //This does not work where "javascript:" is not encoded. //var s = "javascript:%61%6C%65%72%74%28%31%32%33%29%0A"; //This does not work //var s = "javascript:alert(123)" //This does not work //var s = "javascript:\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0029"; //JavaScript encoding everything does not work as well //Does not work //var s = "\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0 028\u0031\u0032\u0033\u0029" //Injecting does not work //var s = "alert(123)//"; /* var inp = document.createElement("input"); inp.setAttribute("value", s); var form1 = document.forms[0]; form1.appendChild(inp);


Remember that any attribute which is an event handler method falls into this category (onload, onclick, etc.). You will typically see it in one or more of the following ways.// alert(123) is JavaScript encoded in red below var s = "\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0029 var inp = document.createElement("input"); inp.setAttribute("onclick", s); // element.setAttribute() will co