WebApp Sec mailing list archives

Script Tag Breakout

From: "Nick Von Dadelszen" <nvondad () gmail com>
Date: Wed, 22 Oct 2008 19:34:57 +1300

That makes sense from a parsing flow.  Problem is that not many coders
I've seen think about this, and I hadn't seen it documented anywhere
so worth a discussion at least.

On Wed, Oct 22, 2008 at 6:38 AM, Stefano Di Paola
<stefano.dipaola () mindedsecurity com> wrote:

The problem is that you have to think to the parsing flow.

1. Html parser: extracts tag then
2. Every script tag textContent is passed to the Js Parser then
3. Every style tag textContent is passed to the Css Parser then
4. Every <put your non Html Language Tag Here>  tag textContent is
passed to the <put your non Html Language Tag Here> Parser then ...

About the issue, yes it's known, and that's why web devs use patterns
like:

<script>
 a="<scr"+"ipt>blah<scr"+"ipt>"
</script>

When they need a script tag in a string constant.

Oh and just to enforce the thesis, the same happens when using inline
styles:

<style>
o{
 content: "</style>";

}
blah {content: url(aurl)}
</style>

The only way is to use the script src/link href loaders
that will treat the strings out of html context.

So no fix here, sorry :)

Cheers,
Stefano

Il giorno mar, 21/10/2008 alle 11.36 -0400, Auri Rahimzadeh ha scritto:

Yeah, but the hole is still there. True, it's bad programming practice. BUT:
There's no good reason for a modern browser to allow code execution from
within a string assignment. Yeah, I can see *why* it does it, but shouldn't
have this been mitigated long ago?

Best,

-Auri Rahimzadeh

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Taufiq Ali
Sent: Tuesday, October 21, 2008 1:41 AM
To: Nick Von Dadelszen
Cc: webappsec () securityfocus com
Subject: Re: Script Tag Breakout

Hey Nick,

This is is very much there & there lot of grease monkey (Firefox addon)
scripts that do the same. However if the website uses javascript for
getting rid of the meta characters then its poor design as this can very
much be bypasses using a application proxies like paros, webscrab, burp
suite etc. So once the script verifies the code they can be then
captured in above mentioned proxies & manipulated. What you just
mentioned will work with websites that use javascript to filter out
their meta characters.

Taufiq

-------- Original Message --------
Subject: Script Tag Breakout
From: Nick Von Dadelszen <nvondad () gmail com>
To: webappsec () securityfocus com
Date: 10/20/2008 7:04 AM

ey all,

Not sure if this is a known issue or not but thought I would share.
Its not a common situation to occur but I've used it a couple of times
in the last couple of years while testing apps.

-- Description --
Able to break out of a string variable without using quotes through
the use of a </script> tag.

For example, if the code of a page does the following:
<script>
somestring = "[your querystring here]";
</script>

You would normally break out of this with the following
querystring=";[code here]

If the code checks for a double or single quote and removes it, you
cannot normally break out of this code.  However, you are able to
close the current script tag, even from within a string variable.  So,
the following two breakouts work:
querystring=</script>[HTML here]
querystring=</script><script>[javascript here]</script>

The resulting code looks something like the following:
<html>
<body>
<h1>Script Tag Breakout PoC</h1>
<script>
string = "</script><h1>Parsed HTML Code Here</h1><!--";
</script>
</body>
</html>

Or:
<html>
<body>
<h1>Script Tag Breakout PoC</h1>
<script>
string = "</script><script>alert(document.location);</script>";
</script>
</body>
</html>

In the above HTML, the javascript alert function is called regardless
of it being contained within a string variable.

-- Tested Browsers --
All version of IE and Firefox up to and including IE 7 and firefox 3.

---------------------------------------------------------
Nick von Dadelszen
Lateral Security
www.lateralsecurity.com
---------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web

application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper
today!


https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper
today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What 
tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

--
Stefano Di Paola
Chief Technology Officer, Lead Auditor ISO 27001
Minded Security - Application Security Consulting

Cell: +39 3209495590
Email: stefano.dipaola [at] mindedsecurity.com

Minded Security S.r.l.
Via Duca D'Aosta, n.20 50129 Firenze (FI)
www.mindedsecurity.com

_________________________________________________________________________________________________

Pay attention, this email is confidential. If you are not authorized,
or if you have received this message by mistake,please not read,
use or spread any piece of the information above.

Current thread:

Script Tag Breakout Nick Von Dadelszen (Oct 19)
- RE: Script Tag Breakout PortSwigger (Oct 20)
- Classic ASP security course at OWASP summit Calderon, Juan Carlos (GE, Corporate, consultant) (Oct 20)
- Re: Script Tag Breakout Taufiq Ali (Oct 21)
  - RE: Script Tag Breakout Auri Rahimzadeh (Oct 21)
    - RE: Script Tag Breakout Stefano Di Paola (Oct 21)
    - Message not available
    - Message not available
    - Script Tag Breakout Nick Von Dadelszen (Oct 21)
    - FINAL NOTICE: OWASP Portugal EU Summit Dave Wichers (Oct 27)