WebApp Sec mailing list archives
Script Tag Breakout
From: "Nick Von Dadelszen" <nvondad () gmail com>
Date: Wed, 22 Oct 2008 19:34:57 +1300
That makes sense from a parsing flow. Problem is that not many coders I've seen think about this, and I hadn't seen it documented anywhere, so worth a discussion at least.

On Wed, Oct 22, 2008 at 6:38 AM, Stefano Di Paola <stefano.dipaola () mindedsecurity com> wrote:

The problem is that you have to think of the parsing flow.

1. Html parser: extracts tag, then
2. Every script tag textContent is passed to the Js parser, then
3. Every style tag textContent is passed to the Css parser, then
4. Every <put your non Html Language Tag Here> tag textContent is passed to the <put your non Html Language Tag Here> parser, then
...

About the issue, yes it's known, and that's why web devs use patterns like:

<script>
a="<scr"+"ipt>blah<scr"+"ipt>"
</script>

when they need a script tag in a string constant.

Oh, and just to enforce the thesis, the same happens when using inline styles:

<style>
o{ content: "</style>"; }
blah {content: url(aurl)}
</style>

The only way is to use the script src / link href loaders that will treat the strings out of html context.

So no fix here, sorry :)

Cheers,
Stefano

On Tue, 21/10/2008 at 11.36 -0400, Auri Rahimzadeh wrote:

Yeah, but the hole is still there. True, it's bad programming practice. BUT: there's no good reason for a modern browser to allow code execution from within a string assignment. Yeah, I can see *why* it does it, but shouldn't this have been mitigated long ago?

Best,
-Auri Rahimzadeh

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Taufiq Ali
Sent: Tuesday, October 21, 2008 1:41 AM
To: Nick Von Dadelszen
Cc: webappsec () securityfocus com
Subject: Re: Script Tag Breakout

Hey Nick,

This is very much there, and there are a lot of Greasemonkey (Firefox addon) scripts that do the same. However, if the website uses javascript for getting rid of the meta characters then it's poor design, as this can very much be bypassed using application proxies like Paros, WebScarab, Burp Suite etc. So once the script verifies the code, it can then be captured in the above mentioned proxies and manipulated. What you just mentioned will work with websites that use javascript to filter out their meta characters.

Taufiq

-------- Original Message --------
Subject: Script Tag Breakout
From: Nick Von Dadelszen <nvondad () gmail com>
To: webappsec () securityfocus com
Date: 10/20/2008 7:04 AM

Hey all,

Not sure if this is a known issue or not, but thought I would share. It's not a common situation to occur, but I've used it a couple of times in the last couple of years while testing apps.

-- Description --

Able to break out of a string variable without using quotes through the use of a </script> tag. For example, if the code of a page does the following:

<script>
somestring = "[your querystring here]";
</script>

You would normally break out of this with the following:

querystring=";[code here]

If the code checks for a double or single quote and removes it, you cannot normally break out of this code. However, you are able to close the current script tag, even from within a string variable. So, the following two breakouts work:

querystring=</script>[HTML here]
querystring=</script><script>[javascript here]</script>

The resulting code looks something like the following:

<html>
<body>
<h1>Script Tag Breakout PoC</h1>
<script>
string = "</script><h1>Parsed HTML Code Here</h1><!--";
</script>
</body>
</html>

Or:

<html>
<body>
<h1>Script Tag Breakout PoC</h1>
<script>
string = "</script><script>alert(document.location);</script>";
</script>
</body>
</html>

In the above HTML, the javascript alert function is called regardless of it being contained within a string variable.

-- Tested Browsers --

All versions of IE and Firefox up to and including IE 7 and Firefox 3.
---------------------------------------------------------
Nick von Dadelszen
Lateral Security
www.lateralsecurity.com
---------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
---------------------------------------------------------------------------
Stefano Di Paola
Chief Technology Officer, Lead Auditor ISO 27001
Minded Security - Application Security Consulting
Cell: +39 3209495590
Email: stefano.dipaola [at] mindedsecurity.com
Minded Security S.r.l.
Via Duca D'Aosta, n.20
50129 Firenze (FI)
www.mindedsecurity.com
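The following is an added example, not code from any message in this thread. It is a small Node.js model of the parsing flow Stefano describes and the breakout Nick demonstrates: the HTML tokenizer, not the JS engine, decides where a <script> element's text ends, so a "</script>" inside a JS string literal closes the element. The model scans for "</script" (ASCII case-insensitive) followed by whitespace, "/" or ">", which is the rule the HTML tokenizer applies to script data; it deliberately ignores the tokenizer's "<!--" escaped states, which only matter when the script text itself contains "<!--". The vulnerable template strips only quotes, as in the original post. The hardened template (an assumption about how a fix would be written, not the thread's) JSON-encodes the value and escapes "<" as \u003c, a stricter form of the "<scr"+"ipt>" concatenation trick Stefano mentions: the JS engine decodes \u003c back to "<", the HTML tokenizer does not. The attacker input is constructed for the example.

```javascript
// Added example (not from the thread): model of how the HTML tokenizer ends a
// <script> element, the quote-stripping template from the post, and a hardened
// template that keeps "</script" out of the emitted script text.

// Index at which the tokenizer ends the script element's text, scanning from
// startIdx: the first "</script" (ASCII case-insensitive) followed by
// whitespace, "/" or ">". Simplification: "<!--" escaped states are ignored.
function scriptTextEnd(html, startIdx) {
  const lower = html.toLowerCase();
  let i = startIdx;
  for (;;) {
    const j = lower.indexOf('</script', i);
    if (j === -1) return html.length;
    const next = lower[j + '</script'.length];
    if (next === undefined || /[\s\/>]/.test(next)) return j;
    i = j + 1; // "</scripts" etc. does not close the element; keep scanning
  }
}

// Split a document at its first <script> element: the text the JS engine
// receives, and what the HTML parser keeps parsing after the element closes.
function splitAtScriptClose(html) {
  const open = html.indexOf('<script>');
  if (open === -1) throw new Error('no <script> element in input');
  const bodyStart = open + '<script>'.length;
  const end = scriptTextEnd(html, bodyStart);
  return { scriptBody: html.slice(bodyStart, end), remainder: html.slice(end) };
}

// The vulnerable template from the original post: only quotes are removed.
function renderVulnerable(userInput) {
  const filtered = userInput.replace(/["']/g, '');
  return `<script>\nvar somestring = "${filtered}";\n</script>`;
}

// Hardened (assumed fix, not the thread's): JSON-encode and escape "<" as
// \u003c so the emitted script text can never contain "</script" or "<!--".
// U+2028/2029 are escaped too, since older engines treat them as line breaks.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(userInput) {
  return `<script>\nvar somestring = ${jsStringLiteral(userInput)};\n</script>`;
}

// Stand-in for the browser's JS engine: evaluate the script body on its own
// and return what somestring holds, or the error the engine would raise.
function evalScriptBody(scriptBody) {
  try {
    return new Function(scriptBody + '\nreturn somestring;')();
  } catch (e) {
    return 'JS error: ' + e.message;
  }
}

// Constructed attacker input; it contains no quotes, so the filter lets it through.
const payload = '</script><script>alert(document.location)</script>';

const vuln = splitAtScriptClose(renderVulnerable(payload));
console.log('vulnerable script body:', JSON.stringify(vuln.scriptBody));
console.log('vulnerable remainder  :', JSON.stringify(vuln.remainder));
console.log('vulnerable body eval  :', evalScriptBody(vuln.scriptBody));

const safe = splitAtScriptClose(renderHardened(payload));
console.log('hardened script body  :', JSON.stringify(safe.scriptBody));
console.log('hardened remainder    :', JSON.stringify(safe.remainder));
console.log('hardened body eval    :', evalScriptBody(safe.scriptBody));
```

Run with node: in the vulnerable case the first script body is the truncated, unparseable fragment `var somestring = "`, and the remainder that the HTML parser sees begins with the attacker's `</script><script>alert(...)`, which is exactly why the alert fires despite living inside a string. In the hardened case the remainder is just the page's own `</script>` and the script body still evaluates to the original payload string.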
Current thread:
- Script Tag Breakout Nick Von Dadelszen (Oct 19)
- RE: Script Tag Breakout PortSwigger (Oct 20)
- Classic ASP security course at OWASP summit Calderon, Juan Carlos (GE, Corporate, consultant) (Oct 20)
- Re: Script Tag Breakout Taufiq Ali (Oct 21)
- RE: Script Tag Breakout Auri Rahimzadeh (Oct 21)
- RE: Script Tag Breakout Stefano Di Paola (Oct 21)
- Message not available
- Message not available
- Script Tag Breakout Nick Von Dadelszen (Oct 21)
- FINAL NOTICE: OWASP Portugal EU Summit Dave Wichers (Oct 27)
- RE: Script Tag Breakout Auri Rahimzadeh (Oct 21)