webappsec@securityfocus.com

Script Tag Breakout

Subject: Script Tag Breakout
From: "Nick Von Dadelszen"
Date: Wed, 22 Oct 2008 19:34:57 +1300
That makes sense from a parsing flow.  Problem is that not many coders
I've seen think about this, and I hadn't seen it documented anywhere,
so it's worth a discussion at least.

On Wed, Oct 22, 2008 at 6:38 AM, Stefano Di Paola
<stefano.dipaola@xxxxxxxxxxxxxxxxxx> wrote:
> The problem is that you have to think about the parsing flow.
>
> 1. Html parser: extracts tag then
> 2. Every script tag textContent is passed to the Js Parser then
> 3. Every style tag textContent is passed to the Css Parser then
> 4. Every <put your non Html Language Tag Here>  tag textContent is
> passed to the <put your non Html Language Tag Here> Parser then ...
>
> About the issue, yes it's known, and that's why web devs use patterns
> like:
>
> <script>
>  a="<scr"+"ipt>blah<scr"+"ipt>"
> </script>
>
> When they need a script tag in a string constant.
>
> Oh and just to reinforce the thesis, the same happens when using inline
> styles:
>
> <style>
> o{
>  content: "</style>";
>
> }
> blah {content: url(aurl)}
> </style>
>
> The only way is to use the script src/link href loaders
> that will treat the strings out of html context.
>
> So no fix here, sorry :)
>
> Cheers,
> Stefano
>
> Il giorno mar, 21/10/2008 alle 11.36 -0400, Auri Rahimzadeh ha scritto:
>> Yeah, but the hole is still there. True, it's bad programming practice. BUT:
>> There's no good reason for a modern browser to allow code execution from
>> within a string assignment. Yeah, I can see *why* it does it, but shouldn't
>> this have been mitigated long ago?
>>
>> Best,
>>
>> -Auri Rahimzadeh
>>
>> -----Original Message-----
>> From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
>> Behalf Of Taufiq Ali
>> Sent: Tuesday, October 21, 2008 1:41 AM
>> To: Nick Von Dadelszen
>> Cc: webappsec@xxxxxxxxxxxxxxxxx
>> Subject: Re: Script Tag Breakout
>>
>> Hey Nick,
>>
>> This is very much there & there are a lot of Greasemonkey (Firefox addon)
>> scripts that do the same. However, if the website uses JavaScript for
>> getting rid of the meta characters then it's poor design, as this can very
>> much be bypassed using application proxies like Paros, WebScarab, Burp
>> Suite etc. So once the script verifies the code they can then be
>> captured in the above-mentioned proxies & manipulated. What you just
>> mentioned will work with websites that use JavaScript to filter out
>> their meta characters.
>>
>> Taufiq
>>
>> -------- Original Message --------
>> Subject: Script Tag Breakout
>> From: Nick Von Dadelszen <nvondad@xxxxxxxxx>
>> To: webappsec@xxxxxxxxxxxxxxxxx
>> Date: 10/20/2008 7:04 AM
>>
>> > Hey all,
>> >
>> > Not sure if this is a known issue or not but thought I would share.
>> > It's not a common situation to occur but I've used it a couple of times
>> > in the last couple of years while testing apps.
>> >
>> > -- Description --
>> > Able to break out of a string variable without using quotes through
>> > the use of a </script> tag.
>> >
>> > For example, if the code of a page does the following:
>> > <script>
>> > somestring = "[your querystring here]";
>> > </script>
>> >
>> > You would normally break out of this with the following
>> > querystring=";[code here]
>> >
>> > If the code checks for a double or single quote and removes it, you
>> > cannot normally break out of this code.  However, you are able to
>> > close the current script tag, even from within a string variable.  So,
>> > the following two breakouts work:
>> > querystring=</script>[HTML here]
>> > querystring=</script><script>[javascript here]</script>
>> >
>> > The resulting code looks something like the following:
>> > <html>
>> > <body>
>> > <h1>Script Tag Breakout PoC</h1>
>> > <script>
>> > string = "</script><h1>Parsed HTML Code Here</h1><!--";
>> > </script>
>> > </body>
>> > </html>
>> >
>> > Or:
>> > <html>
>> > <body>
>> > <h1>Script Tag Breakout PoC</h1>
>> > <script>
>> > string = "</script><script>alert(document.location);</script>";
>> > </script>
>> > </body>
>> > </html>
>> >
>> > In the above HTML, the javascript alert function is called regardless
>> > of it being contained within a string variable.
>> >
>> > -- Tested Browsers --
>> > All versions of IE and Firefox up to and including IE 7 and Firefox 3.
>> >
>> > ---------------------------------------------------------
>> > Nick von Dadelszen
>> > Lateral Security
>> > www.lateralsecurity.com
>> > ---------------------------------------------------------
>> >
>> > -------------------------------------------------------------------------
>> > Sponsored by: Watchfire
>> > Methodologies & Tools for Web Application Security Assessment
>> > With the rapid rise in the number and types of security threats, web
>> > application security assessments should be considered a crucial phase in the
>> > development of any web application. What methodology should be followed?
>> > What tools can accelerate the assessment process? Download this Whitepaper
>> > today!
>> >
>> > https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
>> > -------------------------------------------------------------------------
>> >
>> >
>>
>>
>>
>>
>>
>>
>>
> --
> Stefano Di Paola
> Chief Technology Officer, Lead Auditor ISO 27001
> Minded Security - Application Security Consulting
>
> Cell: +39 3209495590
> Email: stefano.dipaola [at] mindedsecurity.com
>
> Minded Security S.r.l.
> Via Duca D'Aosta, n.20 50129 Firenze (FI)
> www.mindedsecurity.com
>
> _________________________________________________________________________________________________
>
> Pay attention, this email is confidential. If you are not authorized,
> or if you have received this message by mistake, please do not read,
> use or spread any piece of the information above.
>
>
>
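The following is an added example, not code from anyone in this thread. It models the parsing flow Stefano describes and the breakout Nick reports: the HTML tokenizer carves out the content of a <script> or <style> element before any JavaScript or CSS parser runs, and while doing so it looks only for "</script" or "</style" (any case) followed by whitespace, "/" or ">". JavaScript quotes mean nothing to it, so a filter that strips quotes still lets "</script>" end the element. The tokenizer model below is a deliberate simplification (it does not implement the "<!--" escaped states or HTML comments), and the jsStringLiteral encoder is my own hardened version of the template from the original post, not something the thread proposes: it JSON-encodes the value and then hex-escapes "<", ">" and "&" so the literal can never contain "<". That is the systematic form of the "<scr"+"ipt>" concatenation trick Stefano mentions. The sample inputs are constructed from the two snippets posted in the thread.

```javascript
// Added example (not from the thread). Models why "</script>" inside a JS
// string literal still terminates the <script> element, and shows a
// hardened encoder that prevents it.

// Minimal model of the HTML5 "raw text" / "script data" tokenizer states.
// Returns the body of every <tagName> element as the HTML parser sees it:
// the body ends at the first "</tagName" (any case) followed by whitespace,
// "/" or ">". Simplification: no handling of "<!--" or HTML comments.
function rawTextBodies(html, tagName) {
  const bodies = [];
  const open = new RegExp('<' + tagName + '(?=[\\s/>])[^>]*>', 'gi');
  const close = new RegExp('</' + tagName + '(?=[\\s/>])', 'gi');
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = open.lastIndex;
    close.lastIndex = start;
    const c = close.exec(html);
    const end = c ? c.index : html.length;   // unterminated: runs to EOF
    bodies.push(html.slice(start, end));
    // Resume looking for the next start tag after the end tag.
    open.lastIndex = c ? close.lastIndex : html.length;
  }
  return bodies;
}

// The weak filter from the original post's scenario: removes quotes only.
function stripQuotes(value) {
  return String(value).replace(/["']/g, '');
}

// Hardened encoder (my own, assumed for this example): JSON-encode, then
// hex-escape the characters that matter to the HTML parser inside script
// data ("<", ">", "&") plus the two Unicode line terminators that older JS
// engines reject inside string literals. The result is a valid JS string
// literal and valid JSON, and it can never contain "<".
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The page template from the original post, rendered both ways.
function renderWeak(query) {
  return '<script>\nsomestring = "' + stripQuotes(query) + '";\n</script>';
}
function renderHardened(query) {
  return '<script>\nsomestring = ' + jsStringLiteral(query) + ';\n</script>';
}

// Constructed attacker input, taken from the second PoC in the original post.
const BREAKOUT = '</script><script>alert(document.location);</script>';

// Constructed from Stefano's CSS snippet: the CSS string is irrelevant to the
// HTML tokenizer, so the "</style>" inside it ends the element.
const CSS_PAGE =
  '<style>\no{\n content: "</style>";\n\n}\nblah {content: url(aurl)}\n</style>';

// Runs both renderings through the tokenizer model and reports what the
// JS / CSS engines would actually receive.
function demo() {
  const weak = rawTextBodies(renderWeak(BREAKOUT), 'script');
  const hard = rawTextBodies(renderHardened(BREAKOUT), 'script');
  return {
    weakScriptCount: weak.length,        // 2: the attacker's script runs
    weakAttackerScript: weak[1],         // 'alert(document.location);'
    hardScriptCount: hard.length,        // 1: everything stays in the string
    roundTrip: JSON.parse(jsStringLiteral(BREAKOUT)) === BREAKOUT,
    cssBodies: rawTextBodies(CSS_PAGE, 'style'),  // cut at the CSS string
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same rule applies to any raw text element, which is why the CSS case in the block is cut off at the quoted "</style>". For values placed inside a CSS string the corresponding fix is a CSS hex escape of "<" (for example "\3c "), and for values placed into a JS string the encoder above is the one to use; the decision of what to escape depends on which parser runs first, not on the innermost language.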