
XSS with HTML parsing confusion #appsecapac2014

OWASP Japan
March 20, 2014


  1. XSS with HTML parsing confusion
     ma.la, 2014-03-20
  2. Today's theme
     XSS caused by an HTML parsing issue, especially related to WYSIWYG editors.
  3. The beginning
     I found and reported JavaScript execution in HTML mail: Sparrow, Mailbox, NAVER mail.
  4. Example: Mailbox's case
     Mailbox.app JavaScript execution. They restrict scripts server-side. I've reported another XSS vector. http://miki.it/blog/2013/9/24/mailboxapp-javascript-execution/
  5. XSS with Comment node
     HTML comment syntax: <!-- -->
     What is this? <!--> <tag> -->
  6. HTML spec
     A > right after <!-- is invalid. <!--> is not a "comment start"; this is an unknown tag.
  7. In the browser
     <unknown><script>...</script>-->
  8. In many HTML parser libraries
     <!-- // start comment > <script> … </script> --> // close comment
  9. Is an HTML "Comment node" safe?
  10. Conditional comments for IE
     <!--[if IE]> HTML <![endif]-->
  11. I found XSS on many CMS
     Is it not well known? WYSIWYG editor / TinyMCE. Some CMS restrict HTML tags with a server-side filter.
  12. How to XSS
     Reflected XSS by query string: http://cms.example.com/blog/editor?body= <tag> <!--><iframe src=javascript:alert(1)>-->
  13. Self-XSS on WYSIWYG editor
     With social engineering. Attacker: "please copy and paste this into the HTML editor": <embed>...</embed> ..... <!--><iframe src=javascript:alert(1)>--> ...
  14. TinyMCE
     TinyMCE can restrict tags and attributes with the "valid_elements" option. This is a client-side filter in JavaScript. If you permit a comment tag, ALL tags are permitted. I've reported this problem to TinyMCE.
  15. TinyMCE
     Now fixed: https://github.com/tinymce/tinymce/commit/22374b5d4aec47487e99a63d5854e2e7de55719d496c752a2
  16. (no text)
  17. Example
     XSS or self-XSS
  18. WordPress
     XSS on the editor page, only on wordpress.com, not wordpress.org. Reported 2013-9-30, now fixed.
  19. Movable Type
     XSS on the editor page. Reported 2013-9-30, fixed on MT6 and
  20. Google Blogger
     Self-XSS on the editor page: whitelist filter bypass via <!-->. Reported 2013-10-2, now fixed, $500.
  21. Common pattern
     Preview function + raw HTML editor, embed code, etc. Self-XSS was possible in some cases (a server-side filter is useless against self DOM XSS).
  22. How to fix #1
     Simply output valid HTML: use a whitelist and output well-formed, valid HTML.
  23. How to fix #2
     Use the browser's parser; you don't need to write a new HTML parser: document.implementation.createHTMLDocument
     some_element.innerHTML = htmlstring ← this executes <img src=x onerror=...>
     createHTMLDocument does only parsing and creates an inert ("dead") DOM node.
  24. Opera12
     Opera12's createHTMLDocument is buggy, don't use it. Opera12 executes <img src=x onerror=...>.
  25. Conclusions
     There is a difference between an actual browser and JS/server-side HTML parsers. Invalid HTML causes problems that are not predicted. Use a whitelist, output well-formed valid HTML.
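As an added illustration of slides 5-8 (the `<!-->` parsing disagreement) and the whitelist fix from slides 22 and 25, the following is example code written for this page, not from the talk: a naive comment regex treats `<!--><iframe ...>-->` as one comment, a tokenizer with the browser's comment-start rule sees a live `<iframe>`, and a whitelist re-serializer avoids the problem by never echoing input markup. The tag whitelist and the sample payload are constructed for the demo.

```python
import re
from html import escape

# Constructed sample in the slides' shape (not from the deck itself).
PAYLOAD = '<tag> <!--><iframe src=javascript:alert(1)>-->'
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}   # demo whitelist (assumption)
TAG_RE = re.compile(r"<(/?)([a-zA-Z][^\s/>]*)([^>]*)>")
HREF_RE = re.compile(r'\bhref\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def naive_strip_comments(html):
    """Comment handling as many server-side filters do it: one regex from '<!--' to the next '-->'."""
    return re.sub(r"<!--.*?-->", "", html, flags=re.S)

def tokenize(html):
    """Minimal tokenizer with the browser's comment-start rule: right after '<!--' a '>' or
    '->' closes the comment at once, so '<!-->' is empty and what follows is live markup."""
    tokens, i = [], 0
    while i < len(html):
        m = TAG_RE.match(html, i)                             # never matches '<!--'
        if html.startswith("<!--", i):
            j = i + 4
            if html[j:j + 1] == ">" or html[j:j + 2] == "->":   # abrupt close: '<!-->' / '<!--->'
                end = j + (2 if html[j] == "-" else 1)
            else:                                             # normal comment, up to '-->'
                k = html.find("-->", j)
                end = len(html) if k < 0 else k + 3
            tokens.append(("comment", html[i:end], ""))
        elif m:                                               # start or end tag
            tokens.append(("end" if m.group(1) else "start", m.group(2).lower(), m.group(3)))
            end = m.end()
        else:                                                 # text run up to the next '<'
            k = html.find("<", i + 1)
            end = len(html) if k < 0 else k
            tokens.append(("text", html[i:end], ""))
        i = end
    return tokens

def live_tags(html):
    """Tag names a browser would actually instantiate for this input."""
    return [name for kind, name, _ in tokenize(html) if kind == "start"]

def sanitize(html):
    """Fix #1 from the slides: re-serialize well-formed HTML from a whitelist. Comments are
    dropped, text is escaped, and only an http(s) href on <a> survives as an attribute."""
    out = []
    for kind, name, rest in tokenize(html):
        if kind == "text":
            out.append(escape(name, quote=False))
        elif kind == "start" and name in ALLOWED_TAGS:
            href = HREF_RE.search(rest) if name == "a" else None
            out.append("<%s%s>" % (name, ' href="%s"' % escape(href.group(1)) if href else ""))
        elif kind == "end" and name in ALLOWED_TAGS:
            out.append("</%s>" % name)
    return "".join(out)
```

Running `live_tags(PAYLOAD)` alongside `naive_strip_comments(PAYLOAD)` shows the differential the talk describes: the filter's view has no iframe, the browser's view does.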