Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSS with HTML parsing confusion #appsecapac2014
Search
OWASP Japan
March 20, 2014
4
1.2k
XSS with HTML parsing confusion #appsecapac2014
OWASP Japan
March 20, 2014
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
310
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
930
20190107_AbuseCaseCheatSheet
owaspjapan
0
150
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
880
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.1k
Shifting Left Like a Boss
owaspjapan
2
270
OWASP Top 10 and Your Web Apps
owaspjapan
2
360
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
220
elegance_of_OWASP_Top10_2017
owaspjapan
2
500
Featured
See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
54
9k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
810
How to Think Like a Performance Engineer
csswizardry
20
1.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Six Lessons from altMBA
skipperchong
26
3.5k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Happy Clients
brianwarren
97
6.7k
Gamification - CAS2011
davidbonilla
80
5k
Transcript
XSS with HTML parsing confusion XSS with HTML parsing confusion
ma.la 2014-03-20
Today's theme Today's theme XSS with HTML parsing issue Be
related especially with a WYSIWYG editor.
The beginning The beginning I found and reported JavaScript execution
on HTML mail. Sparrow, Mailbox, NAVER mail
Example: Mailbox's case Example: Mailbox's case Mailbox.app Javascript execution They
restrict script by server-side. I've report another XSS vector. http://miki.it/blog/2013/9/24/mailboxapp-javascript- execution/
XSS with Commment node XSS with Commment node HTML Comment
syntax: <!-- --> what is this? : <!--> <tag> -->
HTML spec HTML spec > after <!-- is invalid. <!-->
is not "comment start", this is unknown tag.
on browser on browser <unknown><script>...</script>-->
on many html parser library on many html parser library
<!-- // start comment > <script> … </script> --> // close comment
HTML "Comment node" is safe? HTML "Comment node" is safe?
NO!
conditional comments for IE conditional comments for IE <!--[if IE]>
HTML <![endif]-->
I found XSS on many CMS I found XSS on
many CMS It is not known so much? WYSIWYG editor / TinyMCE Some CMS restrict HTML tag by server-side filter.
How to XSS How to XSS reflected XSS by query
string http://cms.example.com/blog/editor?body= <tag> <!--><iframe src=javascript:alert(1)>-->
self-xss on WYSIWYG editor self-xss on WYSIWYG editor with social
engineering Attacker: please copy and paste this to HTML editor <embed>...</embed> ..... <!--><iframe src=javascript:alert(1)>--> ...
TinyMCE TinyMCE TinyMCE can restrict tag and attribute by "valid_elements"
option. This is client-side filter by JavaScript. if you permit a comment tag, ALL tags are permitted. I've report this problem to TinyMCE.
TinyMCE TinyMCE now fixed https://github.com/tinymce/tinymce/commit/22374b5d4aec47487 e99a63d5854e2e7de55719d496c752a2
None
Example Example XSS or self-XSS
WordPress WordPress XSS on editor page only in wordpress.com, not
wordpress.org reported: 2013-9-30, and now fixed
Movable Type Movable Type XSS on editor page reported: 2013-9-30,
fixed on MT6 and
Google Blogger Google Blogger Self XSS on editor page white
list filter bypass via <!--> reported: 2013-10-2, now fixed, $500
Common pattern Common pattern preview function + raw HTML editor,
embed code, etc self-XSS was possible in some case (server-side filter is useless for self DOM XSS)
How to fix #1 How to fix #1 simply, output
valid html use whitelist, output wellformed valid html
How to fix #2 How to fix #2 use browser's
parser you don't need to write new HTML parser. document.implementation.createHTMLDocument some_element.innerHTML = htmlstring ↑ execute <img src=x onerror=...> createHTMLDocument do only parsing, create dead DOM node.
Opera12 Opera12 Opera12's createHTMLDocument is buggy, don't use it. Opera12
execute <img src=x onerror=...>
Conclusions Conclusions There is difference between actual browser and js/server-
side HTML parser. invalid html causes the problem which is not predicted. use whitelist, output wellformed valid html.