
XSS with HTML parsing confusion #appsecapac2014

OWASP Japan
March 20, 2014


Transcript

  1. Today's theme
     XSS with HTML parsing issues, especially as related to WYSIWYG editors.
  2. Example: Mailbox's case
     Mailbox.app JavaScript execution. They restrict script server-side. I reported another XSS vector.
     http://miki.it/blog/2013/9/24/mailboxapp-javascript-execution/
  3. XSS with comment node
     HTML comment syntax: <!-- -->
     What is this? : <!--> <tag> -->
  4. HTML spec
     ">" right after "<!--" is invalid. "<!-->" is not a "comment start"; this is an unknown tag.
  5. On many HTML parser libraries
     <!--                     // start comment
     > <script> … </script>
     -->                      // close comment
  6. I found XSS on many CMS
     Is it not well known? WYSIWYG editor / TinyMCE. Some CMS restrict HTML tags with a server-side filter.
  7. How to XSS
     Reflected XSS by query string:
     http://cms.example.com/blog/editor?body=<tag><!--><iframe src=javascript:alert(1)>-->
  8. Self-XSS on WYSIWYG editor with social engineering
     Attacker: "Please copy and paste this into the HTML editor."
     <embed>...</embed> ..... <!--><iframe src=javascript:alert(1)>--> ...
  9. TinyMCE
     TinyMCE can restrict tags and attributes with the "valid_elements" option. This is a client-side filter in JavaScript. If you permit the comment tag, ALL tags are permitted. I reported this problem to TinyMCE.
  10. WordPress
     XSS on the editor page, only in wordpress.com, not wordpress.org. Reported 2013-9-30, now fixed.
  11. Google Blogger
     Self-XSS on the editor page: whitelist filter bypass via <!-->. Reported 2013-10-2, now fixed, $500.
  12. Common pattern
     Preview function + raw HTML editor, embed code, etc. Self-XSS was possible in some cases (a server-side filter is useless against self DOM XSS).
  13. How to fix #1
     Simply output valid HTML: use a whitelist and output well-formed, valid HTML.
  14. How to fix #2
     Use the browser's parser; you don't need to write a new HTML parser.
     document.implementation.createHTMLDocument
     some_element.innerHTML = htmlstring   (this executes <img src=x onerror=...>)
     createHTMLDocument does only parsing and creates dead DOM nodes.
  15. Conclusions
     There is a difference between the actual browser and JS/server-side HTML parsers. Invalid HTML causes problems which are not predicted. Use a whitelist, output well-formed valid HTML.
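The parser difference from slides 5 and 15, as an added example that is not part of the OWASP Japan deck: a naive comment stripper of the kind many filter libraries use, beside a scanner that follows the browser tokenizer's rule that "<!-->" and "<!--->" close the comment immediately, both run over the payload from slide 7. The function names and the parsersDisagree check are my own.

```javascript
// Added example, not from the deck. Two ways of deciding where an HTML
// comment ends, run over the deck's payload (slide 7).
//   naiveStripComments   - "<!--" ... nearest "-->" (what many filter libraries do)
//   browserStripComments - HTML tokenizer rules: "<!-->" and "<!--->" are
//                          empty comments that close at once; otherwise the
//                          comment ends at "-->" or "--!>"
// Function names are my own; the payload is the one shown on slide 7.

const PAYLOAD = '<tag> <!--><iframe src=javascript:alert(1)>-->';

// Filter-library style: a regex from "<!--" to the nearest "-->".
function naiveStripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '');
}

// Browser style: returns the markup the browser actually treats as
// non-comment content (data state only; script/style raw text not covered).
function browserStripComments(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const start = html.indexOf('<!--', i);
    if (start === -1) { out += html.slice(i); break; }
    out += html.slice(i, start);
    const p = start + 4;                        // position right after "<!--"
    if (html.startsWith('>', p)) {              // "<!-->": empty comment
      i = p + 1;
    } else if (html.startsWith('->', p)) {      // "<!--->": empty comment
      i = p + 2;
    } else {
      const close = /--!?>/g;                   // "-->" or "--!>"
      close.lastIndex = p;
      const m = close.exec(html);
      i = m ? m.index + m[0].length : html.length; // unterminated: rest is comment
    }
  }
  return out;
}

// Case-insensitive check for a start tag with the given name.
function containsTag(html, name) {
  return new RegExp('<' + name + '[\\s/>]', 'i').test(html);
}

// A filter is only safe when its parser and the browser agree on what is a
// comment and what is markup; flag any input where the two views differ.
function parsersDisagree(html) {
  return naiveStripComments(html) !== browserStripComments(html);
}
```

On the slide 7 payload the naive stripper returns only "<tag> ", while the browser view still contains the iframe, which is exactly the filter bypass the deck describes.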