
XSS with HTML parsing confusion #appsecapac2014

March 20, 2014

  1. Today's theme
     XSS caused by HTML parsing issues, especially in connection with WYSIWYG editors.
  2. Example: Mailbox's case
     Mailbox.app, JavaScript execution. They restrict script on the server side. I reported another XSS vector: http://miki.it/blog/2013/9/24/mailboxapp-javascript-execution/
  3. XSS with comment node
     HTML comment syntax: <!-- -->
     What is this? : <!--> <tag> -->
  4. HTML spec
     A > directly after <!-- is invalid. <!--> is not a "comment start"; the browser treats it as an unknown tag.
  5. On many HTML parser libraries
     <!-- // start comment
     > <script> … </script>
     --> // close comment
     The library treats <!-- as the start of a comment and swallows everything up to -->, including the script.
  6. I found XSS on many CMSes
     Is this not widely known? WYSIWYG editor / TinyMCE. Some CMSes restrict HTML tags with a server-side filter.
  7. How to XSS
     Reflected XSS via the query string:
     http://cms.example.com/blog/editor?body=<tag><!--><iframe src=javascript:alert(1)>-->
  8. Self-XSS on WYSIWYG editor
     With social engineering. Attacker: "please copy and paste this into the HTML editor":
     <embed>...</embed> ..... <!--><iframe src=javascript:alert(1)>--> ...
  9. TinyMCE
     TinyMCE can restrict tags and attributes with the "valid_elements" option. This is a client-side filter written in JavaScript. If you permit a comment tag, ALL tags are permitted. I reported this problem to TinyMCE.
  10. WordPress
     XSS on the editor page, only on wordpress.com, not wordpress.org. Reported 2013-9-30, now fixed.
  11. Google Blogger
     Self-XSS on the editor page: whitelist filter bypass via <!-->. Reported 2013-10-2, now fixed, $500.
  12. Common pattern
     Preview function + raw HTML editor, embed code, etc. Self-XSS was possible in some cases (a server-side filter is useless against self DOM XSS).
  13. How to fix #1
     Simply output valid HTML: use a whitelist and output well-formed, valid HTML.
  14. How to fix #2
     Use the browser's parser; you don't need to write a new HTML parser.
     document.implementation.createHTMLDocument
     some_element.innerHTML = htmlstring ↑ this executes <img src=x onerror=...>
     createHTMLDocument only parses and creates dead DOM nodes, so nothing runs.
  15. Conclusions
     There is a difference between the actual browser and JS/server-side HTML parsers. Invalid HTML causes problems that are not predicted. Use a whitelist and output well-formed, valid HTML.
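The parsing difference from slides 4 and 5, as an added example that is not part of the talk: a naive "comment swallows everything to -->" stripper next to a stripper that follows the browser's tokenizer rule that <!--> (and <!--->) closes the comment immediately. The sample markup and the function names are constructed for this example; it runs in Node without a DOM and is meant for checking a filter, not for use as a sanitizer.

```javascript
// Naive library behaviour: "<!--" opens a comment that runs to the next "-->".
function naiveStripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '');
}

// Browser-like behaviour (HTML tokenizer "comment start" state): a ">" or "->"
// right after "<!--" ends the (empty) comment, so the markup after it is live.
function browserStripComments(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    if (html.startsWith('<!--', i)) {
      if (html[i + 4] === '>') {            // "<!-->": abruptly closed empty comment
        i += 5;
        continue;
      }
      if (html.startsWith('->', i + 4)) {   // "<!--->": same thing
        i += 6;
        continue;
      }
      const end = html.indexOf('-->', i + 4);
      i = end === -1 ? html.length : end + 3; // unterminated comment eats the rest
      continue;
    }
    out += html[i++];
  }
  return out;
}

// Does a stripper's output still contain a live tag with this name?
function hasTag(markup, name) {
  return new RegExp('<' + name + '\\b', 'i').test(markup);
}

// Constructed sample following the deck's pattern (harmless src value).
const SAMPLE = '<p>hello</p><!--><iframe src=x>-->';

// Compare what each parser model "sees"; a filter built on the naive model
// would pass this input while the browser renders the iframe.
function compare(html = SAMPLE) {
  return {
    naiveSeesIframe: hasTag(naiveStripComments(html), 'iframe'),
    browserSeesIframe: hasTag(browserStripComments(html), 'iframe'),
  };
}

console.log(compare());
```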