Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSS with HTML parsing confusion #appsecapac2014
Search
OWASP Japan
March 20, 2014
4
1.2k
XSS with HTML parsing confusion #appsecapac2014
OWASP Japan
March 20, 2014
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
340
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
180
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.3k
Shifting Left Like a Boss
owaspjapan
2
290
OWASP Top 10 and Your Web Apps
owaspjapan
2
380
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
240
elegance_of_OWASP_Top10_2017
owaspjapan
2
530
Featured
See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
GitHub's CSS Performance
jonrohan
1031
460k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
What's in a price? How to price your products and services
michaelherold
246
12k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
990
Rails Girls Zürich Keynote
gr2m
95
14k
The Straight Up "How To Draw Better" Workshop
denniskardys
235
140k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Automating Front-end Workflow
addyosmani
1370
200k
KATA
mclloyd
30
14k
Transcript
XSS with HTML parsing confusion XSS with HTML parsing confusion
ma.la 2014-03-20
Today's theme Today's theme XSS with HTML parsing issue Be
related especially with a WYSIWYG editor.
The beginning The beginning I found and reported JavaScript execution
on HTML mail. Sparrow, Mailbox, NAVER mail
Example: Mailbox's case Example: Mailbox's case Mailbox.app Javascript execution They
restrict script by server-side. I've report another XSS vector. http://miki.it/blog/2013/9/24/mailboxapp-javascript- execution/
XSS with Commment node XSS with Commment node HTML Comment
syntax: <!-- --> what is this? : <!--> <tag> -->
HTML spec HTML spec > after <!-- is invalid. <!-->
is not "comment start", this is unknown tag.
on browser on browser <unknown><script>...</script>-->
on many html parser library on many html parser library
<!-- // start comment > <script> … </script> --> // close comment
HTML "Comment node" is safe? HTML "Comment node" is safe?
NO!
conditional comments for IE conditional comments for IE <!--[if IE]>
HTML <![endif]-->
I found XSS on many CMS I found XSS on
many CMS It is not known so much? WYSIWYG editor / TinyMCE Some CMS restrict HTML tag by server-side filter.
How to XSS How to XSS reflected XSS by query
string http://cms.example.com/blog/editor?body= <tag> <!--><iframe src=javascript:alert(1)>-->
self-xss on WYSIWYG editor self-xss on WYSIWYG editor with social
engineering Attacker: please copy and paste this to HTML editor <embed>...</embed> ..... <!--><iframe src=javascript:alert(1)>--> ...
TinyMCE TinyMCE TinyMCE can restrict tag and attribute by "valid_elements"
option. This is client-side filter by JavaScript. if you permit a comment tag, ALL tags are permitted. I've report this problem to TinyMCE.
TinyMCE TinyMCE now fixed https://github.com/tinymce/tinymce/commit/22374b5d4aec47487 e99a63d5854e2e7de55719d496c752a2
None
Example Example XSS or self-XSS
WordPress WordPress XSS on editor page only in wordpress.com, not
wordpress.org reported: 2013-9-30, and now fixed
Movable Type Movable Type XSS on editor page reported: 2013-9-30,
fixed on MT6 and
Google Blogger Google Blogger Self XSS on editor page white
list filter bypass via <!--> reported: 2013-10-2, now fixed, $500
Common pattern Common pattern preview function + raw HTML editor,
embed code, etc self-XSS was possible in some case (server-side filter is useless for self DOM XSS)
How to fix #1 How to fix #1 simply, output
valid html use whitelist, output wellformed valid html
How to fix #2 How to fix #2 use browser's
parser you don't need to write new HTML parser. document.implementation.createHTMLDocument some_element.innerHTML = htmlstring ↑ execute <img src=x onerror=...> createHTMLDocument do only parsing, create dead DOM node.
Opera12 Opera12 Opera12's createHTMLDocument is buggy, don't use it. Opera12
execute <img src=x onerror=...>
Conclusions Conclusions There is difference between actual browser and js/server-
side HTML parser. invalid html causes the problem which is not predicted. use whitelist, output wellformed valid html.