innerHTML based XSS in Nette #1496

Closed
soaj1664 opened this issue May 23, 2014 · 5 comments
@soaj1664
commented May 23, 2014

Hi,

Nette is vulnerable to an innerHTML-based XSS. IE8 treats the backtick character as a valid separator between an attribute and its value. An attacker can use a backtick to break out of the attribute context and execute JavaScript.

On a test-bed: http://hoola.cz/nette-xss-test/?do=form-submit (you guys created this test-bed in this issue: #1301)

Output is reflected in different contexts, and one of them is an attribute context. In the test-bed, the input lands as the value of a class attribute.

Now if you input ``onmouseover=alert(1), Nette does not escape the backticks, as can be seen in the output.

I am attaching a screenshot that shows this is a valid vector in IE8.
(screenshot: inn1)

For testing innerHTML based XSS, I have used this tool: http://html5sec.org/innerhtml/ created by Mario Heiderich.

@mishak87
Contributor

commented May 24, 2014

TL;DR The whole idea of these kinds of vectors is that the server expects the browser to behave according to standards, or at least not to segfault/hang. Today one should expect no less from IE and old browsers.

It is an mXSS attack, not XSS. The m stands for mutation, and it is a problem of browsers' handling of element.innerHTML and style.cssText().
Slides of one of the first talks on this topic.

It is mostly a problem of the IE family, but there are some issues with old Firefox and Chrome. It might be possible to force IE 9+ to use the old engine susceptible to it.

IMO sanitization in the JavaScript context will be nearly impossible without advanced heuristics. As for the backtick, it should be fairly simple (remove them all). Escaping is not an option according to the slides (innerHTML can be called twice).

I wanted to write some funny hyperbole but this IE flaw just makes me sad.

@dg
Member

commented May 24, 2014

@soaj1664 Thanks for the report!

dg added a commit that referenced this issue May 24, 2014

Html: workaround for innerHTML mXSS vulnerability [Closes #1496]
IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
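The report above says backticks reach the page unescaped inside a quoted attribute, and the commit message describes the workaround: append a space to the attribute value so IE8's innerHTML serialiser keeps the quotes. The following Python is an added illustration of that workaround, written for this thread; it is not Nette's code, and the function names, the `render_class_div` markup and the sample inputs are constructed for the example.

```python
import html

BACKTICK = "`"


def escape_attr_naive(value: str) -> str:
    """Plain HTML attribute escaping (the pre-fix behaviour the report describes).

    Escapes & < > " ' but leaves backticks alone, so a value such as
    ``foo=bar reaches the page unchanged inside the quoted attribute.
    """
    return html.escape(value, quote=True)


def needs_backtick_workaround(escaped: str) -> bool:
    """True when the escaped value still contains a backtick, the character
    the commit message says IE8's innerHTML serialiser mishandles."""
    return BACKTICK in escaped


def escape_attr_hardened(value: str) -> str:
    """Escaping plus the workaround from the commit message: append one space
    so IE8 keeps the quotes around the attribute when it re-serialises it.
    (Hypothetical helper, not Nette's implementation.)"""
    escaped = escape_attr_naive(value)
    if needs_backtick_workaround(escaped):
        escaped += " "
    return escaped


def render_class_div(value: str, hardened: bool = True) -> str:
    """Render the class-attribute context from the test-bed with user input."""
    esc = escape_attr_hardened if hardened else escape_attr_naive
    return f'<div class="{esc(value)}">I am a class attribute context</div>'


# Constructed sample inputs: the value quoted in the commit message and a
# value with ordinary quote characters that needs no workaround.
SAMPLES = ["``foo=bar", 'plain "quoted" text']

if __name__ == "__main__":
    for sample in SAMPLES:
        print("naive:   ", render_class_div(sample, hardened=False))
        print("hardened:", render_class_div(sample))
```

A trailing space is harmless in a space-separated list such as class, and the point of the workaround is the serialiser's behaviour, not the attribute's semantics. Note that it leaves the backticks in the output; it only makes IE8 keep the quotes around them.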

@soaj1664
Author

commented May 24, 2014

@mishak87 The backtick has nothing to do with the JavaScript context. It is a problem of the attribute context, in particular the case we are discussing here. As far as sanitization in the JS context is concerned, it can be done provided you know the meta characters that may cause problems. Demo for you: (http://xssplaygroundforfunandlearn.netai.net/final.html). Mutation XSS fails here :)

Yes, we can even force modern browsers to behave like old ones with the help of options available in the meta tag (the attacker needs to frame the page first and can then set the page behaviour)...

@dg Thanks for quick fix.

dg added a commit to nette/utils that referenced this issue May 24, 2014

Html: workaround for innerHTML mXSS vulnerability [Closes nette/nette#1496]

IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

dg added a commit to nette/latte that referenced this issue May 24, 2014

Added workaround for innerHTML mXSS vulnerability [Closes nette/nette#1496]

IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

dg added a commit that referenced this issue May 24, 2014

Latte: workaround for innerHTML mXSS vulnerability [Closes #1496]
IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

@mishak87
Contributor

commented May 24, 2014

@soaj1664 In this case yes, but mXSS is not just attribute escaping; the issue is bigger than just two backticks. Also, the slides mention that executing innerHTML twice would circumvent escaping, so this issue might be broader if ajax is not using TrueHTML instead of innerHTML. Slides page 44.

dg added a commit to nette/latte that referenced this issue May 24, 2014

Added protection against innerHTML mXSS vulnerability [Closes nette/nette#1496] (possible BC break)

IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

dg added a commit that referenced this issue May 24, 2014

Latte: added protection against innerHTML mXSS vulnerability [Closes #1496] (possible BC break)

IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

dg added a commit that referenced this issue May 24, 2014

Html: added protection against innerHTML mXSS vulnerability [Closes #1496] (possible BC break)

IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

dg added a commit to nette/utils that referenced this issue May 24, 2014

Html: added protection against innerHTML mXSS vulnerability [Closes nette/nette#1496] (possible BC break)

IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

dg added a commit to nette/utils that referenced this issue May 25, 2014

Html: added protection against innerHTML mXSS vulnerability [Closes nette/nette#1496] (possible BC break)

IE8 for code `<div attr="``foo=bar">` produces invalid innerHTML `<div attr=``foo=bar>`. Adding a space at the end of the attribute forces IE to put quotes around the attribute.

More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

@soaj1664
Author

commented Oct 30, 2014

Hey guys!

I had one more comment. I am looking at the test-bed http://hoola.cz/nette-xss-test/?do=form-submit that you created during an earlier issue for testing Nette in different contexts.

My question is related to the style context. If I input a harmless style, e.g. color:red, then it should work, but what I received as output is

`<div style='color\:red'>I am a style attribute context</div>`

What's the point in escaping `:`? I think the use case would be to allow simple styles without JavaScript execution. Isn't it? Or am I missing something?

Thanks!
