Re: [Full-disclosure] IE handling the HTML notes incorrectly may lead to XSS attacks



A good example of the "incorrect handling":
<!--[if<img/onerror=alert(1) src=]> //executed.
<!--[i<img/onerror=alert(1) src=]> //not executed.


On Mon, Aug 8, 2011 at 2:23 PM, Christian Sciberras <uuf6429@xxxxxxxxx> wrote:

I think it's worth noting that MSIE expects an *expression* in the
conditional (it's a feature).
Hence even if you disable direct XSS, there would probably still be
more ways an *expression* could be used to write HTML code.

As such, I don't think they should be "fixing" this (since it is
intended), but rather warn developers about its existence.

On the other hand, if developers are writing unfiltered HTML inside
this conditional, I think there are worse issues than this.
I've always believed in the philosophy of making browsers work as
expected instead of expecting them to comply and fix my issues.
Especially if the browser in question is Internet Explorer ;-).

Cheers,
Chris.



On Mon, Aug 8, 2011 at 5:59 AM, CnCxzSec衰仔 <cncxzhack@xxxxxxxxx> wrote:
This is a normal use, but <!--[if<img/onerror=alert(1) src=]> is an
abnormal use. IE should regard this as an HTML comment instead of a
downlevel-hidden comment, so the HTML tags inside the COMMENT should
not be evaled.

On Mon, Aug 8, 2011 at 11:30 AM, Andrew Farmer <andfarm@xxxxxxxxx> wrote:

On 2011-08-07, at 19:53, CnCxzSec衰仔 wrote:
Hi all, here is an interesting trick to perform an XSS attack with IE
browsers.

Some rich text applications, such as email and blogs, may allow the
use of HTML but have a policy of blocking on-event execution to
prevent XSS attacks.
However, these applications may also allow the use of HTML notes, for
instance "<!-- -->".

Any such applications are likely to also be vulnerable to a simpler
attack based on "downlevel-hidden" conditional comments:

<!--[if IE]>
<script>anything you want can go here, presumably</script>
<![endif]-->

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
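The defensive takeaway from the thread is that a sanitizer which keeps HTML comments but strips on-event attributes leaves IE a channel to evaluate markup. The following Python, added here as an example and not code posted in the thread, shows a comment-stripping policy exercised against the thread's own fragments; the sample fragments, function names and the crude on* handler check are constructed for illustration.

```python
import re

# Constructed samples based on the fragments quoted in the thread.
SAMPLES = {
    "plain_comment": "<p>hi</p><!-- a note --><p>bye</p>",
    "downlevel_hidden": "<!--[if IE]>\n<script>alert(1)</script>\n<![endif]-->",
    "malformed_if": "<p>x</p><!--[if<img/onerror=alert(1) src=]>",  # thread: executed
    "malformed_i": "<p>x</p><!--[i<img/onerror=alert(1) src=]>",    # thread: not executed
}

# IE treats a comment whose body begins with "[if" as a conditional comment.
# Kept loose on purpose: the thread's "<!--[if<img ...]>" has no space after "if".
_CONDITIONAL_OPEN = re.compile(r"<!--\s*\[\s*if\b", re.IGNORECASE)

# A comment runs to the first "-->" or, when it is never closed, to the end
# of the input. The malformed sample above has no "-->" at all, so a pattern
# that only removes well-formed comments would leave it in place.
_COMMENT = re.compile(r"<!--.*?(?:-->|\Z)", re.DOTALL)

# Event-handler attribute preceded by whitespace OR "/" ("<img/onerror=" in the thread).
_ON_HANDLER = re.compile(r"[\s/]on\w+\s*=", re.IGNORECASE)


def contains_conditional_comment(html: str) -> bool:
    """True if the fragment opens an IE conditional comment anywhere."""
    return _CONDITIONAL_OPEN.search(html) is not None


def strip_comments(html: str) -> str:
    """Remove every comment, closed or unterminated, so IE has nothing to evaluate."""
    return _COMMENT.sub("", html)


def sanitize(html: str) -> str:
    """Policy for user-supplied rich text: drop all comments, then reject on* handlers."""
    cleaned = strip_comments(html)
    if _ON_HANDLER.search(cleaned):
        raise ValueError("inline event handler not allowed")
    return cleaned


if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        print(f"{name}: conditional={contains_conditional_comment(fragment)} "
              f"-> {sanitize(fragment)!r}")
```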

