[bWM#012] Passing script/html-filter with special chars (multibrowser)

• Previous message: pre: "Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <bugtraq@securityfocus.com>
Date: Wed, 30 Jul 2003 04:48:01 +0200

ben moeckel security research - http://badWebMasters.net - security
advisories
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - -

badWebMasters security advisory #012:

        Passing script/html-filter with special chars (multibrowser)

Discovery date: 2003-07-16

Author:

        ben moeckel (http://distressed.de)
        mailto: badwebmasters@online.de

Description:

        When webbrowsers parse html they remove special chars,
        this behavior may be used by an malicious user to fool
        script/html-filters in webapplications.

Detail:

        badWebMasters showed in their advisory #011 how to pass
        the "Snitz Forums"-scriptfilter with the Tab-Char (09).
        After "Opera" and "Mozilla"-users noticed that the
        provided exploit didn't work on their system I decided
        to start some new testings, with an amazing result!

        To detect what kind of special chars can be used in html-
        parameters I set up the following asp-page:

        -------------------------------------------2.asp---------
        <%@LANGUAGE=JScript%><%

        %><script>function a(o){alert(o)}</script><%
        %><img src="javascript:a('test')" /><%

        for(i=0;i<256;++i){
                uc = "%"+chk(i.toString(16));
                %><img src="ja<%=unescape(uc)%>vascript:a(<%=i%>)" />
        <% }

        function chk(sInp){if(sInp.length<2){
                return String("0"+sInp)
        }else{return sInp}}
        %>
        ---------------------------------------------------------

        The page has been viewed with Mozilla, Opera and Internet-
        Explorer, the alert-box poped up in this order:

                Mozilla 1.3.1 (Win32): 0 (with restricions)

                Opera 7.11 (Win32): 0, 9, 10, 13, 173

                Internet Explorer 5.0: 13, 10, 9, 0

        Mozilla doesn't allow the window.alert()-method in "javascript:"-
        images, so I had to use my own function "a()". It also returned
        an error for char 9, 10 and 13: "Error: unterminated regular
        expression literal".

        Webmasters may be carefull with char 173 (ADh) that can be used
        in Opera only.

        And last but not least silly Internet Explorer: reversed order!?

Test:

        http://badwebmasters.net/advisory/012/test.asp

Workaround:

        This advisory adresses all webapps that use a badword filter,
        make sure all control-chars are removed before badwords are
        removed!

References:

        badWebMasters advisory #011: Cross-Site-Scripting @ Snitz Forums
        - http://cert.uni-stuttgart.de/archive/bugtraq/2003/04/msg00247.html

Feedback:

        Comments, suggestions, updates, anything else?
                -> mailto:badwebmasters@online.de

Source:

        http://badwebmasters.net/advisory/012/ (text/html)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - -
Copyright 2003 by ben moeckel (Benjamin Klimmek) for badWebMasters.
http://badwebmasters.net

• Previous message: pre: "Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]