Tuesday, March 4, 2008

XSS Exploit and HTML Style Sanitization - Developers, this should scare you (A LOT!!!)

Well if you are a developer creating externally facing web sites that allows HTML or has an RTF style editor that allows HTML submissions then you will need to be aware of the following. The HTML <STYLE> element is not safe.

The following example shows just how that is so...

From the following details found at http://www.feedparser.org/docs/html-sanitization.html I crafted this HTML into this post

<span style="any: expression(alert('XSS Hack'))">

Using an ASCII to Decimal encoder found here http://code.cside.com/3rdpage/us/unicode/ascii.html

To give this

<span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#32;&#72;&#97;&#99;&#107;&#39;&#41;&#41;">

It looks like Google Docs is good at filtering out style embedding and this restriction is a good thing. If you see an alert dialog then the system that your using does not correctly filter out the style= tag attribute but you can save it to disk and open it in Internet Explorer and it will run.

With this approach a hacker could easily create a dynamic script tag loading a javascript payload or just packaging up all you cookies on the compromised we site and sending those details onto a third party web site.

I created a safe tags list based on some originating work around Telligent's Community Server.

If you have a copy of Community Server then this list will be handy if not I guess you could look over the

Here is the white list and it should be easy enought to understand.

<?xml version="1.0" encoding="utf-8" ?>

Any element or attribute not included in this list will either be removed or encoded (ie, they will NOT be rendered as markup).

Elements in the globalAttributes section with enable = true will be allowed for all valid Html elements. Invalid attributes
always removed!

Elements listed in the html section will be treated as valid. If you would like to enable additional attributes,
you can list them with a value of true

<!-- http://www.feedparser.org/docs/html-sanitization.html
<style enable="true" />

Ban list but questionable
<area />
<map />
<img usemap="true" />

Some that deals with form submissions and there are more but for the most part just some attention to dissalow these..
<label <fieldset <button, <form, <input <option <select <textarea <optgroup
<class enable="true" />
<align enable="true" />
<id enable="true" />
<a href="true" title="true" name="true" target= "true" rel="true" />
<abbr />
<acronym />
<address />
<b />
<bdo />
<big />
<blockquote dir="true" />
<br />
<caption />
<center />
<cite />
<code />
<col />
<colgroup />
<dd />
<del />
<dfn />
<dir />
<div />
<dl />
<dt />
<em />
<font size="true" color="true" face="true" />
<h1 />
<h2 />
<h3 />
<h4 />
<h5 />
<h6 />
<h7 />
<hr />
<i />
<img src="true" alt="true" title="true" border="true" width="true" height="true" hspace="true" />
<ins />
<kbd />
<lecut />
<legend />
<li />
<menu />
<ol />
<p dir="true" />
<pre />
<q />
<s />
<samp />
<small />
<span />
<strike />
<strong />
<sub />
<sup />
<table cellpadding="true" cellspacing="true" bgcolor="true" />
<tbody />
<td rowspan="true" colspan="true" />
<tfoot />
<th />
<thead />
<tt />
<tr />
<u />
<ul />
<var />
<xmp />


Hope that this helps you...

Kevin Pirkl

No comments:

Blog Archive