innerHTML based XSS in Nette

[soaj1664]

Hi,

Nette is vulnerable to an innerHTML based XSS. IE8 treats back tick character as a valid separator for attribute and value. Attacker can use back tick in order to break the attribute context and execute JavaScript.

On a test-bed: http://hoola.cz/nette-xss-test/?do=form-submit (you guys have created this test-bed in this issue: #1301)

output reflects in different context and one of them is an attribute context. In test-bed, input lands as a value of class attribute.

Now if you will input ``onmouseover=alert(1), Nette does not escape back-tick as can be seen in the output.

I am attaching a screen-shot that shows this is a valid vector in IE8.

For testing innerHTML based XSS, I have used this tool: http://html5sec.org/innerhtml/ created by Mario Heiderich.

[mishak87]

TL;DR Whole idea of these kind of vectors is that server expects browser will behave according to standards or at least not segfault/hang. Today one should expect no less from IE and old browsers.

It is mXSS attack not XSS. m stands for mutation and it is problem of browsers handling of element.innerHtml and style.cssText().
Slides of one of the first talks on this topic.

It is mostly problem of IE family but there are some issues with old Firefox and Chrome. It might be possible to force IE 9+ to use old engine susceptible to it.

IMO Sanitazation in javascript context will be nearly impossible without advanced heuristics. As for the backtick it should be fairly simple (remove them all). Escaping is not the option according to slides (innerHtml can be called twice).

I wanted to write some funny hyperbole but this IE flaw just makes me sad.

[dg]

@soaj1664 thx for report!

[soaj1664]

@mishak87 backtick has nothing to do with JavaScript context. It is the problem of an attribute context, in particular the case we are discussing here. As far as sanitization in JS context is concerned, it can be done provided you know the meta characters that may cause problem. Demo for you: (http://xssplaygroundforfunandlearn.netai.net/final.html). Mutation XSS fails here :)

Yes. we can even force modern browsers to behave like old one with the help of options available in meta tag (Attacker needs to frame the page first and then can set page behavior)...

@dg Thanks for quick fix.