Apparently there’s nothing technical on this blog since last March. I really have nothing interesting to talk about, save for a weird XSS I found somewhere near September, and that is a bit more disappointing to me than it is to you.
Let’s get things started again, so to speak, by writing about that.
Imagine a simple online banking page: After logging in, this page allows you to perform certain transactions, and it allows you to write a short comment for each transaction (let’s assume it’s for convenience - maybe you want to keep a short note about what kind of transaction required you to transfer $500 today, or whatever). The length of each comment is limited to ~20 characters, or any arbitrary amount you can think of.
As long as you are logged on to the application, you can perform transactions, and after
each one you will be presented with a confirmation page which lists, among other things,
your supplied comment, as well as an informative page after the transaction is accepted,
which also lists the same information. As any conscious security person would do, you
would try to check for the obvious issue, a cross-site scripting issue, by supplying
appropriate input on the comment field. The result was correctly filtered and/or escaped
by the application server, and your attempts would be in vain, further affirming your
trust on your
Try and log out, however, and you’re presented with the most curious thing: a short “history” of all transactions you’ve committed during the previous session, along with the short comment for each one, presented in a neat and tidy little HTML table. As the security-conscious people we are, we check the page source, and find out that this output is not escaped and/or filtered in the same manner as the previous pages!
We may have a problem.
I say “may”, because the usual PoC payloads for cross-site scripting issues don’t fit into the little comment space. Trying to supply contents past the limit shows us that the server truncates our input, thwarting our attempts at misbehaviour. But wait! Didn’t we just see that output on the log out page isn’t properly escaped? What does that mean? It means that the contents of each little comment are treated & presented as HTML, with apparently no discernible attempts at sanitization.
Are you pondering what I’m pondering?
Uh, I think so, but balancing a family and a career … ooh, it’s all too much for me.
Instead, let’s try to insert less-than signs (
>) to close HTML tags and supply our XSS
PoC in multiple parts. Since all (actually, up to 5, which were more than enough)
transaction comments are presented in the page, we should have enough space to deliver our
“exploit”. The structure of it, in its parts, would look something like this (skipping the
special character encoding that was actually used as it’s not really relevant):
What happens as a result of the way the logout page displays comments, is that all
sections of HTML between our supplied input is commented out (
-->), allowing us
Here’s to yet another curious technicality with no real world applicability! :-)« Past Future »