Adi "Adico" Cohen
Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability CVE-2011-1252
The following post describes a bypass I found for the toStaticHTML function in IE, back in 2011.
Introduction:
The JavaScript function toStaticHTML, found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize
HTML fragments by stripping dynamic and potentially malicious content.
If an attacker is able to break the filtering mechanism and pass malicious code through this function, he/she may be
able to perform HTML injection based attacks (e.g. XSS).
Vulnerability:
An attacker is able to craft a specially formed CSS snippet that, after passing through the toStaticHTML function, still contains an expression() that triggers a JavaScript call.
The following JavaScript code demonstrates the vulnerability (it should be written as a single line):
<script>document.write(toStaticHTML(" <style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style> "))</script>
This code bypasses the filter engine for two reasons:
1. The filtering engine allows the string "expression(" to exist in "non-dangerous" locations within the CSS string (here, inside the value of the color property).
2. The filtering engine encodes characters such as &, <, > etc. to their HTML entities (&amp;, &lt;, &gt; etc.), and the encoded text is not re-checked.
Combining these two facts, the attacker is able to use the semicolon that terminates the HTML entity
in order to end one CSS declaration and start a new one without the filtering engine
realizing it, thus breaking the state machine and bypassing the filter.
The output of toStaticHTML will look like:
<style>div{color:rgb(0,0,0)&amp;a=expression(alert(1))}</style>
The ';' of "&amp;" terminates the color declaration, leaving "a=expression(alert(1))" as a new declaration. As we all know, IE's CSS parser treats '=' as equivalent to ':', and therefore the expression evaluates correctly.
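To make the root cause concrete, here is an added example (it is not code from the original post and not toStaticHTML's real implementation): a toy CSS declaration filter that validates declarations and only then HTML-encodes the text, next to the same filter with the steps in the hardened order. The names (parseDeclarations, sanitizeFilterThenEncode, sanitizeEncodeThenFilter) and the lenient "'=' works like ':'" parsing rule are assumptions modelled on the post's description, not IE internals.

```javascript
// Toy model of a "filter, then encode" CSS sanitizer (assumption: NOT
// toStaticHTML's code). It shows why the ';' inside an HTML entity breaks a
// filter that reasons about CSS declarations before encoding.

// A value is dangerous if it starts with expression( (case-insensitive).
const DANGEROUS_VALUE = /^\s*expression\s*\(/i;

// Split a declaration block the way a lenient parser does: declarations end
// at ';' and '=' is accepted in place of ':' (modelled on the post's claim).
function parseDeclarations(block) {
  return block
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((d) => {
      const m = d.match(/^([^:=]+)[:=](.*)$/);
      return m
        ? { prop: m[1].trim(), value: m[2].trim() }
        : { prop: d, value: '' };
    });
}

// Minimal HTML entity encoding of the characters the post names.
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// True if any declaration in the block has an expression( value.
function hasExpressionDeclaration(block) {
  return parseDeclarations(block).some((d) => DANGEROUS_VALUE.test(d.value));
}

// Flawed order: check the declarations, THEN encode. The encoding step
// introduces a ';' (from "&amp;") that the check never saw.
// Returns the emitted text, or null if the block was rejected.
function sanitizeFilterThenEncode(block) {
  if (hasExpressionDeclaration(block)) return null;
  return htmlEncode(block);
}

// Hardened order: encode first, then validate exactly the text that will be
// emitted, so any ';' created by encoding is visible to the check.
function sanitizeEncodeThenFilter(block) {
  const out = htmlEncode(block);
  return hasExpressionDeclaration(out) ? null : out;
}

// Constructed sample input: the declaration block from the post.
const SAMPLE = 'color:rgb(0,0,0)&a=expression(alert(1))';

const leaked = sanitizeFilterThenEncode(SAMPLE);
console.log('filter-then-encode emitted :', leaked);
console.log('  re-parsed declarations   :', parseDeclarations(leaked));
console.log('  reaches expression()?    :', hasExpressionDeclaration(leaked));
console.log('encode-then-filter emitted :', sanitizeEncodeThenFilter(SAMPLE));
```

Re-parsing what the flawed sanitizer emits yields two declarations, the second being a=expression(alert(1)); the hardened ordering rejects the same input because it checks the encoded output. The general lesson is that any transformation applied after validation (entity encoding, normalization, decoding) must be followed by re-validation of the final bytes.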
Impact:
Every application that relies on the function toStaticHTML to sanitize user-supplied data is now probably
vulnerable to XSS.
References:
http://www.securityfocus.com/bid/48199
http://support.avaya.com/css/P8/documents/100141412
http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx
An old post from 2011, originally published on the Watchfire (IBM) blog.
Discovered by - Adi Cohen, IBM Application Security Research