Search
  • Adi "Adico" Cohen

Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability CVE-2011-1252

The following post describes a bypass I found to the toStaticHTML function in IE - back in 2011.



Introduction:


The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and Internet Explorer 9 is used to sanitize

HTML fragments from dynamic and potentially malicious content.

If an attacker is able to break the filtering mechanism and pass malicious code through this function, he/she may be

able to perform HTML injection based attacks (i.e. XSS).


Vulnerability:


An attacker is able to create a specially formed CSS snippet that after passing through the toStaticHTML function will contain an expression that will trigger a JavaScript call.


The following JavaScript code will demonstrate the vulnerability (Should be a one-liner):

<script>document.write(toStaticHTML(" <style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style> "))</script>

The reason this code bypass the filter engine is due to two reasons:

  1. The filtering engine allows the string "expression(" to exists in "non-dangerous" locations within the CSS string.

  2. The filtering engine encodes characters such as ( & , < , > , etc…) to their HTML encoded entities (&amp; , &gt; , &lt; , etc…).


When combining these two facts the attacker is able to use the semi-colon of the HTML encoded entities

representation in order to terminate a CSS sentence and move to a new one without having the filtering engine

realize it, thus breaking the state machine and bypassing the filter.


The output of the toStaticHTML will look like:

<style>div{color:rgb(0,0,0)&amp;a=expression(alert(1))}</style>

As we all know, '=' is equivalent to ':' in CSS and therefor evaluates correctly.



Impact:


Every application that relies on the function toStaticHTML to sanitize user supplied data is now probably

vulnerable to XSS.


References:


http://www.securityfocus.com/bid/48199

http://support.avaya.com/css/P8/documents/100141412

http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx


An old post from 2011. Originally published under Watchfire's (IBM) Blog

Discovered by - Adi Cohen, IBM Application Security Research

4 views

Recent Posts

See All

JSON-based XSS exploitation

The following post describes a new method to exploit injections in JSON file - Back in 2012 Introduction: In the world of Web2.0 and mash web applications, security researchers come across more and mo

Never Miss a Post. Subscribe Now!

I promise to never send malicious content :)

  • Grey Twitter Icon