Revisiting XSS Sanitization

A talk by Ashar Javed

@

Research Contribution

WYSIWYG Editors' XSSed

Who Am I?

WYSIWYG

What You See Is What You Get

Sites use WYSIWYG editors as a part of ...

  • Forum Post
  • Private Messaging
  • Wiki Post
  • Support Ticket
  • Signature Creation
  • Comments

WYSIWYG Editor of Magento Commerce

WYSIWYG Editor of Twitter Translation

WYSIWYG Editor of Amazon

WYSIWYG Editor of Yahoo Email

Third-Party WYSIWYG Editors

Froala WYSIWYG Editor

Some Statistics about Froala

Jive WYSIWYG Editor

Statistics about Jive

TinyMCE WYSIWYG Editor

Statistics about TinyMCE

CKEditor WYSIWYG Editor

Statistics of CKEditor

MooEditable WYSIWYG Editor

In Use on CNET Forums

Cross-Site Scripting (XSS)

XSS --- An Epidemic

For Details on XSS ... see my slides

Lets Start with a tale of 1000$ XSS in WYSIWYG editor of Magento Commerce

Magento Commerce's Bug Bounty Program

Magento Commerce Forum Posting has been disabled ... :D

XSS affects on 2051362 users

WYSIWYG Editor of Magento Commerce

How it works?

Quick XSS Test

By looking at [removed] in the converted XSS attack vector ...

I remembered CodeIgniter's CI_Security Class

What is CodeIgniter?

CodeIgniter's Popularity

My meeting with CodeIgniter :-D

Let's start dissecting ...

Dissection Continue ...

Dissection Continue ...

Dissection Continue ...

width:expre/**/ssion(alert(1)) is an old trick discussed in SLA.CKERS

CSS will work if ...

BUT we have ...

Question: How to get rid of `color`?

Next Great Idea ...

Use STYLE tag as per allowed syntax

It seems I am moving in the right direction ...

Use double quotes in order to break the context ...

Here we go ...

Who Cares about IE7?

Lets try to make it work in modern browsers ...

Yes ... Done with it...

Tea Time with `cookie` :-)

Another Sad Thing ...

"PHPSESSID" cookie is not httpOnly .... 

Can XSSed Forum Moderator for more privileges

Recommended Read

Identification of Common Injection Points in WYSIWYG Editors

Injection Points in WYSIWYG Editors

  • Insert/Edit Image
  • Insert/Edit URL
  • Set Attributes
  • Insert/Upload File
  • Insert/Upload Video

Attacking Insert/Edit Image Feature

Attack Vector #1

Features of attack vector #1

  • Valid URL (Browsers render it)
  • In case of explicit decoding on server-side, it can be used to break the context and execute JavaScript
  • Useful in breaking the context for JavaScript execution (in case if no server-side decoding)
  • SVG based JavaScript execution

Explicit Server-Side Decoding ...

XSSed Alexa (Explicit Decoding Case)

Recommended Read

XSSed GitHub's MarkDown (SVG based JavaScript execution)

Recommended Read

XSSed Amazon's Seller Central & Kindle Direct Publishing Forums's WYSIWYG Editor

Insert Image Syntax

!Image URL Goes Here!

Internally it is treated as ...

<img src="ImageURL" alt>

XSSed Amazon's Seller Central (break context case)

XSSed Amazon's Kindle Direct Publishing (break context)

Attack Vector #2

Useful in cases if sites automatically insert anchor tag (<a>) around image ...

e.g., Twitter inserts <a> tag around <img>

Recommended Read

XSSed Jive

Other Potential Attack Vector for <img src="">

Attacking Attributes in WYSIWYG Editors

Common attributes are ...

alt, id, class, value & title

Attribute Context Attack Methodology

XSSed Yahoo Email's WYSIWYG Editor

`` in action

XSSed GitHub's Markdown

https://html5sec.org/innerhtml/ (Mario Heiderich's Utility)

GitHub's reply on my report

Lithium WYSIWYG Editor

Lithium's reply on my report

XSSed TinyMCE

Attacking Insert/Edit Link Feature

WYSIWYG's Insert Link

URL Context Attack Methodology

XSSed FreeTextBox (ASP.NET) Based WYSIWYG Editor

Who is using FreeTextBox?

XSSed KindEditor

Who is using KindEditor?

Who is using PHP HTML Edit

XSSed Web Wiz

Who is using Web Wiz?

XSSed EditLive

Who is using EditLive?

XSSed MarkItUp

Who is using MarkItUp?

XSSed Mercury (Rails)

Who is using Mercury?

XSSed CNET's Forum (MooEditable WYSIWYG Editor in use ...)

XSSed Froala

XSSed Jive

Phishing with data URI

Reward from Jive :)

XSSed TinyMCE

XSSed 6 more WYSIWYG Editors

A tale of an XSS in Twitter Translation's WYSIWYG Editor

Twitter Translation's WYSIWYG (Insert Link)

Lets XSS ... step #1

Step #2

Step #3

Step #4

Here we go ...

After Fix ... @ndm Replied

Which 3rd Party Library (WYSIWYG)?

XSSed MarkDown

Recently an attempt has been made to make it standard ... BUT

Set Back?

Standard Markdown is now Common Markdown

Attacking `Style` Feature of WYSIWYG Editors

`style` attribute in WYSIWYG

Style Context Attack Methodology

Style Context Attack Methodology works only in old IE Browsers ... Who cares?

XSSed Ebay (CKEditor in use)

Reward from Ebay :)

XSSed TinyMCE

Attacking Insert/Edit/Upload File Feature of WYSIWYG

Insert/Edit/Upload File

XSSed Imperavi Redactor (File name == XSS vector)

Who is using Imperavi Redactor?

XSSed Froala via Flash File

Before & After Fix ...

XSSed x.com (Paypal's Site) WYSIWYG Editor via Flash File [worth 1000$]

Attacking Insert Video Feature of WYSIWYG Editors

Insert/Edit Video

YouTube's embed code for video sharing looks like ...

For XSS ...

Simply add onmouseover=alert(1) in <object> & <embed> tags ...

XSSed Raptor

Microsoft's WYSIWYG Editor for Wiki Articles Posting

XSSed Microsoft.com's WYSIWYG Editor

Microsoft's WYSIWYG Editor's Fix at the moment ...

Why almost all WYSIWYG Editors are vulnerable?

But first lets see some comments from developers on my reported bugs in WYSIWYG editors

Developers Comments

#1

#2

#3

#4

#5

#6

Reasons

`Transfer of responsibility`+ `Laziness`

Developers of the WYSIWYG editors think that developers of the server-side/back-end or web applications will do sanitization while developers of web applications are happy to include WYSIWYG editors "AS IT IS" ...

Enough Breaking ...

Lets Present Unbreakable Sanitizer/Filter

What? ... Unbreakable? :-D

81570 failed XSS attempts

"The solutions all are simple...
after you have arrived at them.
" (Robert M. Pirsig, American novelist)

Protection against JavaScript execution via common attributes (e.g., id, title etc) in WYSIWYG Editors

Attribute Context Attack Methodology & Implementation of a generic`attributeContextCleaner` function

What if attacker will use encoding?

See fiddle for an answer ...

Protection against JavaScript execution via `style` attribute in WYSIWYG Editors

Style Context Attack Methodology & Implementation of a generic`styleContextCleaner` function

Questions Arise ...

Features of `styleContextCleaner()`. It allows simple styles ...

Protection against JavaScript execution via `url` e.g., img's src and/or anchor's href attribute

Implementation of `urlContextCleaner()`

See my XSS filter if you want to allow harmless tags ...

General Guidelines for XSS Protection

HttpOnly Cookies

Iframe's `sandbox` attribute

Content Security Policy without `unsafe-inline` and `unsafe-eval`

Will Conclude ...

Keep it simple like Facebook's WYSIWYG editor...

Thank You