Re: XSS mitigation in browsers

On 20 January 2011 22:49, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> Oh, and I noticed that CSP specifies allowable script locations on
> per-origin basis too.
>
> That would make it vulnerable to the two attacks I mentioned in my
> initial response to Adam, right?
>
> Specifically, consider that within any medium-complexity domain
> (mozilla.com, google.com, facebook.com), you can almost certainly
> discover a location that returns HTML-escaped attacker-supplied text
> in a context that would parse as valid JavaScript. This is easier than
> expected particularly in browsers that support E4X - such as Firefox.
> If I have a 404 HTML page saying:
>
> <html><body>
> ...
> The page at $escaped_request_location cannot be found.
> ...
> </body>
> </html>
>
> ...and $request_location = "/some/path/{alert(1)}", then user-supplied
> script will execute. To test, try this in Firefox:
>
> javascript:void(<html>foo {alert(1)}</html>)
>

Yeah this attack is known from a while ago (2009) but using JSON files with
UTF-7:-
<http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/>

Mozilla decided (I think) to protect against this by denying E4X documents
to be the "full program" but this is useless because we can simply split the
statement up. I love and hate E4X so much.

>

Received on Thursday, 20 January 2011 23:07:34 UTC