#Product: Laravel-Security XSS Filter Bypass
#Vulnerability: Mutation Based XSS Bypass
#Impact: Medium/High
#Authors: Rafay Baloch
#Company: RHAinfoSEC
#Website: http://rhainfosec.com
#Status: Fixed

=========
Description
=========

Laravel Security is a port of the security class from CodeIgniter 2.1 for Laravel 4.1. It relies upon a blacklist approach to filter out common malicious inputs.

=========
Vulnerability
==========

The vulnerability lies in the fact that the XSS filter decoded HTML entities once before applying its blacklist and returned the decoded string. Based on this, it was possible to construct a double-encoded payload that survives the filter's single round of decoding in a form the blacklist does not recognise, while still decoding into executable JavaScript once it reaches the browser.

=============
Proof of concept
=============

During initial testing the following input was provided:

Clickhere

The filter decodes the HTML entities once, so the decoded payload matched the blacklist and the attack was blocked.

After decoding:

Clickhere

Next, we double encoded the entities:

Clickhere

And since the filter decodes the entities only once, we are left with the following:

Clickhere

which is perfectly valid syntax inside an href attribute: the blacklist does not match the still-encoded form, and the browser decodes the remaining entities and executes the JavaScript.

===
Fix
===

The vulnerability has been fixed; the latest version doesn't decode HTML entities, and hence the attack is mitigated.

==========
References
==========

https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413
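The following is an added example that models the decode-once-then-blacklist behaviour described in the proof of concept above; it is not Laravel-Security's or CodeIgniter's code, and the payloads, the `BLACKLIST` pattern and the `hardened_filter` contrast are constructed for illustration only (the advisory's own payloads did not survive extraction, and the hardening shown is an assumed alternative, not the project's actual fix). It walks a single-encoded and a double-encoded `javascript:` URI through the vulnerable filter and through a filter that decodes to a fixpoint before matching, and reports what a browser would make of the filtered output in an href attribute.

```python
import html
import re

# Constructed payloads for this example. The letter "j" is written as the
# numeric entity &#106; so that the literal string "javascript:" never
# appears in the input.
SINGLE_ENCODED = "&#106;avascript:alert(1)"
# Double-encoded: the "&" that starts that entity is itself written as &amp;
DOUBLE_ENCODED = "&amp;#106;avascript:alert(1)"
BENIGN = "https://example.com/"

# Hypothetical blacklist standing in for the filter's real rules: it only
# recognises a literal "javascript:" scheme.
BLACKLIST = re.compile(r"javascript\s*:", re.IGNORECASE)


def decode_once(value: str) -> str:
    """One pass of HTML entity decoding. html.unescape does not re-scan its
    own output, so "&amp;#106;" becomes "&#106;", not "j"."""
    return html.unescape(value)


def decode_to_fixpoint(value: str, max_rounds: int = 8) -> str:
    """Decode repeatedly until the string stops changing, so a nested encoding
    cannot hide behind a single decode pass. max_rounds bounds the loop."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_filter(value: str) -> str:
    """Models the behaviour the advisory describes: decode entities exactly
    once, reject on a blacklist hit, otherwise return the *decoded* string."""
    decoded = decode_once(value)
    if BLACKLIST.search(decoded):
        return ""  # blocked
    return decoded


def hardened_filter(value: str) -> str:
    """Assumed hardening for contrast (not the project's fix): normalise to a
    fixpoint before the blacklist check, then return the normalised form."""
    decoded = decode_to_fixpoint(value)
    if BLACKLIST.search(decoded):
        return ""  # blocked
    return decoded


def browser_resolves_to_javascript(href_attr: str) -> bool:
    """Models what a browser does with the filtered output placed in an href
    attribute: it decodes entities once more, then reads the URL scheme."""
    url = decode_once(href_attr).strip().lower()
    return url.startswith("javascript:")


def walk_through(payload: str, filt) -> dict:
    """Run one payload through a filter and report what the browser would see."""
    out = filt(payload)
    return {
        "input": payload,
        "filter_output": out,
        "executes": browser_resolves_to_javascript(out) if out else False,
    }


if __name__ == "__main__":
    for name, payload in [("single", SINGLE_ENCODED),
                          ("double", DOUBLE_ENCODED),
                          ("benign", BENIGN)]:
        print(name, "vulnerable:", walk_through(payload, vulnerable_filter))
        print(name, "hardened:  ", walk_through(payload, hardened_filter))
```

The single-encoded payload is blocked because one decode exposes the literal scheme; the double-encoded one passes because one decode only strips the outer layer, and the browser's own decoding of the href attribute supplies the second. Decoding to a fixpoint closes this particular gap, but a blacklist remains a blacklist: the durable defence for href values is an allowlist of URL schemes plus context-aware output encoding, not a larger pattern list.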