
XSS: Exploiting file inputs




Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.

XSS enables attackers to inject client-side script into web pages. One well-known case is the "Mr Bean attack": on 4 January 2010, during the Spanish presidency, the EU presidency site was defaced so that a photo of Mr Bean replaced the Spanish Prime Minister. If you do not remember anything about it, click here (it was a great joke).

Now there is a new way to exploit this kind of vulnerability.

A researcher has spotted a new vector for exploiting XSS by means of file input fields. The main difficulty is obtaining a filename that contains special characters (\ / : * ? " < > |), for example:

On a Windows system:

NTFS | 255 characters max. | Any Unicode character except NUL and \ / : * ? " < > |

I realised it was impossible to create a cross-site scripting vector without these characters.

Solution:

Look for another way to build the filename with special characters. This search was rewarded by finding the ext4 filesystem format.

ext4 | 256 bytes max. | Any byte except NUL and /

Every character except "/" is allowed, so you still cannot build a <script> tag that loads its payload from an http link, because such a link always contains two slashes (http://).

To work around this, encodeURIComponent() is used to encode the following characters: , / ? : @ & = + $ #.
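To make the two filesystem rules and the defensive fix concrete, here is an added JavaScript example that is not from the original post or from the linked 12k.nl write-up. It checks a constructed sample filename against the NTFS and ext4 reserved-character rules quoted above, confirms that encodeURIComponent() removes the slashes from a URL, and then shows the two server-side controls that neutralise the vector regardless of filesystem: HTML-escaping the filename wherever it is reflected, and normalising the stored name to a conservative character set. The function names and the sample filename are my own assumptions.

```javascript
// Characters an NTFS filename can never contain (besides NUL), per the table above.
const NTFS_RESERVED = /[\\/:*?"<>|\x00]/;
// ext4 only rejects NUL and the path separator.
const EXT4_RESERVED = /[/\x00]/;

function isAllowedOnNtfs(name) {
  return !NTFS_RESERVED.test(name);
}

function isAllowedOnExt4(name) {
  return !EXT4_RESERVED.test(name);
}

// Output encoding: escape the five HTML-significant characters so a filename
// can be placed in element content or a quoted attribute without becoming markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[c]));
}

// Input normalisation for the name that gets stored on disk: drop any path
// components, then keep only a conservative character set. Anything else
// (including every character in the NTFS reserved list) becomes "_".
function sanitizeFilename(name) {
  const base = String(name).split(/[\\/]/).pop();
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '');
  return cleaned.length ? cleaned.slice(0, 255) : 'upload';
}

// Render one row of an "uploaded files" listing with the original name escaped.
function renderUploadRow(originalName) {
  return `<tr><td>${escapeHtml(originalName)}</td></tr>`;
}

// Constructed sample filename (not taken from the post): legal on ext4,
// illegal on NTFS because it contains < > and ".
const SAMPLE_NAME = '<b title="q">notes.txt';

function demo() {
  return {
    allowedOnNtfs: isAllowedOnNtfs(SAMPLE_NAME),
    allowedOnExt4: isAllowedOnExt4(SAMPLE_NAME),
    // A URL run through encodeURIComponent() no longer contains "/",
    // so a filter that only looks for slashes would not notice it.
    encodedUrlHasSlash: encodeURIComponent('http://example.test/a.js').includes('/'),
    rendered: renderUploadRow(SAMPLE_NAME),
    stored: sanitizeFilename(SAMPLE_NAME),
  };
}
```

Output encoding is the essential control: a filter that only looks for "/" or a "<script" prefix misses a name carrying an encoded URL, whereas escaping at the point of reflection handles any byte ext4 lets through. The stored-name normalisation is a second, independent layer that also stops path traversal via the same field.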

PoC and More in: http://12k.nl/post/10167884662/xss-a-new-vector-exploiting-file-inputs
