Monday, March 28, 2011

Abusing Referrer on Explorer for Referrer based DOM Xss

I don't really know if this is actually known, but I thought it was worth writing.

In a few words
:
While other browsers do not allow particular charaters in sub domains, IE does. Hence it's possible to abuse that behavior to exploit referrer based DOM Xss.

Some more words about it:
I was doing some testing using DOMInator (a yet-to-release tool for finding DOM Based Xss) and I saw a JavaScript snippet doing the following:

with(document)
write('<sc'+"ript src="http://Host/image.gif?t="+c+"r="+(referrer.split("/")[2])+"></sc"+'ript>'); //updated to match host only referrer

Immediately some question came to me: « Is it actually exploitable? Do any browser allow HTML special characters in subdomain, like '">heyThere.mindedsecurity.com? »
After testing some browser I saw that Internet Explorer does allow them.

So we set up a DNS which always returns the same IP no matter what subdomain is requested.

That means that it's possible for an attacker to request
"onreadystatechange=eval(name).attacker.com and use it to abuse IE host behavior and exploit
pages vulnerable to DOM Based Cross Site Scripting via referrer.

Nota Bene: At the moment the wildcard DNS is private. But we'll release
a basic service to test referrer based DOMXss. So, stay tuned for updates.

6 comments :

  1. Just goes to show the best-practice "Don't reflect attackers-supplied input" still applies, everywhere.

    ReplyDelete
  2. @Eric, definitely!
    Assuming something isn't going to happen is a wrong assumption.
    Applying data validation and output encoding by context *usually* saves application from unexpected behaviors.

    ReplyDelete
  3. Thanks to Ferruh Mavituna I for pointing out that example was wrong.
    The wrong assumption is about considering that hostnames cannot contain special characters.
    the (referrer.split("/")[2]) will just return the hostname.
    IE allows special character also in subdomains.

    ReplyDelete
  4. IE allows referrer-based XSS. I created P0c some months ago. http://attacker.in/_generic/referer-xss/

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. @mx Yes IE allows referrer based Xss, but the 'news' here is that special characters are allowed in the subdomain name. Like

    '"><iframe%20onload=eval(name)>.attacker.in/somepage

    ReplyDelete