Firefox weird JavaScript execution
Monday, 13 August 2007
I’ve been reading sla.ckers quite a lot recently and found an interesting topic there where rsnake describes some strange Firefox JavaScript execution vectors I wasn’t aware of. I thought I’d share them with everyone because I’m sure you’ll find them of interest.
1. First off there’s the double slash //, which lets you specify a domain name without writing http:// at all; the browser fills in the scheme of the current page, so a filter that only looks for http:// or https:// at the start of a URL never sees it. Example:
<a href="//www.thespanner.co.uk/">Test</a>
2. You can also use a / in place of the space between attributes, e.g. <body/s/onload=x={doc:parent.document};x.doc.writeln(1), which Firefox executes despite the tag being incomplete (no closing >) and containing no spaces at all.
3. This is just silly: the junk attribute name between the slashes does not stop the handler from being picked up either.
<body/""$/onload=x={doc:parent['document']};x.doc.writeln(1)
I think Firefox should insist on valid HTML markup before it tries to execute any JavaScript. There are many more problems of this kind, such as the invalid comment string handling which I’m sure everyone is aware of. The point for anyone filtering user-supplied HTML is that a blacklist written against well-formed markup (a space before onload, a closing >) will not match what the browser actually executes. Scary stuff.
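The following is an added example, not code from the original post or from rsnake. It shows two things the vectors above turn on: how a scheme-relative reference such as //www.thespanner.co.uk/ resolves against the page that contains it (the point Brad makes in comment No. 9), and why a blacklist regex written for well-formed markup misses the slash-separated tags while extracting attribute names the way an HTML tokenizer does, and checking them against an allow-list, does not. The allow-list contents, the base URL and the control tag are assumptions chosen for the demonstration; the two vectors are the ones from the post with the curly quotes straightened.

```javascript
// Added example (not part of the original post). Demonstrates (1) scheme-
// relative URL resolution and (2) blacklist vs. allow-list handling of the
// slash-separated onload vectors. Runs under Node; the allow-list, base URL
// and control tag below are assumptions for the demo.

// (1) Resolve a reference the way a browser does: "//host/path" keeps the
// scheme of the base document, so it is a different origin, not a path.
function resolveHref(href, baseUrl) {
  return new URL(href, baseUrl).href;
}

function hrefStaysOnOrigin(href, baseUrl) {
  return new URL(href, baseUrl).origin === new URL(baseUrl).origin;
}

// (2a) Naive blacklist: "<body", some whitespace, then an onload attribute.
// This is the shape of filter the vectors in the post are designed to evade.
function naiveBlacklistCatches(markup) {
  return /<body\s+[^>]*onload\s*=/i.test(markup);
}

// (2b) Attribute names of a single start tag, following the HTML tokenizer
// rules that matter here: after the tag name a "/" acts as a separator (the
// tokenizer reads it as an attempted self-closing marker, then goes back to
// looking for an attribute name), quote characters that appear inside an
// attribute *name* become part of that name, and an unquoted value runs until
// whitespace or ">". The tag does not have to be closed.
function startTagAttributeNames(markup) {
  const m = /^<([A-Za-z][^\s\/>]*)/.exec(markup);
  if (!m) return { tag: null, attrs: [] };
  const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f' || c === '\r';
  const isSep = (c) => c === '/' || isSpace(c);
  const attrs = [];
  let i = m[0].length;
  while (i < markup.length && markup[i] !== '>') {
    while (i < markup.length && isSep(markup[i])) i++;           // between attributes
    if (i >= markup.length || markup[i] === '>') break;
    let name = '';
    while (i < markup.length && !isSep(markup[i]) && markup[i] !== '=' && markup[i] !== '>') {
      name += markup[i++];                                         // attribute name
    }
    attrs.push(name.toLowerCase());
    while (i < markup.length && isSpace(markup[i])) i++;           // after attribute name
    if (markup[i] === '=') {
      i++;
      while (i < markup.length && isSpace(markup[i])) i++;
      const q = markup[i];
      if (q === '"' || q === "'") {                                // quoted value
        i++;
        while (i < markup.length && markup[i] !== q) i++;
        i++;
      } else {                                                     // unquoted value
        while (i < markup.length && !isSpace(markup[i]) && markup[i] !== '>') i++;
      }
    }
  }
  return { tag: m[1].toLowerCase(), attrs };
}

// Allow-list: a tag is accepted only if every attribute name is one we chose
// to permit. Event handlers (on*) are simply never on the list, so there is
// nothing for a parser quirk to slip past. The list is an assumption for the
// demo; an allowed href still needs its value checked, see hrefStaysOnOrigin.
const ALLOWED_ATTRS = new Set(['class', 'id', 'title', 'href']);

function allowListAccepts(markup) {
  const { tag, attrs } = startTagAttributeNames(markup);
  return tag !== null && attrs.every((a) => ALLOWED_ATTRS.has(a));
}

// The two vectors from the post (curly quotes straightened) and a well-formed
// control case that the blacklist regex was written for.
const VECTORS = [
  '<body/s/onload=x={doc:parent.document};x.doc.writeln(1)',
  '<body/""$/onload=x={doc:parent[\'document\']};x.doc.writeln(1)',
];
const CONTROL = '<body onload=alert(1)>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(resolveHref('//www.thespanner.co.uk/', 'https://example.com/page'));
  for (const v of [CONTROL, ...VECTORS]) {
    console.log(JSON.stringify(v), 'blacklist:', naiveBlacklistCatches(v),
      'attrs:', startTagAttributeNames(v).attrs, 'allow-list:', allowListAccepts(v));
  }
}
```

Run with node: the control tag is the only one the blacklist catches, yet all three tags yield an onload attribute once the slashes are treated as separators, and the allow-list rejects all three for the same reason (onload is not on it). The URL line shows the // reference landing on www.thespanner.co.uk with the base page's https scheme, which is why an href filter has to compare resolved origins rather than look for a scheme prefix.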
No. 1 — August 13th, 2007 at 6:52 pm
Interesting…
Just reading your message options… do I read correctly that you support JavaScript in the comments?… this sounds dangerous…
alert('Script should not be allowed in comments.');
cheers
steve
No. 2 — August 13th, 2007 at 7:47 pm
Hi Steve
No you read incorrectly I support syntax colouring but nice try lol.
No. 3 — August 13th, 2007 at 8:19 pm
Hi Gareth,
Yes they help out a lot of sloppy coders, they’ve managed to write some insanely good RegExes to interpret what you mean by writing that gibberish. Incredible isn’t it? I’ve had a couple of vectors myself that were just mind blowing and still worked. I think we all can agree on whitelisting now! 😉
No. 4 — August 13th, 2007 at 8:28 pm
Definitely strange… when you consider what the double slash in JavaScript terms is…
<a href="javascript:doThis();//dontDoThis();">Click me</a>
doThis should run, dontDoThis is commented out…
Glad to hear this doesn’t work on IE though… or I’m sure there would be a horrid script on the loose. 😉
No. 5 — August 13th, 2007 at 8:46 pm
Whitelisting is the only way to go Ronald, there’s just so much that is possible. I think although you can be clever with RegExps someday you’ll get burned.
No. 6 — August 13th, 2007 at 8:49 pm
Steve, yeah there’s some strange stuff with commenting too, Firefox doesn’t handle comments correctly and IE renders some pretty insane stuff too.
The browsers should all adopt a strict standard which doesn’t allow this rubbish to get through because it’s only a matter of time before the next Myspace/Wordpress/Enter any site here worm gets loose on the internet.
No. 7 — August 14th, 2007 at 1:02 am
It looks like Firefox is actually honoring the SGML parsing rules! Weird for the average user and totally unusable. Thank goodness HTML 5 will remove the pretense that HTML is an SGML application.
No. 8 — August 14th, 2007 at 8:44 am
I’d just like to say that the PHPIDS protects against even the attack mentioned in the post. Which I found quite impressive, the project is open source and they’re not paying me to say they’re good either, honest, but I’ll give credit where credit is due and criticism where criticism is due, you know me 😉
Get involved with their project
No. 9 — August 16th, 2007 at 7:02 pm
Actually, that first one is a valid HREF in terms of the RFCs – it means “use the same scheme as this location, but change the other options”.
Mucked me around when I ran into it while writing a rewriting-proxy… you can see it used on slashdot.org’s links.
No. 10 — August 16th, 2007 at 7:56 pm
Hmmmm, interesting Brad, thanks, I didn’t know that.