Comments on: Inline UTF-7 E4X javascript hijacking http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/ A tool for designers dealing with programmers dealing with designers... Fri, 12 Mar 2010 05:05:20 +0000 http://wordpress.org/?v=2.6.2 By: Gareth Heyes http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1705 Gareth Heyes Tue, 02 Mar 2010 22:00:47 +0000 http://www.thespanner.co.uk/?p=361#comment-1705 @Eli Interesting the E4X spec says this shouldn't be possible, have you got a POC? Anyway it's possible to get the rest of the doc using setTimeout and assigning the remaining HTML to a E4X variable @Eli

Interesting the E4X spec says this shouldn’t be possible, have you got a POC?

Anyway it’s possible to get the rest of the doc using setTimeout and assigning the remaining HTML to a E4X variable

]]> By: Eli Grey http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1704 Eli Grey Tue, 02 Mar 2010 21:50:12 +0000 http://www.thespanner.co.uk/?p=361#comment-1704 You can hijack the rest of the XML by defining a setter on XML.prototype. Then you could do xml.function::hijack = rest-of-the-xml. You can hijack the rest of the XML by defining a setter on XML.prototype. Then you could do xml.function::hijack = rest-of-the-xml.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1682 Gareth Heyes Wed, 13 Jan 2010 13:39:21 +0000 http://www.thespanner.co.uk/?p=361#comment-1682 @Chris Hey Chris, fixed the XML it was because I used a code formatter plugin and now that I removed it (because it was vulnerable =) ) the raw XML data displayed. I sent you a email about e4x @Chris

Hey Chris, fixed the XML it was because I used a code formatter plugin and now that I removed it (because it was vulnerable =) ) the raw XML data displayed.

I sent you a email about e4x

]]> By: Chris Evans http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1679 Chris Evans Wed, 13 Jan 2010 01:15:43 +0000 http://www.thespanner.co.uk/?p=361#comment-1679 Nice!! I only just saw this, for some reason. Great attack. Google Chrome (or more accurately, v8) doesn't have E4X support at the moment. Best I know it's only Firefox. My foray into E4X security was: http://scarybeastsecurity.blogspot.com/2009/05/more-plausible-e4x-attack.html In response to that, Firefox committed a change in 3.5 such that pure XML was not considered valid JavaScript. I'm curious if that change also fixes your UTF7 attack, or if terminating the XML and including another JavaScript statement after causes Firefox to not error? General question I suppose - is FF3.5.8 still vulnerable to this? Have fun, Chris p.s. the XML isn't rendering properly in my browser. You probably want to escape braces etc. with < even though you're in a PRE tag. Nice!! I only just saw this, for some reason. Great attack.

Google Chrome (or more accurately, v8) doesn’t have E4X support at the moment. Best I know it’s only Firefox.

My foray into E4X security was: http://scarybeastsecurity.blogspot.com/2009/05/more-plausible-e4x-attack.html

In response to that, Firefox committed a change in 3.5 such that pure XML was not considered valid JavaScript. I’m curious if that change also fixes your UTF7 attack, or if terminating the XML and including another JavaScript statement after causes Firefox to not error?

General question I suppose - is FF3.5.8 still vulnerable to this?

Have fun,
Chris

p.s. the XML isn’t rendering properly in my browser. You probably want to escape braces etc. with < even though you’re in a PRE tag.

]]> By: sirdarckcat http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1473 sirdarckcat Fri, 27 Feb 2009 02:04:39 +0000 http://www.thespanner.co.uk/?p=361#comment-1473 sweeeeeeeeeeeet dude sweeeeeeeeeeeet dude

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1469 Gareth Heyes Tue, 24 Feb 2009 17:05:52 +0000 http://www.thespanner.co.uk/?p=361#comment-1469 @c See Kuza's link which discusses defensive measures at the bottom. @c

See Kuza’s link which discusses defensive measures at the bottom.

]]> By: c http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1468 c Tue, 24 Feb 2009 16:17:00 +0000 http://www.thespanner.co.uk/?p=361#comment-1468 How would the server protect against this? Does the charset tag override the charset header the servers sends with the data? How would the server protect against this? Does the charset tag override the charset header the servers sends with the data?

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1466 Gareth Heyes Tue, 24 Feb 2009 14:04:28 +0000 http://www.thespanner.co.uk/?p=361#comment-1466 @thornmaker You can remote include styles using the link tag, a variation on the one in our Bluehat presentation @thornmaker

You can remote include styles using the link tag, a variation on the one in our Bluehat presentation

]]> By: thornmaker http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1465 thornmaker Tue, 24 Feb 2009 14:00:28 +0000 http://www.thespanner.co.uk/?p=361#comment-1465 Good stuff Gareth! charset attribute on script tags is new to me. any other weird tags support it? Good stuff Gareth! charset attribute on script tags is new to me. any other weird tags support it?

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/#comment-1464 Gareth Heyes Tue, 24 Feb 2009 11:52:04 +0000 http://www.thespanner.co.uk/?p=361#comment-1464 Thanks for the link, I'll check it out Thanks for the link, I’ll check it out

]]>