Injecting the script tag into XML
Tuesday, 9 October 2007
Firefox is now the browser I like hacking; there's just so much stuff it can do. I simply don't have enough time to explore everything, but what I have found is some very interesting XML behaviour. I was helping Ronald a while back with a Firefox chrome security flaw, and we discussed on slackers that some XML entities in Firefox contain sensitive information which it is possible to read using XHR.
I thought about what other interesting things I could do with XML entities and found a way of injecting script tags using them. This could have implications if, for example, you offer an HTML upload service but filter out dangerous tags. The proof of concept is very basic but displays the method clearly.
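The post does not reproduce its proof of concept, so the following is an added example (my own Python, not the post's code) showing why a tag filter that runs on the raw upload can miss this, and what a defender should check instead. The sample upload is constructed here, the entity name `inject` is borrowed from the comments below, and the script body is an inert marker: an HTML-style tokenizer ends the DOCTYPE token at the first `>`, so it never sees a `script` start tag, while an XML parser expands the internal entity and builds a real `script` element. The hardening decision is to reject any internal DTD subset and to run the element check on the XML-parsed tree rather than on the text.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample upload (not from the original post): the body contains no
# script element; an internal DTD entity carries the markup and the body
# references it. The script content is an inert marker, not a payload.
SAMPLE_UPLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE html [\n'
    '  <!ENTITY inject "<script>/* constructed marker */</script>">\n'
    ']>\n'
    '<html xmlns="http://www.w3.org/1999/xhtml">\n'
    '  <body><p>hello</p>&inject;</body>\n'
    '</html>\n'
)

# Constructed clean upload for comparison.
SAMPLE_CLEAN = (
    '<html xmlns="http://www.w3.org/1999/xhtml"><body><p>hello</p></body></html>'
)

# Element names a sanitizer would strip (assumed list for this example).
DANGEROUS = {"script", "iframe", "object", "embed"}


class _TagCollector(HTMLParser):
    """Records the start tags an HTML tokenizer emits, which is all a
    tag-stripping sanitizer built on such a tokenizer ever gets to see."""

    def __init__(self):
        super().__init__()
        self.start_tags = []

    def handle_starttag(self, tag, attrs):
        self.start_tags.append(tag.lower())


def html_tokenizer_start_tags(doc: str) -> list:
    """Start tags as seen by an HTML-style tokenizer. The DOCTYPE token ends at
    the first '>', so the entity's replacement text never surfaces as a tag."""
    collector = _TagCollector()
    collector.feed(doc)
    collector.close()
    return collector.start_tags


def _local(tag: str) -> str:
    # Drop ElementTree's '{namespace}' prefix so names compare by local name.
    return tag.rsplit("}", 1)[-1]


def xml_elements_after_entity_expansion(doc: str) -> list:
    """Local element names after an XML parser expands internal entities, i.e.
    the tree a browser builds when it renders the upload as XML."""
    root = ET.fromstring(doc)
    return [_local(el.tag) for el in root.iter()]


def has_internal_dtd_subset(doc: str) -> bool:
    """Hardening check: refuse any upload carrying an internal DTD subset, so
    no author-supplied entity can be declared in the first place."""
    return re.search(r"<!DOCTYPE[^>\[]*\[", doc, re.I | re.S) is not None


def upload_is_safe(doc: str) -> bool:
    """Defender's decision: reject internal subsets outright, then run the
    dangerous-element check on the tree the XML parser actually produces."""
    if has_internal_dtd_subset(doc):
        return False
    try:
        names = xml_elements_after_entity_expansion(doc)
    except ET.ParseError:
        return False
    return not (DANGEROUS & set(names))


if __name__ == "__main__":
    print("HTML tokenizer sees:", html_tokenizer_start_tags(SAMPLE_UPLOAD))
    print("XML parser builds:  ", xml_elements_after_entity_expansion(SAMPLE_UPLOAD))
    print("upload_is_safe(SAMPLE_UPLOAD) =", upload_is_safe(SAMPLE_UPLOAD))
    print("upload_is_safe(SAMPLE_CLEAN)  =", upload_is_safe(SAMPLE_CLEAN))
```

The two parser views are the whole point: the tokenizer reports only `html`, `body` and `p`, while the XML tree contains a `script` element, so any filter that decides before XML parsing is looking at the wrong representation. Rejecting the internal subset is the cheap, robust fix; checking the expanded tree is the belt-and-braces fallback for content you must accept with a DOCTYPE.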
No. 1 — October 9th, 2007 at 3:17 pm
It works on Opera 9.23 Linux too :)
No. 2 — October 9th, 2007 at 3:36 pm
Hehe cool, I’ve not tried it in other browsers
No. 3 — October 9th, 2007 at 7:22 pm
/me likes it. very clever
No. 4 — October 9th, 2007 at 8:02 pm
In case you’re curious, Safari 2.0.4 doesn’t like the inject entity:
This page contains the following errors:
error on line 11 at column 46: Entity ‘inject’ not defined
iPhone version shows the alert(1) text itself, but not in a script element.
No. 5 — October 9th, 2007 at 8:42 pm
@Jordan
Thanks for the info, useful :)
@thornmaker
Cheers :)
No. 6 — October 10th, 2007 at 4:36 am
This works with WebKit 25438.
No. 7 — October 10th, 2007 at 9:18 am
Sweeeeet!
No. 8 — October 14th, 2007 at 3:55 am
Gareth Heyes
Honestly
I developed this months ago and exploited Google Toolbar using this technique. I deserve some credit :)
If you are interested in the PoC, let me know.