Luny has been on a roll lately, finding dozens of XSS vulnerabilities. I could probably devote my entire blog to his efforts if I just wanted to document various working exploits. I, however, am more interested in the obfuscation techniques required to perform a number of his successful attacks, because that is what the XSS Cheat Sheet is all about - filter evasion.
The first was in apnaspace.com. I think this is relevant because of the obfuscation that bbcode provides. I cannot stress more what a bad idea I think bbcode is. All it does is make it harder to understand what is going on, and it makes people learn a new way to write the exact same thing they are already used to writing. If you are going to allow HTML, fine, just parse it. BBcode makes you parse it anyway, so you gain nothing. It’s crap, I tell you. Crap!
The hi5.com exploit is the second XSS attack worth looking at. The technique that was interesting there was that embedded tabs were required. The other interesting point is that for some reason they blocked the word “alert”. I’m not sure if this was an IPS/webapp firewall block or if it was just some inline code block, but either way, why? Blocking alert just obfuscates the problem. If you aren’t going to fix the problem, why put a band-aid on one method of detecting it? It’s ridiculous if you ask me. Shoddy programming, and it gains you nothing. And the worst part is they must have known about the problem to have blocked it in this way. If you know the problem, why would you try to stop something benign like “alert”? Maybe I’m just not getting it, I thought the point was to stop code injection, not to stop warning boxes.
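To make the point concrete, here is an added example (mine, not code from hi5.com or from Luny's findings; the helper names are my own) that puts a keyword blocklist next to the contextual output encoding that actually fixes the injection:

```javascript
// Added example: why stripping a benign keyword does not fix injection,
// and what does. The input is a constructed sample for this demonstration.

// The kind of "fix" described above: remove the word "alert" and nothing else.
function blocklistAlert(input) {
  return String(input).replace(/alert/gi, "");
}

// The real fix for the HTML text context: encode every character the HTML
// parser assigns meaning to, so user data can never become markup.
function encodeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Simple check used by this example: does the output still open a tag?
// (A constructed heuristic for the demo, not a general-purpose detector.)
function containsMarkup(output) {
  return /<\s*[a-z!\/]/i.test(output);
}

// Run both approaches over one input and report whether markup survives.
function evaluate(input) {
  const blocked = blocklistAlert(input);
  const encoded = encodeHtml(input);
  return {
    blocked,
    blockedStillMarkup: containsMarkup(blocked), // true: tag survived, word did not
    encoded,
    encodedStillMarkup: containsMarkup(encoded), // false: the word survives, the tag does not
  };
}

// Constructed sample input: the canonical probe a tester would submit.
const SAMPLE = "<script>alert(1)</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluate(SAMPLE));
}
```

The blocklist leaves the script element intact and only removes the harmless word; the encoder leaves the word in place and removes the ability to inject anything at all.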
Luny also did me a huge favor by finding an XSS hole in about.com. I really dislike about.com. Okay, maybe there wasn’t anything interesting in the fact that about.com wasn’t even attempting to stop the problem, but I think they are a waste of bandwidth since I can never find what I am looking for on there. Nuff said.
Lastly, B3ta.com tried their best against XSS, but alas, they were overcome by hex encoding in images. That works in IE and the IE rendering engine in Netscape 8.0+.
Luny deserves some praise. He’s raising the awareness, if nothing else. Good job!