web application security lab

Server Side MHTML Fix and XSS Fragmentation

I know there are quite a few people who read this site but don’t look at the forums, so to save you some time combing through all the recent posts, I thought I’d highlight a few that were particularly noteworthy. The first is from Łukasz Pilorz. After running quite a few tests against the most recent MHTML vulnerability in IE (which turned out to be a problem with the interaction between Outlook Express and the browser), Łukasz found that there is one server-side mitigating factor that makes this attack fail - and it’s something as simple as adding a few line breaks to your code.

Next, there have been a lot more attacks against MySpace on the forums as of late. I think increased awareness of how high-profile a target it is has been the main impetus, but I’m speculating. Anyway, kuza55 found a rather interesting hole in MySpace using XSS fragmentation, which is a tricky way of saying he used two individually benign pieces of code, injected into two different places on the same page, to create a successful attack vector. It’s an interesting read and a terrific proof of concept of why blacklisting is prone to failure: each fragment on its own contains nothing a filter would object to, and the dangerous markup only exists once the page has been assembled.

It’s also an interesting concept because it shows why you cannot look at an injection point in isolation and make a decision about its level of security. This is where a lot of application security scanners tend to fail - by looking at the singular output of a parameter rather than at the rendered page as a whole, where output from several parameters sits side by side.

3 Responses to “Server Side MHTML Fix and XSS Fragmentation”

  1. Sylvan von Stuppe Says:

    I had also mentioned the fragmented script injection vulnerability in my blog - I think it’s very important for people making their own site to understand that if you do output escaping (just replacing <, >, ", and & with their proper entities) all this goes away - the only time that won’t work is in the case of sites like MySpace where they allow (want) users to put markup in their profiles and such. I’m not saying that you don’t do input validation - you ought to perform business rule validation, but you should ALWAYS do output filtering - which will fix exactly 100% of the problems (er, well, unless you put dynamic data directly into included script, in which case I always recommend moving it out to a hidden form element, then using script to include it back.)

  2. The SEO Hippy Says:

    There was also a second fragmentation XSS exploit in MySpace within the Companies section. By adding a malformed image tag in the Title field, and the XSS JS in the OnError property to the Division field, you get the same effect. AFAIK - as of last night - this vulnerability has been patched.

  3. drew Says:

    kuza55’s find still works:

    Thanks for mentioning it, RSnake… it’s always fun to see them while they’re still in the wild.