Combining UTF-7 and Data Directives
I got an email this morning from dw1de talking about the data directive. As you probably remember, I’ve had that on the cross site scripting cheat sheet for about a year. But dw1de took it to a place I hadn’t thought of before. He started changing the charset around. He took a standard UTF-7 vector and injected it like so (this will only work in Netscape 8.0+ in the Gecko rendering engine mode, Firefox and Opera):
data:text/html;charset=UTF-7,+ADw-script+AD4-alert('XSS')+ADsAPA-/script+AD4-
See the charset? Clever, huh? Now let’s take it to the next logical place by modifying it to be Base64 encoded, like the example on the cheat sheet:
data:text/html;charset=UTF-7;base64,K0FEdy1zY3JpcHQrQUQ0LWFsZXJ0KCdYU1MnKStBRHNBUEEtL3NjcmlwdCtBRDQt
As dw1de said, there is probably more here. I took a cursory pass at trying to get US-ASCII working, but then I realized it wouldn’t, because that vector works only in Internet Explorer, which isn’t one of the browsers this data: directive works in (even the best of us can get confused about the interaction between these vectors). But yes, there is probably more here. Thanks, dw1de!
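The filter angle on the two vectors above, as an added example that is not from the post: a data: URI is decoded the way a browser would (RFC 2397 split, optional base64, then the declared charset), so a check for `<script` runs against the real payload rather than the raw URI, which never contains that string in either UTF-7 form. The helper names and the third, harmless URI are assumptions for the example.

```python
import base64
import codecs
import re
from urllib.parse import unquote_to_bytes

# Constructed sample input: the two vectors from the post plus a benign URI.
VECTORS = [
    "data:text/html;charset=UTF-7,+ADw-script+AD4-alert('XSS')+ADsAPA-/script+AD4-",
    "data:text/html;charset=UTF-7;base64,"
    "K0FEdy1zY3JpcHQrQUQ0LWFsZXJ0KCdYU1MnKStBRHNBUEEtL3NjcmlwdCtBRDQt",
    "data:text/plain,hello%20world",
]

SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def decode_data_uri(uri: str) -> tuple[str, dict, str]:
    """Split data:[<mediatype>][;charset=X][;base64],<payload> and return
    (mediatype, params, decoded text). Defaults per RFC 2397: text/plain,
    US-ASCII. An unknown charset raises LookupError; a filter should treat
    an undecodable payload as a reject, not a pass."""
    scheme, sep, rest = uri.partition(":")
    if scheme.lower() != "data" or not sep:
        raise ValueError("not a data: URI")
    header, sep, payload = rest.partition(",")
    if not sep:
        raise ValueError("data: URI has no ',' separator")
    parts = [p.strip() for p in header.split(";")]
    mediatype = parts[0].lower() or "text/plain"
    params, is_base64 = {}, False
    for p in parts[1:]:
        if p.lower() == "base64":
            is_base64 = True
        elif "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    # Base64 payloads decode as a whole; otherwise only %XX escapes apply
    # ('+' is NOT a space here, which is why the UTF-7 shifts survive).
    raw = base64.b64decode(payload) if is_base64 else unquote_to_bytes(payload)
    text = codecs.lookup(params.get("charset", "US-ASCII")).decode(raw, "strict")[0]
    return mediatype, params, text


def looks_like_script(uri: str) -> bool:
    """True when the decoded payload carries a <script tag."""
    return bool(SCRIPT_RE.search(decode_data_uri(uri)[2]))


if __name__ == "__main__":
    for v in VECTORS:
        print(looks_like_script(v), repr(decode_data_uri(v)[2]))
```

Both UTF-7 vectors decode to `<script>alert('XSS');</script>`, while a naive substring check on the raw URI sees no tag at all.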

December 20th, 2006 at 2:39 pm
Don’t most filters block the Data protocol/directive outright though since there’s really no need to let users use it?
December 20th, 2006 at 2:46 pm
Don’t forget that you can put anything in the data scheme, not just twiddle with the character encoding. So you can do Flash, Quicktime, etc (of course, a 4kb limitation for the URI size still applies).
December 20th, 2006 at 2:47 pm
Kuza55 - I haven’t run into many filters against the data: directive, but I’m sure there are some.
Edward - that’s exactly right. We were discussing this exact thing with creating an .xpi file.
December 20th, 2006 at 3:59 pm
rsnake: my initial tests with an .xpi file in a data directive isn’t working.. it still pops up the security message even when executed on addons.mozilla.org or releases.mozilla.org
try this: go to http://addons.mozilla.org
then put this in the address bar: data:application/x-xpinstall,blah
so I’m unsure now whether an XSS hole is sufficient :T
December 20th, 2006 at 4:00 pm
isn’t working*