IE6.0 Protocol Guessing
SirDarckCat sent an interesting email this morning about IE6.0. Apparently it attempts to guess what you mean in certain circumstances allowing for rigid anti-XSS filters to fail when looking for precise terms like javascript: and vbscript: even after attempting to de-obfuscate. Rather than attempt to explain, take a look at this snippet from his email:
There are some characteristics in internet explorer that could aid
attackers when doing XSS attacks. In IExplorer:
??script:
and
???script:
are translated to vbscript:
so, for example: MYscript:msgbox("hi")
or
YOUscript:msgbox("hi")
will be treated as:
vbscript:msgbox("hi")
and anything with:
????script:
will be treated as:
javascript:
so..
somescript:alert("hi");
will be treated as:
javascript:alert("hi");
I have not been able to test this myself as I don't have 6.0 handy. However, if it works, I know a lot of anti-XSS filters that would fail on this one. It's a bad one, but anyone worried about it should simply upgrade to 7.0, which doesn't appear to have this flaw in it. Very nice find by SirDarckCat.
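As an added illustration (not code from the original post or from SirDarckCat's email), here is the filter design point in Python: a denylist that looks for the exact names javascript: and vbscript: passes the guessed forms quoted above, while a scheme allowlist rejects them without needing to know anything about IE's guessing. ALLOWED_SCHEMES and the sample inputs are assumptions constructed for the example.

```python
import re
from typing import Optional

# Added example, not from the original post: a filter that denylists the exact
# names javascript: and vbscript: passes the guessed forms IE6 rewrites, while
# a scheme allowlist rejects them without knowing anything about the guessing.

# Schemes this hypothetical application allows in href attributes (assumption).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Control characters and spaces that browsers ignore inside a scheme; both
# filters strip them first (the "de-obfuscation" step the post mentions).
_JUNK = re.compile(r"[\x00-\x20]+")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def scheme_of(url: str) -> Optional[str]:
    """Return the lowercased scheme of a URL, or None for a relative URL."""
    m = _SCHEME.match(_JUNK.sub("", url))
    return m.group(1).lower() if m else None

def denylist_filter(url: str) -> bool:
    """Fragile check: accept unless the scheme is exactly javascript or vbscript."""
    return scheme_of(url) not in {"javascript", "vbscript"}

def allowlist_filter(url: str) -> bool:
    """Robust check: accept relative URLs and ALLOWED_SCHEMES, reject the rest."""
    scheme = scheme_of(url)
    return scheme is None or scheme in ALLOWED_SCHEMES

# Constructed inputs modelled on the forms quoted in the post.
SAMPLES = [
    "javascript:alert('hi')",    # exact name: both filters block it
    "somescript:alert('hi')",    # IE6 treats as javascript: -> denylist passes it
    'MYscript:msgbox("hi")',     # IE6 treats as vbscript:   -> denylist passes it
    "\tjavascript:alert('hi')",  # tab obfuscation: stripped, both block it
    "https://example.com/",      # legitimate absolute URL
    "/relative/path",            # no scheme, inherits the page's scheme
]

def compare(urls=SAMPLES):
    """Map each URL to (denylist_accepts, allowlist_accepts)."""
    return {u: (denylist_filter(u), allowlist_filter(u)) for u in urls}

if __name__ == "__main__":
    for u, (d, a) in compare().items():
        print(f"{u!r:30} denylist={'pass' if d else 'block':5} "
              f"allowlist={'pass' if a else 'block'}")
```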
July 2nd, 2007 at 6:02 pm
<testscript>alert("test")</script>
<a href="testscript:alert('test')">test</a>
Neither work for me.
Incidentally, you can have multiple versions of IE on the same machine:
http://www.positioniseverything.net/articles/multiIE.html
July 2nd, 2007 at 6:12 pm
We use IE6 at work so I decided to test some scenarios by adding code to the address bar and hitting enter:
sssssscript:alert("Test")
becomes
javascript:alert("Test")
ssscript:msgbox("Test")
becomes
vbscript:msgbox("Test")
Works as described by SirDarckCat.
July 2nd, 2007 at 6:34 pm
Hi!
There is one more vector I forgot:
?script:msgbox("Test")
also translates to:
vbscript:msgbox("Test")
Greetz!!
July 2nd, 2007 at 7:15 pm
That’s pretty interesting, rsnake. Unfortunately (well not truly) I’m using Internet Explorer 7, and so it obviously does not work for me, but it’s an awesome concept.
July 2nd, 2007 at 9:10 pm
I played around with this a while back, it’s really interesting. I’m certain that most versions of IE support this, but I could only get it to work when the values were entered directly into the address bar. I’m sure this will prove to be useful in the future, especially once I understand exactly what circumstances warrant a “spelling correction” on IE’s part.
July 3rd, 2007 at 1:59 am
For me this only works when typed in the address bar. Also, it doesn’t work in IE tab.
July 3rd, 2007 at 5:36 am
Tested here too on IE6, with the same result as Spikeman. (Only works in the address bar)
I also tried using invalid language names in the script language="…" attribute, which didn't work either. However, something I did during my experiments made IE6 quit spontaneously. (No error, no crash, just a sudden quit) However, I can't reproduce it now.
July 3rd, 2007 at 10:19 am
Yes, this is not a security issue. This substitution only happens in the address bar and you actually see it make “javascript” out of “testscript”. So this is a feature of the user interface but not one of the rendering engine, web pages cannot trigger it.
July 4th, 2007 at 6:22 am
However (to almost contradict myself) it might still be a vulnerability. What if there's some obscure way that a page can actually trigger this mechanism due to some bug? For example, I remember bugs concerning IE's infamous "Local zone" where untrusted scripts could get trusted access by an intricate bombing of local zone protocols (file: and other protocols relating to help files and dll file resource extraction; I could possibly find the source doc about that vulnerability if you wish)
July 4th, 2007 at 5:08 pm
A few years ago I found such solutions. Inside jscript.dll some "magic" script protocols are defined:
XECMAScript
JavaScript1.3
JavaScript1.2
JavaScript1.1
JavaScript
LiveScript
July 5th, 2007 at 10:47 pm
Is there someone still using IE 6????
I haven't seen one in a couple of months…
Many old users now use Firefox or Opera (many of them still using 98SE and Windows ME)
July 6th, 2007 at 1:14 pm
So, I have IE6 and the following also worked:
javascripx:alert('hi'); became javascript:alert('hi');
Also,
xtp:// became ftp://
So, this seems to be something that works on all registered protocols. I tried others, as well ..
xboxt:// became about://
but xboxx:// did not become about://, so it seems to be that if greater than 50% of the letters exist and it’s the same length, then it renders it.
A full list of protocols that are installed on a machine can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler, I think.
July 9th, 2007 at 8:45 am
Actually this is also known as ECMAScript (http://en.wikipedia.org/wiki/ECMAScript) and to be honest is useless in my opinion if you want to use it in another way than putting it manually in your browser address bar. If this kind of scripting cannot be used in another way, there should not be any concern about the filter bypass.
July 10th, 2007 at 10:17 am
httpscript: … that has potential because some site might filter links starting with "http" (should be "http://")
July 10th, 2007 at 10:23 am
Nice one… I’m still trying to figure out how this could actually be used in a vulnerability, other than perhaps telling someone to type in or cut and paste something that looks like a URL but is really JS… Seems like a stretch.
July 13th, 2007 at 5:56 am
Wow, it works.
Interesting nobody has ever found this before.
This sure is a big issue.
July 13th, 2007 at 5:58 am
Hey, here’s another thing:
javaasdfg:alert('XSS');
works as well. This is actually more of an issue as it doesn’t contain the word “script”.
July 15th, 2007 at 5:14 pm
Well, no, it's a BIG thing. It can't be emphasized enough that this bug/feature ONLY affects things written in the address field; only those can be interpreted in this way. (Not anything invoked by links or javascript as far as anyone knows today)
So it’s really a minor vulnerability since you have to trick the user into copying a string to the address field.
July 15th, 2007 at 5:15 pm
I mean, It’s NOT, of course.
July 15th, 2007 at 6:29 pm
This code works on IE7
http://www.microsoft.com