Local XSS

22:46 21.05.2010

This is the English version of my Local XSS article.

I will tell you about a new type of Cross-Site Scripting vulnerability, Local XSS, a class I introduced in June 2006, when I found a vulnerability in Ad Muncher, in order to classify XSS vulnerabilities more precisely.

Local XSS is Cross-Site Scripting in local software (on the user's computer or in the local network) which gives rise to XSS vulnerabilities. That is, the vulnerability lives not in the site itself but in the user's local software, and it allows attacks even on sites which have no XSS vulnerabilities of their own.

In particular, this type of vulnerability gives rise to so-called universal XSS, which allows attacks on many sites at once, against any user who runs the vulnerable software. Examples of universal XSS are the UXSS in PDF, the vulnerability in Ad Muncher and the vulnerability in the XSS Filter in IE8.

Nuances of Local XSS.

Local XSS vulnerabilities can occur in browsers and in other programs that take part in working with the Internet: browser plugins, proxy servers, ad blockers (which act as a proxy server) and others.

These vulnerabilities are located not at the site but on the user's local computer (when vulnerable software is used), so site administrators and web developers often ignore them. In some cases site owners can do nothing about them (except advise users to update the vulnerable software); in other cases site owners can apply protective measures (as with the UXSS in PDF and the vulnerability in the XSS Filter in IE8).

One nuance of Local XSS is that it can bypass a WAF at the site, because the vulnerability is in the user's local software, not at the site: the payload can travel in a part of the request that the WAF does not see or does not treat as an attack (the UXSS in PDF, for instance, carried it in the URL fragment, which browsers never send to the server). So to resist attacks through these vulnerabilities a web site needs not a WAF but special methods (as with the vulnerabilities in PDF and IE8).

There is also a class of vulnerabilities called Cross-zone scripting. These occur in browsers, particularly in Mozilla Firefox (and other browsers on the Gecko engine) and Internet Explorer (and browsers on the IE engine, such as Sleipnir, Portable Sleipnir and unDonut), and in browser plugins (extensions, toolbars).

Cross-zone scripting is a different type of XSS from Local XSS, so these vulnerabilities do not belong to Local XSS. Through cross-zone scripting in browsers and their plugins it is possible to execute code on the user's computer (in the local context), not at a web site (in the context of that site). That is, a cross-zone scripting attack targets the user's computer (with the user's current rights), while a Local XSS attack targets a web site (with the rights of that user on the site). What the two types have in common is that the vulnerabilities appear in the user's local software.

Types of Local XSS.

There are the following types of Local XSS:

  • Reflected local XSS - the most widespread type of Local XSS.
  • Persistent local XSS - this is Post Persistent XSS (Saved XSS), i.e. this type of XSS belongs at the same time to Persistent XSS and to Local XSS.
  • Strictly social local XSS - this type of XSS belongs at the same time to Strictly social XSS and to Local XSS.

I have already written about the Post Persistent XSS (Saved XSS) sub-class of Cross-Site Scripting vulnerabilities; about the Strictly social XSS sub-class I will write a separate article in time.

Let's look at examples of the different types of Local XSS vulnerabilities.

Reflected local XSS.

Reflected local XSS is Reflected XSS in local applications.

Examples of Reflected local XSS are the following vulnerabilities:

1. Universal XSS in PDF, which I wrote about in 2007. This vulnerability in Adobe Reader and Acrobat, and in their browser plugins, was found and disclosed by Stefano Di Paola at the end of 2006. The attack needed a PDF file hosted on the target site, so any site with a PDF file was attackable (except those which deployed server-side protection against this attack).
2. Vulnerabilities in various browser plugins, in particular in Adobe Flash Player and Adobe Acrobat. While Adobe considers the persistent XSS via Flash and the strictly social XSS in millions of Flash files mentioned below to be features of Flash, it did fix these reflected XSS vulnerabilities.
3. Cross-Site Scripting via the jar: URI in Firefox, found by PDP and Beford in 2007.
4. Universal XSS in Ad Muncher, which I wrote about in 2010. The attack fired when the user visited a specially crafted URL, which made an XSS attack possible on any site (except the cases I described in that post).
5. Vulnerabilities in Sidki and Proxomitron, which Charles Reis, Steven D. Gribble, Tadayoshi Kohno and Nicholas C. Weaver wrote about in 2008. As they found in 2007, a year after me, besides Ad Muncher, Sidki and the Grypen filter sets for Proxomitron are vulnerable to the same XSS.
6. Vulnerability in Internet Explorer 8. At the beginning of this year Eduardo Vela Nava and David Lindsay found a vulnerability in the XSS Filter in IE8 that allows XSS attacks on IE8 users at any site (except those which deployed server-side protection against this attack).
7. A new vulnerability in Ad Muncher, which I wrote about in 2010. The attack is similar to the previous Ad Muncher vulnerability.

Persistent local XSS.

Persistent local XSS is Persistent XSS in local applications, in particular Post Persistent XSS (Saved XSS) vulnerabilities.

Examples of Persistent local XSS are the following vulnerabilities:

1. Vulnerabilities in the Flash plugin for browsers. By uploading SWF files with XSS code to a server, it is possible to attack users who have the Flash plugin (more than 99% of Internet users). As I noted, Adobe does not consider this a security issue, because it is a feature of the Flash technology, so site owners and web developers have to take care of security themselves if embedding of Flash is allowed (as with the vulnerability in Invision Power Board) or if uploading of Flash is allowed (as with the vulnerability in FCKeditor).
2. Vulnerability in the QuickTime plugin for browsers. In particular, via Media Link in QuickTime, by uploading files (in XML format) with the extension mp3 to the server, it was possible to attack users who have the QT plugin (one of the most popular plugins).
3. Cross-Site Scripting vulnerability in Internet Explorer, which I wrote about in 2007. The attack works by saving a page with a specially crafted URL and then opening the saved page in the browser.
4. Cross-Site Scripting vulnerability in Google Chrome, which I wrote about in 2008. The attack is similar to the attack on IE.
5. Cross-Site Scripting vulnerability in Opera, which I wrote about in 2008. The attack is similar to the attacks on IE and Chrome.
6. Universal XSS in Ad Muncher, which I wrote about in 2010. In this application both a Reflected local XSS attack and a Persistent local XSS attack were possible.
7. A new vulnerability in Ad Muncher, which I wrote about in 2010. The attack is similar to the previous Ad Muncher vulnerability.
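The Flash and QuickTime cases above share one lesson for site owners: a file must be judged by its content, not by the extension the uploader chose, before it is stored and served back from the site's own origin. The following is an added example of such a server-side check; it is not code from the article, from FCKeditor, from Invision Power Board or from any plugin vendor. The SWF header signatures FWS, CWS and ZWS are the format's published magic values; the media-extension list, the `sniffUpload` policy, its reason codes and the sample uploads are constructed for this example.

```javascript
// Added example: content sniffing for uploads so that a plugin-parsed payload
// cannot be served from the site's origin under a harmless-looking file name.
// Not the article's code, nor FCKeditor's or Invision Power Board's.

const SWF_MAGIC = new Set(['FWS', 'CWS', 'ZWS']); // uncompressed, zlib and LZMA SWF headers
const MEDIA_EXT = new Set(['mp3', 'mp4', 'm4a', 'mov', 'wav']); // constructed policy list

function extensionOf(filename) {
  const m = /\.([A-Za-z0-9]+)$/.exec(filename);
  return m ? m[1].toLowerCase() : '';
}

// True when the bytes start (after an optional UTF-8 BOM and whitespace) with "<",
// i.e. an XML declaration, processing instruction or element: the shape of a
// QuickTime Media Link file, or any other markup a plugin would happily parse.
function looksLikeMarkup(bytes) {
  let i = 0;
  if (bytes.length >= 3 && bytes[0] === 0xef && bytes[1] === 0xbb && bytes[2] === 0xbf) i = 3;
  while (i < bytes.length && [0x20, 0x09, 0x0a, 0x0d].includes(bytes[i])) i++;
  return i < bytes.length && bytes[i] === 0x3c;
}

// Decide whether an upload may be stored and served back from the site's origin.
// bytes is a Buffer holding at least the first few hundred bytes of the file.
function sniffUpload(filename, bytes, options = {}) {
  const allowSwf = options.allowSwf === true;
  const ext = extensionOf(filename);
  const magic = bytes.length >= 3 ? bytes.toString('latin1', 0, 3) : '';

  if (SWF_MAGIC.has(magic)) {
    // Flash is recognised by header, never by name: an SWF renamed to .mp3 is still an SWF.
    if (!allowSwf) return { accept: false, reason: 'swf-not-allowed' };
    if (ext !== 'swf') return { accept: false, reason: 'swf-with-wrong-extension' };
    return { accept: true, reason: 'swf-allowed' };
  }
  if (ext === 'swf') return { accept: false, reason: 'swf-extension-without-swf-header' };

  if (MEDIA_EXT.has(ext) && looksLikeMarkup(bytes)) {
    // A "song.mp3" that is really XML is the QuickTime Media Link case from the article.
    return { accept: false, reason: 'markup-in-media-file' };
  }
  return { accept: true, reason: 'ok' };
}

// Constructed sample uploads (headers only, not real exploit files).
const SAMPLES = {
  swfAsMp3:  { name: 'clip.mp3',   bytes: Buffer.from('CWS\x0a\x00\x00\x00\x00', 'latin1') },
  xmlAsMp3:  { name: 'song.mp3',   bytes: Buffer.from('\ufeff  <?xml version="1.0"?><embed src="constructed"/>', 'utf8') },
  realMp3:   { name: 'song.mp3',   bytes: Buffer.from('ID3\x03\x00\x00\x00\x00\x00\x00', 'latin1') },
  honestSwf: { name: 'banner.swf', bytes: Buffer.from('FWS\x08\x00\x00\x00\x00', 'latin1') },
};

// Run every sample through the policy and return the verdicts keyed by sample name.
function checkSamples(options) {
  const out = {};
  for (const [key, s] of Object.entries(SAMPLES)) out[key] = sniffUpload(s.name, s.bytes, options);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkSamples({ allowSwf: false }));
}
```

With `allowSwf: false` the renamed SWF and the XML-in-mp3 are both rejected while the real MP3 header passes; with `allowSwf: true` only a file whose header and extension agree is accepted. This check complements, rather than replaces, serving user uploads from a separate origin, which is the usual way to keep whatever a plugin does with the file out of the site's own security context.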

Strictly social local XSS.

Strictly social local XSS is Strictly social XSS in local applications.

Examples of Strictly social local XSS are the following vulnerabilities:

1. Cross-Site Scripting in Mozilla and Firefox, which I wrote about in 2007. The attack goes via the gopher protocol. To conduct the XSS attack, a user of Mozilla, Firefox or SeaMonkey (or another browser on the Gecko engine) has to visit a specially crafted page and switch the page encoding to UTF-7.
2. Cross-Site Scripting with UTF-7 in Mozilla and Firefox, which I wrote about in 2009. The attack goes via the http, https and ftp protocols (this vulnerability is a continuation of the previous one, using new protocols).
3. Cross-Site Scripting vulnerabilities in Mozilla and Firefox, which I wrote about in 2009. The attack works by requesting a Location-header redirector with JavaScript code set as the redirect target. On the request the browser shows an “Object Moved” page in which the “here” link contains this code; clicking the link executes it.
4. The strictly social XSS vulnerabilities in 8 million and 34 million Flash files are possible via the Flash plugin for browsers.

Example of Local XSS.

The clearest example of a Local XSS vulnerability is the universal XSS in Ad Muncher. The essence of this vulnerability was as follows.

The vulnerability was possible because the program inserted the current URL into the body of the current page (without filtering tags). So with a specially crafted URL it was possible to execute code at any site.

Conducting a reflected XSS attack:

http://www.google.com/webhp?%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Using this vulnerability it was possible to conduct an XSS attack on any site (except the cases mentioned above). The attack could be conducted, e.g., via a hidden iframe, and it worked in any browser, because the injection was done by the proxy rather than by the browser.
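To make the mechanism concrete, here is an added example that is not part of the original article and not Ad Muncher's code: a model of a filtering proxy that writes the current URL into every HTML response, in a vulnerable form and a hardened form. The injected script template, the variable name `amCurrentUrl` and the insertion before `</body>` are assumptions; only the payload, which begins with `</script>` and so indicates that the URL landed inside a script block, comes from the article. The example also shows why the fix is more than HTML-escaping: a string literal inside a `<script>` element is terminated by the HTML parser, so it is `<` that must never appear raw.

```javascript
// Added example, not Ad Muncher's code: a model of a proxy that injects the
// request URL into the page it is filtering, in vulnerable and hardened form.

// Vulnerable model (assumed template): the percent-decoded URL is dropped verbatim
// into a <script> string literal. The attacker's "</script>" closes that element
// early, because the HTML parser, not the JavaScript parser, decides where script
// data ends, and the rest of the URL becomes new markup in the site's origin.
function injectVulnerable(html, requestUrl) {
  const url = decodeURIComponent(requestUrl);
  const snippet = '<script>var amCurrentUrl = "' + url + '";</script>';
  return html.replace('</body>', snippet + '</body>');
}

// Hardened model: serialise the value as JSON, then escape every character that
// could close the script element or change the parser's state, so the literal
// stays a literal whatever the URL contains.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function injectHardened(html, requestUrl) {
  const url = decodeURIComponent(requestUrl);
  const snippet = '<script>var amCurrentUrl = ' + jsStringLiteral(url) + ';</script>';
  return html.replace('</body>', snippet + '</body>');
}

// Extract script bodies the way an HTML tokenizer does: script data runs until
// "</script" followed by whitespace, "/" or ">", regardless of the JavaScript inside.
function scriptBodies(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script(?=[\s\/>])/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Evaluate a hardened script body to confirm the literal round-trips the URL.
function recoverUrl(scriptBody) {
  return new Function(scriptBody + ' return amCurrentUrl;')();
}

// The article's payload URL and a constructed minimal page.
const PAYLOAD_URL = 'http://www.google.com/webhp?%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E';
const PAGE = '<html><body><p>site content</p></body></html>';

// Script elements the browser would see in each version of the filtered page.
function demo() {
  return {
    vulnerable: scriptBodies(injectVulnerable(PAGE, PAYLOAD_URL)),
    hardened: scriptBodies(injectHardened(PAGE, PAYLOAD_URL)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In the vulnerable output the tokenizer finds two script elements, the second of which is the attacker's `alert(document.cookie)`, running in the origin of whatever site the URL pointed at; in the hardened output there is exactly one, and evaluating it yields the original URL unchanged.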


2 Responses to “Local XSS”

  1. MustLive says:

    One more example of Local XSS is the Cross-Site Scripting vulnerability in Mozilla, Firefox and other browsers via redirectors with the answer “302 Found”.

  2. MustLive says:

    One more example of Local XSS is the Saved XSS vulnerability in Internet Explorer.
