Cross-Language Scripting

22:38 31.05.2010

This is the English version of my Cross-Language Scripting article.

Recently I wrote about Local XSS, the type of Cross-Site Scripting vulnerability which I found in 2006. Now I will tell you about another new type of XSS which I found: Cross-Language Scripting, which I defined in December 2006.

Cross-Language Scripting is Cross-Site Scripting in online interpreters. I defined this class of XSS vulnerabilities on 23.12.2006, when I found such a vulnerability in the online interpreter CodeIDE, and on 28.02.2007 I found one in my own Perl Pas Interpreter. These vulnerabilities allow XSS attacks on a web application that interprets code: by sending the interpreter a program in a language it supports, the attacker gets JavaScript or VBScript code emitted in the output.

Nuances of Cross-Language Scripting.

Such vulnerabilities can occur only in online interpreters of programming languages. So far I have found two of them: in MustLive Perl Pascal Programs Interpreter and in CodeIDE. But as the Internet grows and online interpreters become more numerous and more widely used, new Cross-Language Scripting vulnerabilities can appear.

Online interpreters receive program code from the user (e.g. Pascal code, in the case of my Perl Pas Interpreter), process it, and show the result of the program's work in the browser. If the online interpreter can be forced to output HTML tags, in particular ones that execute JS/VBS code, then an XSS attack can be conducted on users of the interpreter.

One nuance of Cross-Language Scripting is that such attacks can bypass a WAF, both server-side and client-side. The request contains only program code in some programming language, not the HTML tags that common XSS attacks use; the tags come into existence only in the interpreter's output, after the filter has already inspected the request.

Examples of Cross-Language Scripting.

I found such a vulnerability first in CodeIDE and later in my Perl Pas Interpreter. But I will describe the Perl Pas Interpreter case first, and then CodeIDE.

Perl Pas Interpreter.

The first version of the interpreter, v.1.0, was released on 10.03.2006. On 24.05.2006 version v.1.2 was released, in which I created the online version of the interpreter. From that time on I worked to prevent XSS vulnerabilities in it (already in v.1.2 there was protection against reflected XSS). But on 28.02.2007 I found a way to bypass the web application's protection using Cross-Language Scripting and to conduct XSS. I fixed it on the same day in version v.1.2.9.

XSS:

The following Pascal code:
write(chr(60),'script',chr(62),'alert(document.cookie)',chr(60),'/script',chr(62));

leads to the browser displaying and executing the JavaScript code:
<script>alert(document.cookie)</script>

I.e. using constructions of the Pascal language (here chr() to produce the angle brackets) it was possible to output JS/VBS code, bypassing the existing protective filters, and to conduct an XSS attack. Preventing this type of XSS vulnerability requires special methods: since the dangerous characters are produced at run time, filtering the submitted source code is not enough, and the program's output must be HTML-encoded before it is sent to the browser.
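To make the mechanism concrete, here is an added Python illustration (not code from Perl Pas Interpreter, which is written in Perl). It assumes a toy interpreter that understands only a single Pascal write(...) statement with string literals and chr(N), a hypothetical tag-based input filter of the kind a WAF or the application itself might apply to the request, and two constructed sample programs: one with literal tags and one that builds the same tags with chr(), as above. The naive flow filters the source and echoes the output verbatim; the hardened flow HTML-encodes the output instead.

```python
import html
import re

# Constructed sample inputs (not from the original article): two programs that
# print the same <script> tag, one literally and one built at run time via chr().
LITERAL_PROGRAM = "write('<script>alert(document.cookie)</script>');"
CHR_PROGRAM = ("write(chr(60),'script',chr(62),'alert(document.cookie)',"
               "chr(60),'/script',chr(62));")

# Hypothetical request filter: anything that looks like an HTML tag is rejected.
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def input_filter_blocks(source: str) -> bool:
    """True if the submitted source contains something resembling an HTML tag.
    This models a WAF or in-app filter that inspects the request body."""
    return bool(TAG_RE.search(source))


# One argument of write(): either chr(N) or a Pascal string literal ('' = quote),
# followed by a comma or the end of the argument list.
_ARG_RE = re.compile(r"\s*(?:chr\((\d+)\)|'((?:[^']|'')*)')\s*(,|$)")


def run_write(source: str) -> str:
    """Toy stand-in for the online interpreter: evaluate one write(...) statement
    and return what the program prints."""
    m = re.fullmatch(r"\s*write\((.*)\)\s*;?\s*", source, re.DOTALL | re.IGNORECASE)
    if not m:
        raise ValueError("only a single write(...) statement is supported")
    args, pos, out = m.group(1), 0, []
    while pos < len(args):
        am = _ARG_RE.match(args, pos)
        if not am:
            raise ValueError(f"cannot parse argument at offset {pos}")
        code, lit, sep = am.groups()
        # chr(N) yields the character with code N; '' inside a literal is one quote.
        out.append(chr(int(code)) if code is not None else lit.replace("''", "'"))
        pos = am.end()
        if sep == "":
            break  # reached the end of the argument list
    return "".join(out)


def render_naive(source: str) -> str:
    """Vulnerable flow: filter the *input*, then send the program's output to
    the browser unchanged. The chr() program passes the filter untouched."""
    if input_filter_blocks(source):
        return "<p>blocked: HTML tags are not allowed in source</p>"
    return "<pre>" + run_write(source) + "</pre>"


def render_hardened(source: str) -> str:
    """Hardened flow: encode the *output*. What the program prints is data, so
    any '<' it produces, however it was built, reaches the browser as &lt;."""
    return "<pre>" + html.escape(run_write(source), quote=True) + "</pre>"


if __name__ == "__main__":
    for name, prog in (("literal", LITERAL_PROGRAM), ("chr()", CHR_PROGRAM)):
        print(f"{name}: input filter blocks = {input_filter_blocks(prog)}")
        print("  naive    ->", render_naive(prog))
        print("  hardened ->", render_hardened(prog))
```

Running it shows the literal program being stopped by the input filter while the chr() program sails through and, in the naive flow, lands in the page as a live script tag; in the hardened flow both programs produce inert, encoded text. The point is that the filter is looking at the wrong layer: the interpreter's output is the untrusted string that reaches the browser, so that is what must be encoded.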

CodeIDE.

In the online interpreter CodeIDE I found Cross-Language Scripting (which I reported privately to the developer of the application), and also a reflected XSS on the interpreter's site, which I have already written about.

This vulnerability was in the JavaScript interpreter. Strictly speaking, JS code executing in a JS interpreter is not quite a cross-language attack, but this attack was still directed at an online interpreter and bypassed the application's protective filters.

XSS:

In CodeIDE it was not possible to reach document.cookie (they had protection against it), but it was possible to execute other JS commands which could be used for an attack, e.g. for redirection:
document.location="http://websecurity.com.ua"

Thus it was possible to execute JS code using only allowed constructions of the JavaScript language, without any tags, directly in the interpreter.

