Drag and Decline XSS in Firefox by HTML5 (Cross Domain in frames)
Bug has been reported/NoScript customers are secure
First of all, this vulnerability and the relevant techniques have presently been reported to Mozilla on 21st Nov 2011, with out having any precise result until the date of this report (issue ID 704354 – operates on all the most current variations which assistance HTML5). I had raised this bug as a significant issue, but it seems it was not important from Mozilla Firefox point of see and its chance is not high at all.
Nonetheless, NoScript can safeguard the consumers towards it from edition two.2.3 [released about three weeks back] (http://noscript.internet/changelog) – many thanks to Giorgio Maone for the quick reaction and speedy fix.
As there is currently a resolution for this issue and its effect is not substantial, I am really going to publish my analysis results as they belong to 2011!
Introduction
As you might have seen, most of the modern browsers are recently defending their consumers from jogging unwanted JavaScript by copying and pasting it in the tackle bar or even by dragging and dropping it into a world wide web web page. In this research, I have identified a approach to bypass Drag/Drop protection in Mozilla Firefox to run a JavaScript. As a last result, it is possible to drag and fall a hidden JavaScript into a predefined HTML5 box and run the Javascript code. Unfortunately, if you put this webpage in an IFrame, the Javascript code can be run on the context of the major site that contains the IFrame. For occasion, When Facebook opens any URL in a frame, it is achievable to run a JavaScript code on Facebook website by drag and decline jacking.
The latest protection
In get to realize the Mozilla Firefox safety in opposition to JavaScript Drag and Drop, adhere to these steps:
1- Go to Mozilla Firefox tackle bar and type “javascript:alert(1)” without having pressing Enter.
2- Select all the string that you have just typed (“javascript:notify(1)” with out quote symptoms).
3- Drag and fall it on a new tab or on the context of the identical tab that you at the moment have. You will not receive any inform concept.
Initial bypass method- Letter Capitalization
Now, in prior actions, capitalize one or far more letters in the “javascript:” string (for occasion “jAvAscript:”) and drag/fall it into the webpage. You should be ready to see an alert communication as you have bypassed the Mozilla Firefox defense!
Second bypass strategy- XSS by Feed Protocol
I have also found another exciting protocol in Mozilla Firefox that can direct to running a JavaScript. This protocol can be used as follows to bypass the Mozilla Firefox prevention method:
“feed:javascript:alert(one)”
“feed:feed:feed:javascript:alert(one)”
“feed:javascript:javascript:feed:notify(one)”
“feed:feed:javascript:javascript:feed:notify(one)”
” feed:feed:feed:javascript:notify(one)”
A possible exploitation approach – HTML5 drag/fall performance
In this step, I had to find a way to use the concern and exploit the method to prove that it can be an important security threat nonetheless, there are two facts that made it a bit difficult:
one- There is no point if we cannot run the JS code on the context of one more internet site.
two- We need the person interaction to d/d a JS code. And it is not effortless to deceive the customers to d/d a JavaScript code when it is visible.
The very first problem has been solved by employing HTML5 D/D features that I have found from the adhering to URL: “http://html5demos.com/drag“ I found out, if I drag and decline the “feed:javascript:notify(one)” to the drop location, the JavaScript will run owing to the redirection. And curiously, if this drop location is inside an IFrame, the major page will be redirected and as a result we can carry out an XSS attack on the context of the principal site.
The 2nd difficulty was also solved by making use of a concealed “textarea” tag that I identified for the duration of my exams! In Mozilla Firefox, if you pick a text with a hidden textarea, all the texts in that hidden textarea will be picked as effectively.
I have created a proof of idea which can be identified in the adhering to website link:
PoC: http://soroush.secproject.com/downloadable/demo/FF_DragDrop_XSSHost_simp.html
Summary
In this research, I was in a position to bypass Mozilla Firefox – Javascript Drag and Decline by employing capitalization and Feed protocol. Then I was capable to exploit this situation to operate a JavaScript code in the context of another website which can take an exterior body by utilizing the HTML5 drag and decline features.
Potential Works
It is even now possible to bypass Mozilla Firefox prevention approach by discovering yet another protocol or possibly by utilizing the encoding methods.
If someone drags and drops a JavaScript into a web page with “chrome://” protocol, it can guide to a regional code execution nonetheless, this protocol is highly guarded by Mozilla Firefox and I was not capable to come across a way to make it possible. As a PoC, drag and drop the adhering to Javascript code into the “chrome://international/subject material/config.js” web page to operate the neighborhood Windows Calculator:
“feed:jAvAscript:file=Components.courses['@mozilla.org/file/local1'].createInstance(Components.interfaces.nsILocalFile)file.initWithPath(‘c:windowssystem32calc.exe’)approach=Elements.classes['@mozilla.org/procedure/util1'].createInstance(Parts.interfaces.nsIProcess)approach.init(file)process.operate(accurate,[],)void()”
