vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Community Lounge (https://vborg.vbsupport.ru/forumdisplay.php?f=13)
-   -   Javascript Injection (https://vborg.vbsupport.ru/showthread.php?t=81602)

Zero Tolerance 05-16-2005 08:58 PM

Javascript Injection
 
I'm currently working for a client, and on this project they want users to be able to use HTML, but of course I don't want them to be able to do some 'dodgy' stuff, so I created a little test engine to remove every trick I know in the book about injecting javascript into systems that allow HTML to be used, but not JS.

http://www.gzevolution.net/self.php

I was wondering if anyone here can get ANY js to execute on that page, and if you can, what html code did you input?

Yes, the client knows this is a bad thing, but he won't take no for an answer, so all help is appreciated; I don't want to leave security holes in the system.

Thanks people,

- Zero Tolerance

Link14716 05-16-2005 10:38 PM

Just talking about javascript (for example: "Javascript is great!") replaces it with "Active Scripting Disabled".

Reeve of shinra 05-16-2005 11:27 PM

Hmmm, it doesn't block flash, and I guess if I wanted to, I could probably queue a flash script to load up some javascript.

I used:
Code:

<embed src=http://www.nytalk.net/delete/thetomblack.swf width=500 height=100></embed>

Incidentally, it blocks the word ONLINE as well.

Zero Tolerance 05-17-2005 02:15 AM

@ Link - Yeah for now, it will be more specific later

@ Reeve of shinra - Yeah, I forgot to add that to the list of bad tags. I also need to block the link tag, because you can inject javascript into the css import.

Thanks for the feedback guys, appreciated :)

- Zero Tolerance

filburt1 05-17-2005 02:21 AM

HTML Code:

<a onmouseover="alert('foo')">link</a>

improperly becomes

HTML Code:

<a ert('foo')>link</a>

filburt1 05-17-2005 02:26 AM

I can't figure out anything to get past it, but if I see the source code, I might think of something.

Zero Tolerance 05-17-2005 02:54 AM

filburt1 - Yeah, parsing it out properly is not a concern; in the end it will just check for invalid entries and throw an error, stopping the data from saving, so people know they can't use nasty stuff, and because it will save a lot of processing time instead of trying to strip out some guy's billion injection attempts every time the page with the data is loaded.

Here's the source for the file:
PHP Code:

<font face='verdana'>
The script will parse out:
<ul>
<li>Bad tags (script etc..)</li>
<li>& -> &amp;amp;</li>
<li>\n -> br tag</li>
<li>Generic javascript injection (javascript(s)?:)</li>
<li>Style javascript injection (expression(script here))</li>
<li>Tag Event javascript injection (onload='script')</li>
</ul>

<form action='self.php' method='post'>
Insert html code:</font>
<br />
<textarea name='html' cols='90' rows='8'></textarea>
<br />
<input type='submit' />
</form>

<?php

    // Remove the opening ("<script") and closing ("script>") of each blacklisted tag name
    function stripBadTags($Code){
        $BadTag[] = "script";
        $BadTag[] = "iframe";
        $BadTag[] = "object";
        $BadTag[] = "applet";
        $BadTag[] = "frame";
        $BadTag[] = "frameset";
        $BadTag[] = "param";
        $BadTag[] = "style";

        foreach($BadTag as $bt){
            $Code = preg_replace("/(<{$bt}|{$bt}>)/i", '', $Code);
        }

        return $Code;
    }

    function ParseHTML($Code){
        // Strip out unwanted tags
        $Code = stripBadTags($Code);

        // Generic find & replace parameters, such as bad letters/characters
        $str_replace_find = array(
            '&',
            "\n",
        );

        $str_replace_replace = array(
            '&amp;',
            '<br />',
        );

        // Generic Javascript injection into tags
        $strip[] = array(
            'find'    => '/(javascript(s)?|vbscript(s)?|java(s)?)/i',
            'replace' => 'Active Scripting Disabled',
        );

        // Style javascript injection
        $strip[] = array(
            'find'    => '/expression((.+?))?\((.+?)\)/i',
            'replace' => '',
        );

        // Tag event javascript injection
        $strip[] = array(
            'find'    => '/on[a-zA-Z](.+?)=(\'|")?(.+?[^\'"])(\'|")?/i',
            'replace' => '',
        );

        /*
        $strip[] = array(
            'find'    => '',
            'replace' => '',
        );
        */

        $Code = str_replace($str_replace_find, $str_replace_replace, $Code);

        // Keep applying each pattern until it no longer matches
        foreach($strip as $rem){
            while(preg_match($rem['find'], $Code)){
                $Code = preg_replace($rem['find'], $rem['replace'], $Code);
            }
        }

        return $Code;
    }

    if(@trim($_POST['html']) != ''){
        echo ParseHTML(stripslashes($_POST['html']));
    }

?>

:)

- Zero Tolerance

filburt1 05-17-2005 04:06 AM

BTW, shorthand for initializing an array, for example:
PHP Code:

$foo = {"bar", "baz", "qux"};

The same concept works in Java and IIRC C++ as well.

Zero Tolerance 05-17-2005 05:18 AM

Quote:

Originally Posted by filburt1
BTW, shorthand for initializing an array, for example:
PHP Code:

$foo = {"bar", "baz", "qux"};

The same concept works in Java and IIRC C++ as well.

Yah, the code is a mess for now - the basic idea is just to get a working model before implementing it into anything :)

So seeing the source gave you no other ideas?

- Zero Tolerance

filburt1 05-17-2005 01:38 PM

It looks effective at first glance, but it makes assumptions on HTML that could change at any time.
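The alternative filburt1 is pointing at is an allow-list: parse the HTML and re-emit only tags, attributes and URL schemes you explicitly know, so that new or unexpected markup (the embed, the link tag, the onmouseover handler, the false positive on the word "Javascript") is dropped by default rather than hunted with regexes. The following is an added example, not code from this thread; it is written in Python against html.parser rather than PHP, and the particular tag/attribute/scheme lists are assumptions chosen to cover the thread's own test inputs.

```python
# Added example (not from the thread): allow-list sanitizer using only html.parser.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "li", "a", "font"}   # assumed policy
ALLOWED_ATTRS = {"a": {"href"}, "font": {"face", "size"}}            # assumed policy
SAFE_SCHEMES = {"http", "https", ""}   # "" = relative link
DROP_CONTENT = {"script", "style"}     # the tag and its text both vanish
def safe_url(value):
    # Strip non-printables first so "java\tscript:" cannot hide its scheme.
    cleaned = "".join(c for c in value if c.isprintable()).strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return                 # embed, link, object, ... never reach the output
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue           # on*= handlers and style= are dropped, not pattern-matched
            if name == "href" and not safe_url(value or ""):
                continue           # javascript:/vbscript: hrefs are dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:      # text is re-escaped, so it can never open a tag
            self.out.append(escape(data).replace("\n", "<br />"))

def sanitize(html):
    p = AllowListSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Because the output is rebuilt from the parse tree, a tag the policy never heard of produces nothing instead of a half-stripped fragment like `<a ert('foo')>`, and ordinary text such as "Javascript is great!" passes through untouched.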
