Javascript Injection

[Zero Tolerance]

I'm currently working for a client, and one this project they want users to be able to use HTML, but ofcourse i don't want them to be able to do some 'dodgy' stuff, so i created a little test engine to remove every trick i know in the book about injecting javascript into systems that allow HTML to be used, but not JS.

http://www.gzevolution.net/self.php

I was wondering if anyone here can get ANY js to execute on that page, and if you can, what html code did you input?

Yes, the client knows this is a bad thing, but he won't take no for an answer, so all help is appreciated, i don't want to leave security hole's in the system.

Thanks people,

- Zero Tolerance

[Link14716]

Just talking about javascript (for example: "Javascript is great!") replaces it with "Active Scripting Disabled".

[Reeve of shinra]

Hmmm it doesn't block flash and I guess if I wanted to, I could probably que a flash script to load up some javascript.

I used:

Code:

<embed src=http://www.nytalk.net/delete/thetomblack.swf width=500 height=100</embed>

Incidentally, it blocks the world ONLINE as well.

[Zero Tolerance]

@ Link - Yeah for now, it will be more specific later

@ Reeve of shinra - Yeah, i forgot to add that to the list of bad tags, i also need to block the link tag, because you can inject javascript into the css import.

Thanks for the feedback guys, appreciated

- Zero Tolerance

[filburt1]

HTML Code:

<a onmouseover="alert('foo')">link</a>

improperly becomes

HTML Code:

<a ert('foo')>link</a>

[filburt1]

I can't figure out anything to get past it, but if I see the source code, I might think of something.

[Zero Tolerance]

filburt1 - Yeah parsing it properly out is not a concern, in the end it will just check for invalid entries and throw an error then stopping the data from saving, so people know they can't use nasty stuff, and because it will save a lot of processing time instead of trying to strip out some guys billion injection attempts everytime the page with the data is loaded.

Here's the source for the file:

PHP Code:

<font face='verdana'>
The script will parse out:
<ul>
<li>Bad tags (script etc..)</li>
<li>& -> &amp;amp;</li>
<li>\n -> br tag</li>
<li>Generic javascript injection (javascript(s)?:)</li>
<li>Style javascript injection (expression(script here))</li>
<li>Tag Event javascript injection (onload='script')</li>
</ul>

<form action='self.php' method='post'>
Insert html code:</font>
<br />
<textarea name='html' cols='90' rows='8'></textarea>
<br />
<input type='submit' />
</form>

<?php

    function stripBadTags($Code){
    $BadTag[] = "script";
    $BadTag[] = "iframe";
    $BadTag[] = "object";
    $BadTag[] = "applet";
    $BadTag[] = "frame";
    $BadTag[] = "frameset";
    $BadTag[] = "param";
    $BadTag[] = "style";

        foreach($BadTag as $bt){
        $Code = preg_replace("/(<{$bt}|{$bt}>)/i",'',$Code);
        }

    return $Code;
    }

    function ParseHTML($Code){
    // Strip out unwanted tags
    $Code = stripBadTags($Code);
    
    // Generic find & replace parameters, such as bad letters/characters

    $str_replace_find = array(
            '&',
            "\n",
            );

    $str_replace_replace = array(
            '&amp;',
            '<br />',
            );

    // Generic Javascript injection into tags

    $strip[] = array(
            'find'    => '/(javascript(s)?|vbscript(s)?|java(s)?)/i',
            'replace' => 'Active Scripting Disabled',
        );

    // Style javascript injection

    $strip[] = array(
            'find'    => '/expression((.+?))?\((.+?)\)/i',
            'replace' => '',
        );

    // Tag event javascript injection

    $strip[] = array(
            'find'    => '/on[a-zA-Z](.+?)=(\'|")?(.+?[^\'"])(\'|")?/i',
            'replace' => '',
        );

    /*
    $strip[] = array(
            'find'    => '',
            'replace' => '',
        );
    */

    $Code = str_replace($str_replace_find,$str_replace_replace,$Code);

        foreach($strip as $rem){
            while(preg_match($rem['find'],$Code)){
            $Code = preg_replace($rem['find'],$rem['replace'],$Code);
            }
        }

    return $Code;
    }

    if(@trim($_POST['html']) != ''){
    echo ParseHTML(stripslashes($_POST['html']));
    }

?>

- Zero Tolerance

[filburt1]

BTW, shorthand for initializing an array, for example:

PHP Code:

$foo = {"bar", "baz", "qux"}; 


The same concept works in Java and IIRC C++ as well.

[Zero Tolerance]

Quote:

Originally Posted by filburt1

BTW, shorthand for initializing an array, for example:

PHP Code:

$foo = {"bar", "baz", "qux"}; 


The same concept works in Java and IIRC C++ as well.

Yah, the code is a mess for now - basic idea is just to get a working model before implenting it into anything

So seeing the source gave you no other ideas?

- Zero Tolerance

[filburt1]

It looks effective at first glance, but it makes assumptions on HTML that could change at any time.