Using XSS filtering to mitigate XSS vulnerabilities

A vulnerability found in Web browsers allows malware to bypass XSS filters. Michael Cobb explains how to address the issue.

I heard about a vulnerability in Chrome and Safari that allows attackers to bypass anti-cross-site scripting filters and is easily exploitable. How can I protect my users and system until patches are released?

Cross-site scripting vulnerabilities have been around since the 1990s, and most major websites, including Google, Yahoo and Facebook, have been affected by XSS vulnerabilities at some point. Attacks exploiting XSS vulnerabilities can steal data, take control of a user's session, run malicious code or be used as part of a phishing scam. They work by injecting code, usually a client-side script such as JavaScript, into a Web application's output. Because XSS is such a dangerous vulnerability, modern Web browsers include security filters that try to stop attackers from running malicious injected code in users' browsers when they visit a site vulnerable to XSS attacks.

Researcher Ioseba Palop from Eleven Paths found a bug in the cross-site scripting filter in Chrome and Safari that enables an attacker to bypass it in certain scenarios and compromise visitors to a vulnerable site. The problem lies in how the filter handles the new HTML5 "srcdoc" attribute of the iframe tag. The iframe tag is supported in all major browsers and is used to embed another document within the current HTML document. It is marked up as follows:

<iframe src="http://www.techtarget.com"></iframe>

The srcdoc attribute of the iframe tag is new in HTML5 and is currently only supported in Firefox, Chrome and Safari. The srcdoc attribute specifies the HTML content of the page to show in the inline frame. An example would be:

<iframe srcdoc="<p>Welcome to TechTarget!</p>" src="http://www.techtarget.com"></iframe>

(If the src attribute and the srcdoc attribute are specified together, the srcdoc attribute takes priority. This allows a fallback URL for browsers that do not support the srcdoc attribute.)

Palop's proof-of-concept code shows that if a webpage includes an iframe and doesn't apply any charset filters to GET or POST parameters, then attacker-supplied JavaScript can be injected into the srcdoc attribute. There is no immediate practical workaround, so users must be made aware of the dangers of visiting untrusted sites and need to keep up-to-date antimalware protection, with malicious URL filters such as Microsoft's SmartScreen turned on.

Security teams should make sure their Web development teams are aware of the issue, as there are some important takeaways. Web developers looking to use new HTML attributes introduced in HTML5 should read the relevant documentation to ensure that they are implementing them correctly and securely. For example, the srcdoc attribute is expected to be used together with the sandbox and seamless attributes. The sandbox attribute enables a set of extra restrictions on any content hosted by the iframe. It is also important to serve the contents of an iframe from a separate domain, so that if an attacker convinces the user to visit that page directly, the page doesn't run in the context of the site's origin. Most websites have numerous injection points, such as search fields, comment forms and cookies, so developers should sanitize any user input before it is processed and redisplayed, particularly if it is to appear within an iframe.
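The following JavaScript is an added illustration, not code from the article or from Palop's research, of why untrusted text placed in a srcdoc attribute must be escaped twice: the browser first decodes the attribute value and then parses the result as a complete HTML document. The decodeAttribute function is a constructed, minimal stand-in for that browser decoding step, and the sample input is constructed.

```javascript
// Added example: rendering untrusted text inside a sandboxed iframe via srcdoc.
// srcdoc is an attribute whose decoded value becomes the inner document, so the
// text needs one escaping layer for the inner document's text context and a
// second layer for the attribute context it travels through.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so it is inert as HTML text or as a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Constructed stand-in for the browser's attribute-value decoding (single pass,
// only the five entities escapeHtml produces).
function decodeAttribute(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => map[e]);
}

// Weak: a single escaping layer. After attribute decoding the inner document
// receives the raw user text, so any markup in it is live.
function frameSingleEscape(userText) {
  return `<iframe sandbox srcdoc="${escapeHtml(userText)}"></iframe>`;
}

// Hardened: escape for the inner document's text context first, then again for
// the attribute. The bare sandbox attribute keeps every restriction (no scripts,
// no same-origin access), which is the defence-in-depth the article recommends.
function frameDoubleEscape(userText) {
  const innerDoc = `<p>${escapeHtml(userText)}</p>`;          // inner-document text context
  return `<iframe sandbox srcdoc="${escapeHtml(innerDoc)}"></iframe>`; // attribute context
}

// Recover what the inner document's parser would actually see for a given markup string.
function innerDocumentOf(iframeHtml) {
  const m = /srcdoc="([^"]*)"/.exec(iframeHtml);
  return m ? decodeAttribute(m[1]) : null;
}

// Constructed sample input containing markup that must not become live.
const SAMPLE_INPUT = '<b>hello</b>';
```

Running innerDocumentOf over both frames shows the single-escaped version hands the inner document live `<b>` tags, while the double-escaped version hands it inert `&lt;b&gt;` text.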

This was first published in July 2014