Wednesday, April 16, 2008

Exploiting browsers' mental diseases

Armando Romeo
I was reading an interesting blog post on Billy Rios's blog about a new Google XSS found in Google Spreadsheets.
Specifically, that XSS is in my opinion more the fault of Internet Explorer, the only browser vulnerable to it, than of Google itself.

The JavaScript injection is caused by Internet Explorer rendering text/plain as active content, that is, as HTML.
Indeed, Billy simply created a link to the spreadsheet in CSV format.
The spreadsheet contains a JavaScript snippet as the content of its first cell, which the guilty Internet Explorer then interprets as HTML code.

The problem could have been avoided if Google had explicitly set Content-Disposition to "attachment", forcing browsers to offer the file for download instead of showing it inline.

The most interesting part is not the exploit in itself but the way it is achieved.
Internet Explorer, as well as other browsers, gives little consideration to security when deciding how to render a document based on the content type sent by the server.

Internet Explorer has been shown to render 696 of 735 content types as HTML. This means that if we are able to inject data into a web application that serves one of those content types, we may end up with an XSS
that works under IE, because IE will render it as active content (read: HTML).

As in Rios's exploit, the web application must serve the response with Content-Disposition set to inline to be vulnerable (this is the default).

Now I need your attention. In the (great) Leviathan Security paper, scroll down to the list of MIME types that are NOT interpreted as active content by IE.
Do you see image/jpeg? Nope!
And here comes what Doz and I were discussing some time ago.

Internet Explorer 7 displays JPEG images inline (of course), but what is worse, it reads their content and renders it as if it were HTML!

Click here for a proof of concept

This is not new, but it has probably not been exploited much, even though Microsoft has suffered from this issue since version 6.
Firefox doesn't suffer from such schizophrenia.

This kind of (logical) flaw can be used against all those web applications that don't use GD or any other graphics library to check that an uploaded image is valid.
I'm talking about those that check only the file extension.

I'm talking about using your fake image as a forum avatar, thus rendering JavaScript on the forum's pages.

I'm not sure if it is possible to both show the picture and trick IE into rendering the HTML at the same time; I'm not much into JPEG or image handling to carry this research on, but this could be super-dangerous, as no one would investigate
the broken-image icon caused by the fake image with JS code inside it.
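The two defences this post argues for, the Content-Disposition: attachment header for exported files and real content checks for uploaded images, as an added example that is not part of the original post. The function names, the HTML marker list and the 256-byte sniffing window are my assumptions; the X-Content-Type-Options header is a later IE8 addition not mentioned in the post.

```python
import re

# Hypothetical helpers (not from the original post) for a web app that
# accepts avatar uploads and serves user-controlled files such as CSV exports.

JPEG_SOI = b"\xff\xd8\xff"   # Start-Of-Image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"       # End-Of-Image marker every JPEG ends with

# Constructed list of tags a sniffing browser treats as evidence of HTML.
# The 256-byte window is an assumption about how much a sniffer inspects.
HTML_MARKERS = re.compile(rb"<(html|head|body|script|iframe|img|a |!--)",
                          re.IGNORECASE)


def is_real_jpeg(data: bytes) -> bool:
    """Magic-byte check: far stronger than trusting the .jpg extension."""
    return data.startswith(JPEG_SOI) and data.rstrip(b"\x00").endswith(JPEG_EOI)


def looks_like_html(data: bytes, window: int = 256) -> bool:
    """Would a sniffing browser see HTML markup in the leading bytes?"""
    return HTML_MARKERS.search(data[:window]) is not None


def accept_avatar(filename: str, data: bytes) -> tuple:
    """Decide whether an uploaded avatar may be stored and served inline."""
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False, "extension not allowed"
    if not is_real_jpeg(data):           # extension-only checks stop here
        return False, "not a JPEG (magic bytes missing)"
    if looks_like_html(data):            # valid JPEG carrying HTML markup
        return False, "HTML markup in image header"
    return True, "ok"


def download_headers(filename: str, content_type: str) -> dict:
    """Headers for serving user-supplied files (CSV exports, uploads)."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)   # no header injection
    return {
        "Content-Type": content_type,
        # 'attachment' instead of the default 'inline': the browser offers
        # the file for download rather than rendering it as a page.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Added by IE8 after this post was written; disables sniffing.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(accept_avatar("evil.jpg", b"<html><script>alert(1)</script></html>"))
    print(download_headers("report.csv", "text/plain"))
```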

In the end, I agree with Billy: web developers should understand more about browser behaviour and use HTTP headers accordingly if they want to keep their web apps secure.

Writing good, secure code is not enough to produce a secure web application if you feed it to browsers that suffer from psychological disorders.
