Bypass of HTML Sanitizer API using same origin use element
Categories: Core :: DOM: Security, defect, P2
People: Reporter: gazheyes, Assigned: freddy
References: Blocks 1 open bug
Keywords: reporter-external, sec-low, wsec-xss
Whiteboard: [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage][adv-main102+]
Attachments: 5 files
I was testing the Mozilla Sanitizer API that was introduced recently:
https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer
I found it was possible to use same origin use elements provided you specify the absolute URL. On Firefox, same origin 'use' elements allow JavaScript execution, whereas Chrome seems to block them, at least the auto-executing part. The attack would work if an attacker has control over a same origin resource, e.g. file upload. Even if this resource is served with a content disposition header, the attack still works.
Example of same origin use elements causing JavaScript execution:
https://portswigger-labs.net/xss/xss.php?x=%3Csvg%3E%3Cuse%20href=%22//portswigger-labs.net/use_element/upload.php%23x%22/%3E%3C/svg%3E
Firefox (Nightly) version tested:
99.0a1 (2022-02-25)
Tested Sanitizer on here:
https://mozilla.github.io/sanitizer-polyfill/demo/
Input:
<svg><use href="https://mozilla.github.io/sanitizer-polyfill/demo/upload.php#x" />
Output:
<div><svg><use href="https://mozilla.github.io/sanitizer-polyfill/demo/upload.php#x"></use></svg></div>
This shows an SVG use element including a same origin resource that automatically executes JavaScript.
This example shows an SVG file uploaded and served with the content disposition header.
Comment 3 (Assignee) • 3 years ago
For context: in a somewhat recent turn of events, we've realized that our implementation of <use> doesn't match other browsers and there are varying interpretations of what ought to happen.
Emilio filed https://github.com/w3c/svgwg/issues/876 and https://github.com/w3c/svgwg/issues/875 and we're changing how cross-document content works within <use>.
Given the vacuum in spec text and the inherent XSS hazards, I suggest we also remove <use> from nsTreeSanitizer's default allow list.
Comment 4 (Assignee) • 3 years ago
Comment 5 (Assignee) • 3 years ago
I'm going to call this sec-low due to the precondition that the used resource needs to be same-origin.
Comment 6 (Assignee) • 2 years ago
Comment 7 • 2 years ago
sanitizer restrict href in svg:use to fragment-only URLs r=hsivonen
https://hg.mozilla.org/integration/autoland/rev/37819efa513e53663bad1ebbb47035a8eff16e24
https://hg.mozilla.org/mozilla-central/rev/37819efa513e
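The rule the fix in Comment 7 describes, restricting the href of svg:use to fragment-only URLs, as an added example that is neither Mozilla's code nor the bug's patch: a string-level post-pass over serialized markup that keeps a use reference only when it is a bare `#fragment`, so the same-origin absolute URL from Comment 0 (which merely ends in `#x`), a scheme-relative URL and a relative path are all dropped, while `#x` survives. The function names `isFragmentOnlyHref` and `restrictUseHrefs`, the regex-based tag scan, the treatment of `xlink:href` like `href`, and the constructed sample inputs are assumptions of this example; nsTreeSanitizer works on the parsed DOM tree, not on strings, so this only illustrates the decision rule and the detection signal a sanitizer can emit.

```javascript
// Added example, not Mozilla's code: enforce "svg:use href must be
// fragment-only" on serialized markup. A production sanitizer works on the
// parsed DOM; this string scan only illustrates the decision rule.

// True only for references into the current document ("#id"). Any scheme,
// host or path is rejected, including a same-origin absolute URL that happens
// to end in "#x" (the Comment 0 input) and a bare relative path.
function isFragmentOnlyHref(href) {
  if (typeof href !== "string") return false;
  // Assumption: surrounding whitespace is ignored, as URL attribute parsing does.
  const v = href.trim();
  return v.startsWith("#");
}

// Matches a <use ...> start tag: attribute text, then an optional self-closing "/".
const USE_TAG = /<use\b([^>]*?)(\/?)>/gi;
// Matches one attribute: name, optional value (double-, single- or unquoted).
const ATTR = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rewrites every <use> start tag, dropping href/xlink:href attributes whose
// value is not fragment-only (treating xlink:href like href is this example's
// assumption). Returns the rewritten markup plus the dropped reference values,
// so a caller can log them as a detection signal for sanitizer bypass attempts.
function restrictUseHrefs(markup) {
  const dropped = [];
  const out = markup.replace(USE_TAG, (_whole, attrs, selfClose) => {
    const kept = [];
    for (const m of attrs.matchAll(ATTR)) {
      const name = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      const isRef = name === "href" || name === "xlink:href";
      if (isRef && !isFragmentOnlyHref(value)) {
        dropped.push(value);
        continue;
      }
      kept.push(m[0]);
    }
    const head = kept.length ? "<use " + kept.join(" ") : "<use";
    return head + (selfClose ? " />" : ">");
  });
  return { markup: out, dropped };
}

// Constructed inputs: the Comment 0 bypass payload, the fix's own mochitest
// input, and a legitimate in-document reference that must be preserved.
const SAMPLES = [
  '<div><svg><use href="https://mozilla.github.io/sanitizer-polyfill/demo/upload.php#x" /></svg></div>',
  "<svg><use href='http://example.com/test.svg'></svg>",
  '<svg><use href="#x" /></svg>',
];

for (const s of SAMPLES) {
  console.log(restrictUseHrefs(s));
}
```

The `dropped` list is the part worth wiring into monitoring: a sanitizer that silently strips the attribute fixes the page, but a non-empty `dropped` on user-supplied markup is exactly the event a defender wants counted and logged.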
Comment 8 • 2 years ago
The patch landed in nightly and beta is affected.
:freddy, is this bug important enough to require an uplift? If not, please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Comment 9 (Assignee) • 2 years ago
The feature is disabled by default. wontfix for Beta 101.
Comment 10 • 2 years ago
Comment 11 • 2 years ago
Reproduced the issue on Firefox 99.0a1 (2022-02-25) under macOS 12.4 with the same output as in Comment 0 by using the info provided there and some help from Freddy.
The issue is fixed on Firefox 102.0 with the "<div></div>" output. Tests were performed on macOS 12.4, Windows 11 and Ubuntu 22.04.
Comment 12 (Reporter) • 2 years ago
I've done a blog post about this issue:
https://portswigger.net/research/bypassing-firefoxs-html-sanitizer-api
Comment 13 • 2 years ago
tests r=hsivonen
Landed: https://hg.mozilla.org/integration/autoland/rev/b882a81251e328c870feda0792fcd1eb2e0fc3d0
Backed out for causing mochitest failures in test_sanitizer_api.html (failure log):
TEST-UNEXPECTED-FAIL | dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html | div.setHTML() should turn(String) '<svg><use href='http://example.com/test.svg'></svg>' into '<svg><use></use></svg>' - got "", expected "<svg><use></use></svg>"
Comment 14 (Assignee) • 2 years ago
patch landed via https://bugzilla.mozilla.org/show_bug.cgi?id=1770888