Code Igniter XSS Filter Multiple Bypasses
Recently we released our "XSS Filter Evasion Cheat Sheet", i was quite surprised to hear the community feedback. The total downloads have surpassed a figure of 2500, which was quite amazing considering that i didn't expect it to escalate that quickly. Recently, i had a chance to test Code Igniter's XSS clean function, as it relied upon blacklist it caught my interest. I was pleased that almost all the payloads/techniques that were used to bypass the "XSSCLEAN" function have been already documented inside our "XSS Filter Evasion Cheat Sheet".
Vulnerability Details
The test-bed i used was setup by @soaj1664ashar based upon the rules of the "XSS Clean" function inside of code igniter.http://xssplayground.net23.net/clean11.html
I managed to find lots of bypasses, however couple of them collided with what @soaj1664ashar had already found before. Therefore, i thought to publish the ones that did not collide with his vectors.
Bypass 1 - Null Bytes
Internet explorer up to version 9, ignores null bytes every where. The XSSClean function was filtering for keywords like <script>, however it was not filtering out the null bytes. Therefore under Internet explorer 9 and below, the following is a valid vector executing javascript perfectly.<scr\x00ipt>confirm(1);</scr\x00ipt>
Bypass 2 - SVG and XLINK
The XSSCLEAN function was not filtering out the SVG tag and the xlink attribute. Along with it the XSSCLEAN function was also filtering out keywords such as javascript, vbscript etc. However this doesn't prevents us from executing javascript.protected function _js_link_removal($match)
{
//echo "in link removal";
return str_replace($match[1],
preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
'',
$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
),
$match[0]);
}
The following payload manages to pass through the XSSCLEAN function of Codeigniter and yields a valid javascript:
<svg xmlns:xlink=http://www.w3.org/1999/xlink><a><circle r=100 /><animate attributeName=xlink:href values=;javas	cript:confirm(1) />
Bypass 3 - HREF
Since, we were able bypass the blacklist that was looking for the keyword "javascript", we can use the href tag to execute valid javascript.
<a/href=javas	cript:confirm(top.location)>XSS
There are countless other variations thought.
Bypass 4 - Separators
There are certain characters that get's parsed as whitespace characters, since the "Code Igniter" was not filtering out the space characters, they can be used to yield a valid javascript syntax inside various browsers. For more information on them, please refer to our "XSS Filter Evasion Cheat Sheet".More Bypasses
Ashar javed found various bypasses for CodeIgniter, if you are interested in more bypasses, please refer the link below:https://github.com/EllisLab/CodeIgniter/issues/2667