Update your URL filtering: possible XSS from "Data" URL scheme - Firefox
In regards to the Data in URL scheme (RFC here), I’ve found an interesting issue with the way firefox handles it which could lead to some XSS I think.
First of all, if you’re not aware of the feature, let me explain. Browsers are built to decode information in the URL (for the purpose of this blog, I’m JUST focusing on base64) with a specific URL handler:
With this, you can add specific payloads to the URLs (think a very very small
.exe file) or specify the actual image data for an image tag (think single PHP scripts with no image directory - neeto!)
Let’s see an example:
First off, this is just an example - so it’s pretty simple. But I could make a request to a remote server through an image.src or an ajax call. Here, I’m just alerting the cookie to the screen (note, if this wasn’t an alert, the average user would not notice.)
<script> alert("cookie steal: "+document.cookie); window.location.href='http://www.google.com'; </script>
Which, when base64 encoded is
Put it all together:
Now, I’ve tested this example in Firefox 2 which supports this scheme - and it alerts the cookie. With IE 7, no such luck.
Disclaimer It should be noted, I think this is NOT an issue with Firefox’s handling of the specification. See #6:
Interpretation of the data within a “data” URL has the same security considerations as any implementation of the given media type. An application should not interpret the contents of a data URL which is marked with a media type that has been disallowed for processing by the application’s configuration.