
XSS Filter Died?


unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat Jan 14, 2012 1:38 am

XSS Filter Died?

I'm trying to figure out what happened to a web app I was testing today.  I was blackbox testing the forum/discussion feature for an online learning app (written in Java) that allows users to post HTML, but has an XSS filter to block known bad HTML tags.  I've found some ways to bypass this particular filter before and was testing some new things today.  When I input something it doesn't like, I would get an error message like: "Forbidden Content: <evil>Boo</evil>"

Here's the strange part: at some point in my testing, it stopped blocking anything at all.  All of the things that it used to flag as "forbidden content" were allowed through.  I could use any tag I wanted including the obvious <script>.  What would cause this?

One guess is that the routine is throwing an exception and that the exception is handled by simply returning as if everything is okay, but I don't know why it would do that every time.  Would there be a reason for it to maintain state?  If it does, I could see it getting so screwed up that it can't run without throwing an exception.

Is there something else it could be doing?  I don't have source code to check this and I've never run into a similar error while coding.

Thanks,

Unicityd
BS in IT, CISSP, MS in IS Management (in progress)

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sat Jan 14, 2012 2:21 am

Re: XSS Filter Died?

Sounds like you were whitelisted, mid-test....was that not in the original project specs? You sure the sales guy didn't add it after the PT began?!

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat Jan 14, 2012 4:07 am

Re: XSS Filter Died?

It wasn't part of a pen-test, just some independent research.  I'm the application admin for the system which is hosted by the vendor.  As far as I know, there isn't a way to turn the filter off (on purpose).

It's a production system, but school is out right now so I'm pretty much the only person on.  I've always felt comfortable playing with XSS using a test course where there aren't any real users that I can harm.  The side effects I saw today surprised me.
BS in IT, CISSP, MS in IS Management (in progress)

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Jan 14, 2012 2:31 pm

Re: XSS Filter Died?

Sounds like Java mischief to me hehe  ;D Somehow you either got whitelisted, or disabled the "Anti-XSS Firewall" or whatever happened. You will only be able to know if you debug the application and reproduce your steps, on another IP with fresh (new) cookies too of course.
I'm an InterN0T'er

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat Jan 14, 2012 4:02 pm

Re: XSS Filter Died?

MaXe wrote:
You will only be able to know if you debug the application
I think I'm out of luck since I don't have the ability to debug this app.  I do know that it's a global issue since the problem persists on other accounts/machines.  I really wish I had source code so I could see what the hell they are doing.
BS in IT, CISSP, MS in IS Management (in progress)

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Jan 14, 2012 6:08 pm

Re: XSS Filter Died?

It would indeed be interesting to see how on earth such a scenario could be possible, as even I haven't seen it elsewhere. I've seen the opposite, that after like 100 attempts you get blacklisted for a while or permanently, but getting whitelisted out of nowhere allowing all script execution vectors, now that's rare but fun to hear about hehe  ;D
I'm an InterN0T'er

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sun Jan 15, 2012 4:41 pm

Re: XSS Filter Died?

I screwed up :(  I was using multiple test accounts and I mixed up and made one of the accounts a professor instead of a student.

So, the XSS filter functions although I can still bypass it using certain tags.

I would like to know why it blew away a discussion category though; definitely some data corruption at play there.
BS in IT, CISSP, MS in IS Management (in progress)
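The thread ends with two candidate explanations for a filter that "died": the poster's first guess (an exception swallowed by a handler that returns the raw input) and the real cause (a privileged role that skips the filter). The following is an added example, not the vendor's code or anything posted in the thread. It models an allowlist tag filter of the kind described (so that "<evil>Boo</evil>" is rejected), wires it up the fail-open way and the fail-closed way, and includes the blackbox probe a tester would run: the same payload across roles and across a crashed filter dependency. The tag allowlist, the role name "professor", and the `broken_check` stand-in are all constructed for illustration.

```python
import re
from typing import Callable

# Added example, not the learning app's own code. Allowlist, role names and
# the crashed-dependency stand-in are constructed for illustration.

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a"}
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


class ForbiddenContent(Exception):
    """Raised when the submitted HTML contains a tag outside the allowlist."""


def check_tags(html: str) -> str:
    """Reject any tag name not on the allowlist; return the HTML otherwise.

    This checks tag names only. It is not a real sanitizer: attribute-based
    vectors (event handlers, javascript: URLs) pass straight through, which
    is why filters like this stay bypassable with "certain tags".
    """
    for match in TAG_RE.finditer(html):
        if match.group(1).lower() not in ALLOWED_TAGS:
            raise ForbiddenContent(f"Forbidden Content: {html}")
    return html


def post_fail_open(html: str, role: str,
                   check: Callable[[str], str] = check_tags) -> str:
    """The filter as it is often (wrongly) wired up.

    - a privileged role skips the filter entirely (the thread's real cause)
    - any unexpected error is swallowed and the raw HTML is accepted
      (the poster's first guess)
    """
    if role == "professor":
        return html
    try:
        return check(html)
    except ForbiddenContent:
        raise
    except Exception:
        return html


def post_fail_closed(html: str, role: str,
                     check: Callable[[str], str] = check_tags) -> str:
    """Same filter, hardened: no role exemption, and a filter error rejects
    the post instead of storing unfiltered HTML."""
    try:
        return check(html)
    except ForbiddenContent:
        raise
    except Exception as exc:
        raise ForbiddenContent(f"filter error, post rejected: {html}") from exc


def broken_check(html: str) -> str:
    """Constructed stand-in for a filter whose dependency has crashed."""
    raise RuntimeError("sanitizer state corrupted")


def is_blocked(post: Callable[..., str], html: str, role: str,
               check: Callable[[str], str] = check_tags) -> bool:
    """Blackbox probe: True if the post is rejected for this role/filter state."""
    try:
        post(html, role, check)
    except ForbiddenContent:
        return True
    return False


PROBE = "<evil>Boo</evil>"

if __name__ == "__main__":
    # Same payload across roles, then against a crashed filter: the
    # pattern of which combinations pass tells the two causes apart.
    for role in ("student", "professor"):
        print(f"{role:9} fail-open blocked={is_blocked(post_fail_open, PROBE, role)} "
              f"fail-closed blocked={is_blocked(post_fail_closed, PROBE, role)}")
    print("crashed filter, fail-open   blocked =",
          is_blocked(post_fail_open, PROBE, "student", broken_check))
    print("crashed filter, fail-closed blocked =",
          is_blocked(post_fail_closed, PROBE, "student", broken_check))
```

Run without access to the source, the probe distinguishes the two causes: a role exemption lets the payload through for one account and not another, while a fail-open handler lets it through for every account until the underlying fault clears. Either way the fix is the same shape as `post_fail_closed`: no role is exempt from output filtering, and an internal error rejects the post rather than storing it unfiltered.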