Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)
December 31, 2011 10 Comments
Bug has been reported/NoScript users are safe
First of all, this vulnerability and the related techniques have already been reported to Mozilla on 21st Nov 2011, without having any specific result till the date of this report (issue ID 704354 – works on all the latest versions which support HTML5). I had raised this bug as a major issue, but it seems it was not important from Mozilla Firefox point of view and its risk is not high at all.
However, NoScript can protect the users against it from version 2.2.3 [released about three weeks ago] (http://noscript.net/changelog) – thanks to Giorgio Maone for the fast response and quick fix.
As there is already a solution for this issue and its impact is not high, I am going to publish my research results as they belong to 2011!
The current protection
3- Drag and drop it on a new tab or on the context of the same tab that you currently have. You will not receive any alert message.
First bypass method- Letter Capitalization
Second bypass method- XSS by Feed Protocol
A possible exploitation method – HTML5 drag/drop functionality
In this step, I had to find a way to use the issue and exploit the system to prove that it can be an important security risk; however, there are two facts that made it a bit difficult:
1- There is no point if we cannot run the JS code on the context of another site.
The second problem was also solved by using a hidden “textarea” tag that I found during my tests! In Mozilla Firefox, if you select a text with a hidden textarea, all the texts in that hidden textarea will be selected as well.
I have created a proof of concept which can be found in the following link:
It is still possible to bypass Mozilla Firefox prevention method by finding another protocol or maybe by using the encoding techniques.