Bug has been reported/NoScript users are safe
First of all, this vulnerability and the related techniques were reported to Mozilla on 21st Nov 2011, without any specific result as of the date of this report (issue ID 704354; it works on all the latest versions that support HTML5). I had raised this bug as a major issue, but it seems it was not considered important from Mozilla Firefox's point of view, and that its risk is not high at all.
However, NoScript can protect users against it from version 2.2.3 (released about three weeks ago; see http://noscript.net/changelog) – thanks to Giorgio Maone for the fast response and quick fix.
As there is already a solution for this issue and its impact is not high, I am going to publish my research results, as they belong to 2011!
The current protection
3- Drag and drop it onto a new tab or onto the page of the tab you currently have open. You will not receive any alert message.
First bypass method- Letter Capitalization
Second bypass method- XSS by Feed Protocol
A possible exploitation method – HTML5 drag/drop functionality
In this step, I had to find a way to use the issue and exploit the system to prove that it could be an important security risk; however, two facts made it a bit difficult:
1- There is no point if we cannot run the JS code in the context of another site.
The second problem was also solved by using a hidden “textarea” tag that I found during my tests! In Mozilla Firefox, if you select text that spans a hidden textarea, all the text in that hidden textarea is selected as well.
I have created a proof of concept which can be found in the following link:
It is still possible to bypass Mozilla Firefox's prevention method by finding another protocol, or perhaps by using encoding techniques.
Although the impact is high, very few scenarios are susceptible to the attack.
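The two bypasses above (letter capitalization and the feed protocol) and the remark that encoding tricks may work too all point at the same defensive lesson: a check on dropped text must normalise the string before comparing the scheme. The following is an added example, not code from the original post or from Firefox; the "weak" check is a constructed stand-in for a naive filter (the page does not show Firefox's actual code), and the example assumes the feed-protocol bypass takes the form of a `feed:` prefix wrapped around a `javascript:` URL.

```javascript
// Added example: screening dropped text for a script URL.
// Not the original post's code; the weak check is a constructed stand-in.

// Weak check: exact, case-sensitive prefix match. "JavaScript:..." and
// "feed:javascript:..." both slip through, exactly as the post describes.
function weakIsScriptUrl(text) {
  return text.startsWith("javascript:");
}

// Normalise the dropped text the way a URL parser effectively would before
// the scheme is compared: strip leading whitespace/control characters,
// percent-decode, lower-case, and peel off a wrapper scheme such as "feed:"
// that hands its payload to another protocol handler. The loop bounds the
// number of unwrapping rounds so nested wrappers cannot make this spin.
function normalizeScheme(text) {
  let s = text;
  for (let round = 0; round < 3; round++) {
    s = s.replace(/^[\s\x00-\x1f]+/, "");
    try {
      s = decodeURIComponent(s);
    } catch (e) {
      // Undecodable input (a stray "%") is left as is rather than rejected here.
    }
    s = s.toLowerCase();
    // "feed:" is the wrapper scheme named on the page; this assumes it wraps
    // the inner URL directly after the colon.
    const wrapper = /^feed:\s*/.exec(s);
    if (!wrapper) break;
    s = s.slice(wrapper[0].length);
  }
  return s;
}

// Hardened check: compare the scheme only after normalisation.
function hardenedIsScriptUrl(text) {
  return /^javascript:/.test(normalizeScheme(text));
}

// Constructed sample inputs illustrating each bypass class from the post.
const samples = [
  "javascript:alert(1)",        // plain: both checks catch it
  "JavaScript:alert(1)",        // letter capitalization: weak check misses it
  "feed:javascript:alert(1)",   // feed protocol: weak check misses it
  "  java%73cript:alert(1)",    // encoding plus leading whitespace
  "https://example.com/",       // harmless
];
for (const s of samples) {
  console.log(JSON.stringify(s), "weak:", weakIsScriptUrl(s), "hardened:", hardenedIsScriptUrl(s));
}
```

The point of the hardened version is not the particular regex but the ordering: decode, lower-case and unwrap first, then compare. Any filter that compares before normalising invites the next "find another protocol" bypass the post anticipates.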
Yes, in fact the risk was not high and that’s why it has been published.
I tried your PoC, it works ok, but as you said the main challenging issue about exploiting this XSS is to deceive the users into dragging it.
Nice article – just an observation on your last paragraph.
Since you mention drag and drop in the chrome:// security zone as a further attack vector, I guess this white paper might be of interest for you: “Cross Context Scripting with Firefox”: http://bit.ly/sFrf0X – I covered such attack in section 2.1, assuming the scenario of a vulnerable Firefox addon which allows drag and drop action from an untrusted web page :-)
Thanks for the link. It seems very interesting and I am wondering why I’ve missed this one. By the way, instead of finding a vulnerable add-on, if you can force the user to install a malicious one, you can run any code in the first place as you know.
This is a great exploit, never seen this Drag and Drop XSS before. Good job really!