I figured I'd do a little blog posting about finding and exploiting XSS vulnerabilities in BBCode implementations. Not many sources exist for this type of information, and certainly none exist that I am aware of that are as comprehensive.
I've been in contact with RSnake from ha.ckers.org about possibly adding a section to his infamous XSS Cheat Sheet concerning this, and he has responded favorably. Unfortunately, nothing has yet come of this, so I figured I would go ahead and write something up here. A lot of this comes from exploits I have personally found, and most can be found scattered throughout this site.
Most forums allow a user to preview their submissions before posting. This is a good place to test for injections before haphazardly injecting codes!
So, without further ado, here is the list. Feel free to submit any additions below.
URL Tag Injection
The [url] tag can sometimes be injected with XSS, although this will always require a user to click on the link:
Color Tag Injection
The [color] tag can sometimes be injected with arbitrary CSS styles, and on Internet Explorer 7 and earlier, scripts can be executed via the IE-proprietary 'expression':
If this tag results in a rather large, red "XSS", then the BBCode allows CSS styles to be injected. Internet Explorer 7 or earlier can then be exploited using the 'expression' extension:
Font Tag Injection
The [font] tag, like the [color] tag, can sometimes be injected with arbitrary CSS styles as well:
[font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]
If this tag results in a red "XSS", then the BBCode allows CSS styles to be injected; the parameter is being copied into a style attribute without validation.
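To show why the probe above works and what a fixed handler looks like, here is an added example in Python (not code from this post, Joomla, Phorum or any other named project): a minimal [font] handler in the unvalidated form the post describes, beside a hardened one that allowlists the family names and escapes output, plus a check a reviewer can run over rendered HTML to spot a smuggled second declaration. The handler names, regexes and sample inputs are my own assumptions.

```python
import html
import re

# Hardened handler accepts only comma-separated family names built from
# letters, digits, spaces and hyphens; ';', ':', quotes and braces are rejected.
FONT_FAMILY_RE = re.compile(r"^[A-Za-z0-9 \-]+(?:\s*,\s*[A-Za-z0-9 \-]+)*$")
FONT_TAG_RE = re.compile(r"\[font=([^\]]*)\](.*?)\[/font\]", re.IGNORECASE | re.DOTALL)


def render_font_unsafe(text: str) -> str:
    """The pattern the post probes for: tag argument copied into style= verbatim."""
    return FONT_TAG_RE.sub(
        lambda m: f'<span style="font-family:{m.group(1)}">{m.group(2)}</span>', text
    )


def render_font_safe(text: str) -> str:
    """Hardened handler: validate the argument against an allowlist, escape output."""
    def repl(m: re.Match) -> str:
        family, inner = m.group(1).strip(), html.escape(m.group(2))
        if not FONT_FAMILY_RE.fullmatch(family):
            # Invalid argument: drop the tag entirely and keep only the escaped text.
            return inner
        return f'<span style="font-family:{html.escape(family)}">{inner}</span>'
    return FONT_TAG_RE.sub(repl, text)


def style_was_injected(rendered: str) -> bool:
    """Detection check: a style attribute carrying more than one CSS declaration."""
    for style in re.findall(r'style="([^"]*)"', rendered):
        if ";" in style.rstrip(";"):
            return True
    return False


# Constructed inputs: the post's own probe string and a benign tag.
PROBE = "[font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]"
BENIGN = "[font=Impact, sans-serif]hello[/font]"

if __name__ == "__main__":
    print(render_font_unsafe(PROBE))   # second declaration survives into style=
    print(render_font_safe(PROBE))     # tag dropped, only "XSS" remains
    print(render_font_safe(BENIGN))    # valid family list is kept
```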
Table Tag Injection
Some BBCode implementations allow users to construct tables, and sometimes allow arbitrary HTML tag parameters.
Unfortunately, this requires a bit of user interaction (unless you are injecting CSS styles as above, in which case you'll most likely be restricted to IE <= 7).
Nested URL Tag Injection
Many BBCode implementations fail, security-wise, when handed malformed BBCode. By nesting BBCode tags it is sometimes possible to "break out" of the predefined tags.
This example comes from an exploit I found in the Joomla component Joo!BB.
IMG Tag Injection
Nested IMG Tag Injection
This is basically the IMG tag injection above with a twist: nested tags are used to achieve the injection. It is based on the vulnerability found by Julian A. Rodriguez affecting Phorum.
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.