50ft Woman

The essence of all Cross-site scripting (XSS) attacks is unsanitized verbosity. Not a very good name! :) In that respect, every application that simply echoes input is vulnerable and can potentially be exploited by attackers to steal session identifiers, trick the user into performing some malicious activity, gather sensitive information, etc.

XSS attacks can be persistent or non-persistent. Persistent XSS is more dangerous, since it allows attackers to control exploited clients for longer. On the other hand, non-persistent XSS is considered less dangerous, although it has been widely used in many phishing attempts.

In this article I plan to introduce you to some of my findings around a new attack vector which is of the non-persistent XSS type but a lot more dangerous than the persistent one. This method can be used to bypass some mail filters, XSS filters, application firewalls and sanitization functions. In fact, if you are previewing this post with a vulnerable RSS reader, you may try clicking on the following link, which results in a harmless greeting alert box.

Some of you might be familiar with this attack vector; the subject has been covered only vaguely in the past and its full potential has not been explored. The impact of this attack is much bigger today and could affect many web applications.

The name Self-contained XSS explains it all. It is a Cross-site scripting attack that does not require a vulnerable web resource to echo input. Everything that is needed is contained in a single URL. Once this URL is opened, the resource is assembled automatically.

The URL must be prefixed with the data: protocol and follow a special syntax. Modern browsers support many protocols, such as http:, https:, ftp: and about:, but data: seems to be the most functional one, because it could potentially enable rich AJAX applications to generate PDF, DOC, MP3 and other formats without the need for server-side scripts. The specification of this protocol was outlined in 1998 in RFC 2397, authored at Xerox Corporation.

The impact of Self-contained XSS is even bigger than one can imagine. This technique allows dynamic creation of binary files from JavaScript. JavaScript worms are now able to create DOC and PDF files that may contain a malicious payload for exploiting various overflow vulnerabilities. For example, the following link opens a Self-contained Word document which, luckily, is absolutely harmless.

data:application/msword;base64,0M...
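The two passages above describe the RFC 2397 data: URL syntax and the fact that a single such URL can carry an HTML page, a script or a binary document with no server involvement. The following is an added example, not code from the original post: a small RFC 2397 parser (media type, parameters, base64 flag, decoded body) and a link-sanitization policy that classifies data: URLs by media type and rejects the ones that would render active content. It assumes a Node.js runtime (for Buffer); the helper names parseDataUrl, classifyDataUrl and isSafeHref are this example's own, and all sample URLs in the test are constructed, including the base64 payload, which decodes to the harmless string <h1>hi</h1>.

```javascript
// Added example: RFC 2397 data: URL parsing and a defensive href policy.
// Not code from the original post; function names are assumptions of this example.

// Media types that a browser will execute or render as a document. A filter that
// only looks for "<script" in the href misses these because the payload is a
// separate, possibly base64-encoded, part of the URL.
const ACTIVE_MEDIA_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',            // SVG can carry script
  'text/javascript',
  'application/javascript',
  'application/ecmascript',
]);

// Schemes an ordinary web application is happy to link to.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Parse "data:[<mediatype>][;<param>=<value>]*[;base64],<data>" (RFC 2397).
// Returns null when the string is not a well-formed data: URL.
function parseDataUrl(url) {
  const m = /^data:([^,]*),(.*)$/is.exec(String(url).trim());
  if (!m) return null;
  const parts = m[1].split(';').map((p) => p.trim());
  let base64 = false;
  if (parts.length && parts[parts.length - 1].toLowerCase() === 'base64') {
    base64 = true;
    parts.pop();
  }
  // RFC 2397: an omitted media type defaults to text/plain;charset=US-ASCII.
  const mediaType = (parts.shift() || 'text/plain').toLowerCase();
  const params = {};
  for (const p of parts) {
    const eq = p.indexOf('=');
    if (eq > 0) params[p.slice(0, eq).toLowerCase()] = p.slice(eq + 1);
  }
  let body;
  try {
    body = base64
      ? Buffer.from(m[2], 'base64')
      : Buffer.from(decodeURIComponent(m[2]), 'utf8');
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return { mediaType, params, base64, body };
}

// Classify a URL for sanitization purposes:
//   'not-data'  -> some other scheme, caller applies its normal allowlist
//   'malformed' -> starts with data: but does not parse; treat as hostile
//   'active'    -> HTML/SVG/script: renders and runs in the viewer
//   'inert'     -> plain text or a raster image: displayed, never executed
//   'binary'    -> anything else (application/msword, application/pdf, ...),
//                  i.e. a self-contained file download handed to another program
function classifyDataUrl(url) {
  const s = String(url).trim();
  if (!/^data:/i.test(s)) return 'not-data';
  const parsed = parseDataUrl(s);
  if (!parsed) return 'malformed';
  const t = parsed.mediaType;
  if (ACTIVE_MEDIA_TYPES.has(t)) return 'active';
  if (t === 'text/plain' || t.startsWith('image/')) return 'inert';
  return 'binary';
}

// Policy for an href attribute: scheme allowlist, and for data: only inert content.
// Scheme matching is case-insensitive and ignores surrounding whitespace so that
// "DATA:" or a leading space does not slip past the check.
function isSafeHref(href) {
  const s = String(href).trim();
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!scheme) return true; // relative link, no scheme to police
  const name = scheme[1].toLowerCase() + ':';
  if (name === 'data:') return classifyDataUrl(s) === 'inert';
  return ALLOWED_SCHEMES.has(name);
}

module.exports = { parseDataUrl, classifyDataUrl, isSafeHref };
```

The policy deliberately sends application/* types to a separate "binary" bucket rather than treating them as inert: a data: URL with a document media type is exactly the self-contained DOC or PDF the post describes, and whether to allow it is a product decision, not a parsing one.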

This issue mainly relates to Firefox, Opera and probably other browsers. IE6 and IE7 are not affected in that respect, because they cannot process data: URLs. However, there might be other means of achieving the same result. Keep in mind that this is not a vulnerability but rather a feature.