VBScript to Rule IE

SANS have published a report on VBScript malware and related things. The report was mentioned on ha.ckers.org which was followed by a small discussion on various ways of injecting VBScript, executing statements, etc.

Most of you probably know what VBScript is. For sure, it is no a popular option among web application developers because it works on Internet Explorer only. However, it is a perfect solution for injecting malicious code (XSS) inside dynamically generated web pages via a server side script or DOM. I have used VBScript in the past, and I must say that large portion of web applications successfully sanitize JavaScript but fails to do the same with VBScript. Why is that people? Internet Explorer is still the most popular browser in the world.

If you haven’t played with VBScript in the past, expect to see a language which is quite similar to Ruby. It is lite and easy to use. One particular difference between VBScript and JavaScript is that the later terminates each statement with semicolon. VBScript cannot do that, which means that in theory you shouldn’t be able to make one-liners like in JavaScript. That’s not true.

In a few simple steps you can put several lines of VBScript code in a single line. For example, use the following URL in your Internet Explorer two show to alert boxes (MsgBox in VBScript).

vbscript:Execute(chr(77) & chr(115) & chr(103) & chr(66) & chr(111) & chr(120) & chr(40) & chr(34) & chr(66) & chr(108) & chr(97) & chr(34) & chr(41) & chr(13) & chr(10) & chr(77) & chr(115) & chr(103) & chr(66) & chr(111) & chr(120) & chr(40) & chr(34) & chr(66) & chr(108) & chr(97) & chr(34) & chr(41))

This is probably the safest way to do this sort of things although with the help of some URL encoding magic you can achieve similar result. Notice that each line is connected with chr(13) & chr(10), which is the familiar LF CR sequence.

You cannot execute VBScript on about:blank in Internet Explorer 7. To test the expression, go to some random page and then place the code in your address bar.

This sort of thing can be applied in many situations. Many often, web applications sanitize URLs that start with the keyword javascript: and leaves everything else. If you use the vbscript: protocol you can bypass this restriction, which creates a XSS exploitable condition. This is one type of scenario and be sure that you can do a lot more then that.

VBScript has access to DOM as well. For example, you can access Document.cookie and Document.location. You can do XML HTTP requests and do almost everything you can think of.

Long story short, it is important to know about VBScript and its capabilities because as long Internet Explorer supports it and you are planning to support Internet Explorer, you have to deal with it. Do not implement black listing XSS filters. They can all be escaped with a few tricks.

All I want to say is that VBSript is here to stay and it will be widely used to bypass secure XSS filters. Be aware of it, and be prepared.

Comments

Aviv responds:

The equivalent for the javascript’s semicolon (;) in vbscript is a colon (:).
Even though I wasn’t able to use it directly in the address bar (at-least on my Vista’s IE7), it worked in the Execute statement instead of the CrLf chars.

pdp responds:

cool, I didn’t know about that. thanks.

Awesome AnDrEw responds:

I’ve been utilizing VBScript since 2001 knowing full well it only renders in Internet Explorer, which as pointed out in the above article is still the most popular browser. Another thing to be noted about VBScript is its case insensitivity when it comes to statements. What sucks about VBScript though is that all variables remain variants (I believe they remain that way even after appending them with an abbreviation such as “$” for strings, “%” for integers, and so forth) even with Option Explicit (which forces you to declare variables).

pdp responds:

Awesome, you know what people say about VBScript and in particular VBasic: once you learn it you programming mindset will be crippled for life. That, of course, is a joke. :)

Dnupter responds:

it is so cool. i just want to know more

GNUCITIZEN Products

Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.

Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.

Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.

Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.

Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.

Visit the GNUCITIZEN Network for a complete listing of all GNUCITIZEN initiatives, products and partnering organizations.

GNUCITIZEN

Navigation

Comments

Respond

The Others

GNUCITIZEN Products

Recent Posts

Random Posts

From The Cutting-edge Network