
#2 NULL Bytes within an HTML response breaks 3.2.9 reporting

Status: open
Owner: nobody
Labels: None
Priority: 2
Updated: 2006-04-24
Created: 2006-03-24
Creator: Strace
Private: No

Hello,

I have been developing a number of custom plugins for
version 3.2.9 that test for types of XSS filter
evasion. I have noticed that plugins that inject Null
bytes break reporting when they are successful, i.e.
when the attack succeeds and the XSS works, the
following will be contained in the html:

<SCR[null]IPT>alert('Paros')</SCR[null]IPT>

Within the plugin itself, I am injecting the null
byte with the \u0000 unicode representation.

The presence of the null bytes within the HTML causes
Paros not to generate a report. It will scan and
identify the security issue, and you can view the
request and response, but when generating an HTML
report, the report never appears.

I have compensated by putting those into a separate
category for now, called "Manual Report", and
basically look visually at the HTML output to see if
the attacks succeed.

I have looked through the 3.2.9 source but I'm unable
to track down the problem.

To verify this problem,

1. modify an XSS plugin as shown below:

    // Payload with the SCRIPT tag split by a NUL (U+0000, written as a Java unicode escape)
    private static final String XSS1
        = "<SCR\u0000IPT>alert('" + Constant.getEyeCatcher() + "')</SCR\u0000IPT>";

    // Matching pattern; the parentheses are escaped for the regex, the NUL is matched literally
    private static final Pattern patternXSS1
        = Pattern.compile("<SCR\u0000IPT>alert\\('" + Constant.getEyeCatcher() + "'\\)</SCR\u0000IPT>");

2. Run the plugin on an XSS vulnerable target, so
that the nulls appear within the body of the HTML
returned from the target. (If you need a server
that's vulnerable to this, I can point out servers
and versions for your testing).

3. Generate the report. The process of report
generation should fail silently and the report should
never appear.

Hope this helps. If you need additional information,
I can put together some screen shots for you or even
send you one of my plugins that causes this problem.

thanks

-tom

Discussion

  • Strace

    Strace - 2006-03-24


    I have attached a PDF that shows some screenshots and
    offers a quick explanation.

  • Mike

    Mike - 2006-03-25


    Can you provide the complete stack trace (by starting Paros
    from the command line)? There should be some exception
    generated during report generation.

    parosproxy.org

  • Strace

    Strace - 2006-03-25


    C:\Documents and Settings\sterling\Desktop\Sobakawa\paros\build>cd paros

    C:\Documents and Settings\sterling\Desktop\Sobakawa\paros\build\paros>java -jar paros.jar
    file:/C:/Documents%20and%20Settings/sterling/Desktop/Sobakawa/paros/build/paros/paros.jar
    file:/C:/Documents%20and%20Settings/sterling/Desktop/Sobakawa/paros/build/paros/paros.jar

    [Fatal Error] :419:27: An invalid XML character (Unicode: 0x0) was found in the element content of the document.
    org.xml.sax.SAXParseException: An invalid XML character (Unicode: 0x0) was found in the element content of the document.
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at org.parosproxy.paros.extension.report.ReportGenerator.stringToHtml(Unknown Source)
    at org.parosproxy.paros.extension.report.ReportLastScan.generate(Unknown Source)
    at org.parosproxy.paros.extension.report.ReportLastScan.generate(Unknown Source)
    at org.parosproxy.paros.extension.report.ExtensionReport$1.actionPerformed(Unknown Source)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.AbstractButton.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)

  • Mike

    Mike - 2006-04-21


    This is not a fault of Paros reporting. You should encode
    the display in this case because the XML SAX generator
    cannot parse the \u0000 instead.

    parosproxy.org
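As an added example (not code from Paros, and not written by either poster), the following Python reproduces the failure shown in the stack trace above and the fix Mike describes: a NUL byte captured in a response breaks the XML-based report, and encoding the captured text before it is embedded lets the report generate while keeping the evidence visible. It assumes the report is produced by embedding response text into an XML document that a DOM parser then reads, which is what the trace through ReportGenerator.stringToHtml suggests; the <report>/<response> layout, the function names and the sample response are hypothetical and constructed here. The character class used is the XML 1.0 Char production, so the same escaping covers every character XML forbids, not only U+0000.

```python
import html
import re
import xml.dom.minidom
from xml.parsers.expat import ExpatError

# Characters permitted by the XML 1.0 "Char" production. Anything outside it
# (U+0000 included) may not appear in a document at all, not even as a
# numeric character reference, so it has to be rewritten before parsing.
_XML_ILLEGAL = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def escape_for_xml_report(text: str) -> str:
    """Prepare captured response text for embedding as XML element content.

    Illegal XML characters become a visible \\uXXXX marker (the notation the
    plugin author used to inject them), so the evidence stays readable in the
    report; markup characters are then entity-escaped so the HTML is displayed
    rather than interpreted.
    """
    visible = _XML_ILLEGAL.sub(lambda m: "\\u%04x" % ord(m.group()), text)
    return html.escape(visible, quote=False)


def build_report(response_body: str, sanitize: bool = True) -> str:
    """Wrap a response body in a minimal XML report document.

    The element layout is hypothetical; it stands in for whatever document the
    real report generator hands to the DOM parser. With sanitize=False only
    markup escaping is applied, which reproduces the failure from the ticket.
    """
    if sanitize:
        content = escape_for_xml_report(response_body)
    else:
        content = html.escape(response_body, quote=False)
    return "<report><response>%s</response></report>" % content


def parses_as_xml(document: str) -> bool:
    """True if the DOM parser accepts the document, False on a well-formedness error."""
    try:
        xml.dom.minidom.parseString(document)
        return True
    except ExpatError:
        return False


def response_text(document: str) -> str:
    """Text content of <response> after parsing, with entities decoded."""
    doc = xml.dom.minidom.parseString(document)
    node = doc.getElementsByTagName("response")[0]
    return "".join(child.data for child in node.childNodes)


# Constructed sample: the HTML a vulnerable target would echo back when the
# NUL-split payload from the ticket succeeds. "\x00" is a real NUL byte here.
RESPONSE_WITH_NUL = "<html><body><SCR\x00IPT>alert('Paros')</SCR\x00IPT></body></html>"

if __name__ == "__main__":
    print("raw embedding parses:      ", parses_as_xml(build_report(RESPONSE_WITH_NUL, sanitize=False)))
    print("sanitized embedding parses:", parses_as_xml(build_report(RESPONSE_WITH_NUL)))
    print("report shows:", response_text(build_report(RESPONSE_WITH_NUL)))
```

Run stand-alone, the raw embedding fails to parse (the Python equivalent of the SAXParseException above), while the sanitized embedding parses and the report shows the split tag as `<SCR\u0000IPT>`, so the reader can still see that the filter-evasion payload was reflected.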

  • Mike

    Mike - 2006-04-24
    • priority: 5 --> 2