![]() DOM tree created after pasting depended on the exact place in which the paste occurred. I noticed an interesting peculiarity when pasting an HTML code with a element. The first bug I identified is a universal XSS, fixed in Chromium 79 ( /1011950). In this section I’ll describe in detail a selection of clipboard sanitizer issues I identified. As a result, I found at least one sanitizer bypass in all major browsers: Chromium, Firefox, Safari, and the classic Edge. You can also use “ Copy & Paste playground” to test for XSS issues via copy&paste in external pages first copy arbitrary HTML from the playground and then paste it on an external page (or even an external application).Ĭonsidering that browsers must employ some logic behind deciding whether any HTML element or attribute should be sanitized or not, I decided to give them a look, and try to find bypasses. ![]() The view of DOM trees makes it easy to see that the browser stripped the onerror attribute after pasting. In the example in figure 1: firstly, I entered the following XSS payload in the HTML input field: secondly, I clicked “Copy as HTML” finally, I pasted it in the paste target. DOM tree is also shown for the contents of the editor so that it’s easy to compare with the left side to find out how the browser sanitized the HTML. The right side, on the other hand, contains a rich editor (or WYSIWYG editor) in which you can paste from the clipboard.Then, after clicking “Copy as HTML”, the exact HTML you entered is copied to clipboard. On the left, you can enter the HTML markup, and watch the DOM tree generated by the browser.I’ve created a simple website called “ Copy & Paste Playground” to simplify the process of looking for sanitization bugs in browsers. As a prevention method, they introduced content sanitization on pasting that is, removing elements and attributes that are considered harmful. Consider the following example:īrowser vendors are fully aware of this attack scenario. ![]() Interestingly, browsers expose API that lets you set arbitrary clipboard content from JavaScript code. This means that if you copy the following text: “hello there“, then the clipboard will contain HTML content: hello thereEven if browsers are safe from this type of bugs, JavaScript WYSIWYG editors can still introduce security issues.įinally, I believe that an attack scenario that includes copying and pasting between two browser tabs is more likely to be exploited than copying from an external application and pasting in the browser.
0 Comments
Leave a Reply. |