---
layout: post
status: publish
published: true
title: Firefox nested comment fragmented XSS
wordpress_id: 273
wordpress_url: http://pro.grammatic.org/post-firefox-nested-comment-fragmented-xss-26.aspx
date: !binary |-
  MjAwNy0wNi0xMyAxMzoyOTo1MyArMDIwMA==
date_gmt: !binary |-
  MjAwNy0wNi0xMyAxMzoyOTo1MyArMDIwMA==
categories:
- Technology
- InfoSec
tags:
- information security
- XSS
comments: []
---

Following on from a post on sla.ckers, it emerges that Firefox has a comment-parsing bug that is very difficult to filter against and allows a fragmented XSS attack.

This is best illustrated by the following example:

{% highlight html %}
<!-- [injection point 1] --><a href="[injection point 2]">test link</a>
{% endhighlight %}

The XSS requires two injection points. Injection point 1 must be inside an HTML comment, whilst injection point 2 is inside a double-quoted attribute. Here is the above markup with the injection points replaced to illustrate this:

{% highlight html %}
<!-- -- --><a href="-->[content now written directly into the document]">test link</a>
{% endhighlight %}

If the first injection point is given as "--" (no quotes) then a nested comment is begun: the extra "--" opens a second comment section inside the same declaration, so the template's own "-->" no longer closes it and the following `<a href="` is swallowed by the comment. Injection point 2 should then contain --> or --ANYTHING> (which Firefox renders as a valid comment closing tag) to close the comment. At this point the rest of the input is written directly into the document rather than inside the attribute, and all without using the " character, which is likely to be filtered.
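To make the parsing behaviour concrete and to show the checks a defender would apply, here is an added Python model (not from the original post) that emulates the lenient comment handling described above and tests which input treatments stop the attribute content from landing in the document. The template, the `[injected]` marker and the function names are assumptions.

```python
import html
import re

# Constructed page template: injection point 1 sits inside an HTML comment,
# injection point 2 inside a double-quoted attribute (an assumed layout).
TEMPLATE = '<!-- {p1} --><a href="{p2}">test link</a>'

def legacy_comment_strip(doc):
    """Emulate the lenient SGML-style comment parsing the post describes:
    after '<!--', each '--' toggles comment text on/off, and once it is off
    any run of characters up to the next '>' ends the declaration (so both
    '-->' and '--ANYTHING>' close it). Returns what the browser would keep
    as document content. Simplified model, not a full parser."""
    out, i, n = [], 0, len(doc)
    while i < n:
        if doc.startswith("<!--", i):
            i, in_text = i + 4, True
            while i < n:
                if doc.startswith("--", i):
                    in_text, i = not in_text, i + 2
                elif not in_text and doc[i] == ">":
                    i += 1
                    break
                else:
                    i += 1
        else:
            out.append(doc[i])
            i += 1
    return "".join(out)

# Tag pattern that respects quoted attribute values, so a '>' inside a
# double-quoted attribute does not end the tag.
TAG_RE = re.compile(r"""<(?:[^>"']|"[^"]*"|'[^']*')*>""")

def text_nodes(doc):
    return TAG_RE.sub("", doc)

def leaks_to_document(p1, p2, marker):
    """True if, after the legacy comment handling, the marker placed in the
    attribute ends up in document text instead of inside the attribute."""
    return marker in text_nodes(legacy_comment_strip(TEMPLATE.format(p1=p1, p2=p2)))

def neutralise_comment_value(s):
    """Mitigation for injection point 1: a value written into a comment must
    never contain '--' or '>', so break every '--' pair and escape '>'."""
    return re.sub(r"-(?=-)", "- ", s).replace(">", "&gt;")

def escape_attribute_value(s):
    """Mitigation for injection point 2: full attribute escaping, which also
    neutralises '>', rather than only stripping the '"' character."""
    return html.escape(s, quote=True)
```

Either mitigation alone blocks the leak in this model; stripping only `"` from the attribute does not.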

Thanks to tx and thornmaker at sla.ckers for work on this!