What is a Polyglot verses a JavaScript Polyglot??
- A polyglot is something or someone that is composed of elements from different languages.
- A JavaScript Polyglot is a Cross Site Scripting (XSS) vector that is executable within various injection contexts in its raw form, or a piece of code that can be executed in multiple contexts in the application. So, a JavaScript polyglot can be multiple things at once, like a JavaScript/JPEG
Why polyglot?
The biggest reason to use a polyglot is to bypass browsers Content Security Policy (CSP). "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks." (4)
The polyglot test XSS payload.
SO!! Below is an example of a polyglot BUT you'll notice that Dev.to modified it a bit as BOTH of these string I input the same. Cool right? They appear to be paying attention. =)
Kinda ugly string right? But as you can see there are HTML tags in it to try and cause some issues. Furthermore, the word Javascript is oddly cased to try and bypass the CSP. It clearly did't work.
jaVasCript:/--><svg/onload='+/"/+/onmouseover=1/+/[/[]/+alert(1)//'>
jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
This test will execute in multiple contexts including html, script string, js and url. (5)
How can you make a Javascript Polyglot?
- jaVasCript:: A label in ECMAScript; a URI scheme otherwise.
- /-/
/*\
/'/"/**/: A multi-line comment in ECMAScript; a literal-breaker sequence. - (/* */oNcliCk=alert() ): A tangled execution zone wrapped in invoking parenthesis!
- //%0D%0A%0d%0a//: A single-line comment in ECMAScript; a double-CRLF in HTTP response headers.
- : A sneaky HTML-tag-breaker sequence.
- \x3csVg/\x3e: An innocuous svg element.
Total length of a Polyglot is 144 characters. (2)
Image Polyglots and Javascript
Below is an example of a polyglot image. It looks like a normal image enough BUT the original metadata has been changed. Refer to the second image to see the specifics as to what they changed the image comment to. I honestly don't really understand it all but it's fascinating that it can be changed and used.
The code can be used to run the alert in the polyglot IF the image has been stored improperly. See the ways to prevent polyglots at the end to see about storage of images.
The code below is to execute the image as JavaScript
<script charset="ISO-8859-1" src="http://portswigger-labs.net/polyglot/jpeg/xss.jpg"></script>
Dangers of Polyglots
So, as far as my understanding, say you have a site that accepts pictures, like Instagram, and you allow users to upload pictures in general/JPEGs. If these uploads are on the same domain as your app and your CSP allows script from "self", you can bypass the CSP using a polyglot JPEG by injecting a script and pointing it to that image. (3)
Protecting against polyglots
Though not the easiest attack to set up polyglot attacks are still a relevant thing to protect against as many new developers are relying on the same dependencies on the backend and platforms to develop new apps. If one dependency becomes out of date or vulnerable then all the apps that use it are also vulnerable.
The best way to avoid a polyglot payload attack is::
- sanitizing and validate any user inputs
- avoid using the .innerHTML tag to get the information out of user inputs
- store any received images seperate from their path and meta data, like Amazon S3 bucket.
Resources
- https://www.merriam-webster.com/dictionary/polyglot
- https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot?source=post_page---------------------------
- https://portswigger.net/blog/bypassing-csp-using-polyglot-jpegs
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator_.28Polygot.29
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#polyglot-xss
Top comments (2)
Hey, that's a very interesting topic! Thanks for this great article.
I think an additional away to close this XSS gap is to use more strict http headers.
For example you can use "X-Content-Type-Options" to avoid a "Mime-Type Transform" and make it more strict.
developer.mozilla.org/en/docs/Web/...
//Edit
The combination with serviceworker could also be interesting. The Cache API could enable potential MimeType sniffing / ploygot here.
Thanks for the input Ricardo! Using more strict http headers is something that I am actually looking into later one. I've heard about some issues with URL parsing that sounds interesting too. I feel like I keep hearing about serviceworkers lately too and want to look into them more also.