@tacomanator
Created July 17, 2012 05:00
Firefox 3D view helps spot application vulnerabilities


A colleague and I were checking out the 3D view now built into Firefox. What a nifty way to visualize the page structure! Well, it turns out it also helped us discover a vulnerability in our web app. In particular, a bit of untrusted user input that we forgot to encode before outputting. Read on to find out how.

Why this is important

Care must be taken to encode all untrusted input before displaying it back to the user. Attackers can take advantage of unencoded output to embed malicious tags and run arbitrary scripts on another user's computer. While this is less of a risk when data is not shared among multiple users, one should still carefully encode output.

How 3D view helps

In 3D view, the typical 2D representation of the page is rendered into a 3D element sandwich, with elements stacked based on their arrangement in the DOM. Ever played Mahjong Solitaire? It looks a little like that.

Anyway, we tested 3D view on a page with a few data grids. It just so happens that one of the grids didn't encode one column with user inputted data. This wasn't obvious at all in 2D mode because we were not specifically checking for it. In 3D view, however, we noticed that one particular item in this grid looked different than the others. It stuck out like a sore thumb because the stack under this cell was one level higher than the surrounding cells.

Consider the following table:

<table style="border-collapse:collapse">
<tr>
	<td>user data</td>
	<td>user data</td>
	<td>user data</td>
	<td>user data</td>
	<td>user data</td>
</tr>
<tr>
	<td>user data</td>
	<td><malicious>user data</malicious></td>
	<td>user data</td>
	<td>user data</td>
	<td>user data</td>
</tr>
<tr>
	<td>user data</td>
	<td>user data</td>
	<td>user data</td>
	<td>user data</td>
	<td>user data</td>
</tr>
</table>

The <malicious> tag embedded within will be interpreted by the browser, but won't be visible to the user because it typically has no meaning in HTML. You can see this in the following fiddle:

http://jsfiddle.net/tacomanator/xyC2D/2/

Now, in the latest Firefox:

  • Open the fiddle
  • Open the inspector (e.g. right click on the page and click Inspect Element)
  • Turn on the 3D view (bottom right corner)

The difference should be obvious:

We quickly patched the cell that was missed and checked on the page for others. Thus, 3D view helped us discover an XSS vulnerability in our app. Obviously this is not a substitute for explicitly testing for such vulnerabilities. However, it does make me happy that we have another tool to increase the odds of finding a potential problem such as this.
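What 3D view showed by eye, a cell whose element stack is deeper than its neighbours, can also be checked mechanically. The following is an added example, not part of the original gist or the app it describes: it renders the table above with and without output encoding and reports the cells that contain elements. The names `CellDepthParser`, `render_grid` and `cells_with_markup` are hypothetical, and it assumes grid cells are meant to hold plain text only.

```python
from html import escape
from html.parser import HTMLParser

class CellDepthParser(HTMLParser):
    """For each <td>, record how many element levels are nested inside it."""
    def __init__(self):
        super().__init__()
        self.cells = []    # deepest nesting seen in each <td>, in document order
        self.depth = None  # nesting level inside the open <td>; None outside a cell

    def handle_starttag(self, tag, attrs):
        if self.depth is None:
            if tag == "td":
                self.depth = 0
                self.cells.append(0)
        else:
            # Any element inside a cell raises the stack, as in 3D view.
            self.depth += 1
            self.cells[-1] = max(self.cells[-1], self.depth)

    def handle_endtag(self, tag):
        if self.depth is None:
            return
        if tag == "td" and self.depth == 0:
            self.depth = None  # cell closed
        elif self.depth > 0:
            self.depth -= 1

def render_grid(rows, encode=True):
    """Render the grid; encode=False reproduces the column that was missed."""
    lines = ['<table style="border-collapse:collapse">']
    for row in rows:
        cells = [escape(v) if encode else v for v in row]
        lines.append("<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>")
    lines.append("</table>")
    return "\n".join(lines)

def cells_with_markup(html):
    """Return indexes of cells that contain elements instead of plain text."""
    parser = CellDepthParser()
    parser.feed(html)
    parser.close()
    return [i for i, depth in enumerate(parser.cells) if depth > 0]

# Constructed sample mirroring the table above: one value carries a tag.
ROWS = [["user data"] * 5 for _ in range(3)]
ROWS[1][1] = "<malicious>user data</malicious>"

print(cells_with_markup(render_grid(ROWS, encode=False)))  # unencoded grid
print(cells_with_markup(render_grid(ROWS, encode=True)))   # encoded grid
```

With encoding on, the tag reaches the browser as `&lt;malicious&gt;` text, so no cell is deeper than its neighbours.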

@LouCypher

Nice snippet article. I wonder why you didn't write it on your blog or somewhere? ┐(・_・?)

@tacomanator
Author

Thanks. I don't have a blog with the same target audience as this article was written for, so I thought why not put it here. Also linked to HN: http://news.ycombinator.com/item?id=4255664
