CTRL+C + CTRL+V = XSS
Quirks in how web browsers, rich-text editors and websites handle copy and paste can be abused to mount cross-site scripting (XSS) attacks and exfiltrate data, a security researcher has discovered.
Users put themselves at risk if they copy content from a malicious site to their clipboard and then paste it into a WYSIWYG editor on a legitimate website.
The researcher, Michał Bentkowski, who also discovered an XSS flaw in CKEditor this year, won bug bounties totaling more than $30,000 after unearthing four security issues in web browsers and five vulnerabilities in rich-text editors.
Building on ‘Copy and Pest’
Bentkowski, who is chief security researcher at Polish cybersecurity outfit Securitum, said his work built on 2015 research from Mario Heiderich, who showed how copying data from non-browser applications like LibreOffice or Microsoft Word and pasting it into browsers could lead to XSS.
Bentkowski noted that “every popular WYSIWYG editor handles the paste event by itself”, in order to remove dangerous elements, properly handle content from popular editors, and normalize pasted elements.
Bentkowski also demonstrated that “copying and pasting between two browser tabs is more likely to be exploited than copying from an external application and pasting in the browser.”
His research focused on formatted text, “since it is equivalent to HTML markup in the world of browsers”.
Sanitizer bypass bonanza
Bentkowski, who has created a ‘Copy & Paste Playground’ to allow bug hunters to explore the “enormous attack surface”, found at least one sanitizer bypass in the Chromium, Firefox, Safari, and Edge browsers.
A second Chromium bug allowed data to be leaked from the page via CSS, including session tokens or a user’s personal information. A video demonstrating the exploit within Gmail netted Bentkowski a $10,000 reward.
Two Firefox flaws, meanwhile, centered on the pasting of stylesheets from the clipboard.
In research published in February, Bentkowski had already shown that data can be leaked via CSS from a single injection point; in the new work he also showed how a mutation XSS in Firefox affected Aloha Editor, among other editors.
Visual editor zero-day
Bentkowski told The Daily Swig that a flaw in the Froala WYSIWYG HTML editor remains a zero-day vulnerability.
“Froala is guilty of carrying out extensive HTML processing using regular expressions and string processing”, he said in his post. This was cited as “another fine example that processing HTML as strings is almost always a bad idea.”
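To make the contrast concrete, here is an added illustration (not Bentkowski’s proof-of-concept code, nor the source of Froala, CKEditor or any other editor): a regex-based script-tag stripper of the string-processing kind the article warns about, beside a paste handler of the sort every WYSIWYG editor installs, one that hands the clipboard’s text/html flavour to the browser’s own parser, prunes the resulting inert DOM tree against an allowlist, and inserts nodes rather than markup. The function names, the allowlist, the [contenteditable] selector and the two sample payloads are all assumptions made for this example.

```javascript
// Illustrative code added for this article. It is not Bentkowski's PoC code
// and not the source of Froala, CKEditor or any other editor; the names, the
// allowlist and the sample payloads are assumptions made for the example.

// 1) HTML-as-string filtering: a regex that removes <script> open/close tags.
function stripScriptTagsWithRegex(html) {
  return html.replace(/<\/?script[^>]*>/gi, "");
}

// Constructed sample payloads.
// Nested tags: removing the inner tag reassembles the outer one around it.
const NESTED_SCRIPT = "<scr<script>ipt>alert(1)</scr</script>ipt>";
// Attribute-based vector: contains no <script> tag, so the regex never fires.
const IMG_ONERROR = '<img src="x" onerror="alert(1)">';

// 2) DOM-based allowlist. Anything not listed is dropped or unwrapped.
const ALLOWED_TAGS = new Set(["P", "BR", "B", "I", "EM", "STRONG", "UL", "OL", "LI", "A"]);
// Elements whose content must not survive even as text.
const DROP_WITH_CONTENT = new Set(["SCRIPT", "STYLE", "IFRAME", "OBJECT", "EMBED", "TEMPLATE"]);

// href on <a> is the only attribute kept, and only with an explicit http(s)
// scheme. ASCII whitespace and control characters are stripped before the
// check because browsers ignore them in URLs ("java\tscript:" runs as javascript:).
function allowedAttribute(tagName, attrName, value) {
  if (tagName.toUpperCase() !== "A" || attrName.toLowerCase() !== "href") return false;
  const normalized = value.replace(/[\u0000-\u0020]/g, "");
  return /^https?:\/\//i.test(normalized);
}

// Prune a parsed tree in place. Reversed document order processes descendants
// before their ancestors, so unwrapping a node never revisits its children.
function pruneToAllowlist(root) {
  for (const el of Array.from(root.querySelectorAll("*")).reverse()) {
    const tag = el.tagName.toUpperCase();
    if (DROP_WITH_CONTENT.has(tag)) { el.remove(); continue; }
    if (!ALLOWED_TAGS.has(tag)) { el.replaceWith(...el.childNodes); continue; } // keep text, lose the element
    for (const attr of Array.from(el.attributes)) {
      if (!allowedAttribute(tag, attr.name, attr.value)) el.removeAttribute(attr.name);
    }
  }
  return root;
}

// 3) Paste handler: take the rich-text flavour, let the browser parse it into a
//    detached document (no script executes, nothing loads), prune, then insert
//    nodes rather than a string. Insertion is at the end of the editor here;
//    a real editor would insert at the current selection.
function handlePaste(event, editor) {
  const html = event.clipboardData.getData("text/html");
  if (!html) return; // plain-text paste: leave the browser's default behaviour
  event.preventDefault();
  const doc = new DOMParser().parseFromString(html, "text/html");
  editor.append(...pruneToAllowlist(doc.body).childNodes);
}

// Browser wiring; skipped when run outside a page (e.g. under Node).
if (typeof document !== "undefined") {
  const editor = document.querySelector("[contenteditable]");
  if (editor) editor.addEventListener("paste", (e) => handlePaste(e, editor));
}
```

The regex version shows the two classic failure modes of string processing: nested tags reassemble into a valid `<script>` once the inner match is removed, and attribute-based vectors such as `onerror` never contain a script tag at all. Parsing with DOMParser lets the allowlist reason about elements and attributes rather than character sequences, but it only covers the editor’s side of the problem: the browser’s own clipboard sanitization that runs before this step is the part the article describes as inconsistent, and if the editor later serializes the pruned tree back to a string and re-parses it, the mutation-XSS caveat discussed below applies.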
Bentkowski has created a Closure playground for a flaw in Google’s Closure Library sanitizer that affects Gmail users, but is exploitable only in conjunction with a browser bug.
An exploit against Google Docs used a non-HTML content type and could be mounted via DOM clobbering as well as XSS.
Another, unnamed application was also vulnerable to the flaw, which reflects the fact that “certain editors let the browsers do the initial sanitization and then perform some operations on pre-sanitized content.”
Developers of CKEditor, meanwhile, fixed a vulnerability Bentkowski found in CKEditor 4.
“I have shown that pasting content from clipboard appears to be an underestimated attack vector,” Bentkowski said in his research post.
Describing the “specification of Clipboard APIs” as “extremely vague on sanitizing content on pasting”, he urged browser vendors to develop specific sanitization rules that “are safe and consistent” across all browsers.
He told The Daily Swig: “I expect more attacks in the coming months. I hope that my research will raise awareness and make more people report bugs in WYSIWYG editors because my impression is that they’re not well protected against these types of attacks in general.”