XMLHttp.response source detection depends on sink

[TAI-ing]

I observe that taint flows with XMLHttp.response as source are not detected for each sink.
For example, if sink is document.write taint flow is not recognized.

On the following page, the taint flow XMLHttp.response => document.write is not recognized (XSS vulnerability was verified manually and taint flow is detected with innerHtml and eval as sinks)

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
</head>

<body>
    <h1>Reflected XSS via XMLHttpRequest.response</h1>
    <script>
        var payload = decodeURIComponent(location.hash.substring(1))

        // create a new XMLHttpRequest object
        var xhr = new XMLHttpRequest();
        // localhost URL to send the request to
        var url = payload;
        // open a GET request to the URL
        xhr.open('GET', url, true);
        // set the response type to text
        xhr.responseType = 'text';

        // define what happens on successful data submission
        xhr.onload = function () {
            if (xhr.status >= 200 && xhr.status < 300) {
                console.log('Request successful:', xhr.responseText);

                // taint flow not detected
                document.write(xhr.responseText);
                // taint flow detected
                // document.body.innerHTML = xhr.responseText;
                // taint flow detected
                // eval(xhr.responseText);
            } else {
                console.error('Request failed with status:', xhr.status);
            }
        };

        // send the request
        xhr.send();

    </script>
</body>

</html>

[tmbrbr]

Hi @TAI-ing, thanks for your interest in Foxhound!

This sounds a bit strange - can I ask which version of Foxhound you were using? We saw a couple of taint loss issues (#290) last week, most of which should be fixed in #291.

If you haven't done so already, can you re-check with the latest version main.

[TAI-ing]

I'm using the latest hosted binary with playwright (https://foxhound.ias.tu-bs.de/)
Seems to be outdated (d5957fe)
I will test the latest version as soon as it is available there.

[leeN]

I've triggered a rebuild for the tu-braunschweig.de hosted ones, so new binaries should be available in the next 2-3h.

[leeN]

Sorry, there was a distinct lack of WiFi on the train, will upload new builds tomorrow.

[leeN]

So, there is a build available matching the current HEAD of main here. Sorry for the delay, I fixed an issue where Playwright was updated beyond what's supported by the current Foxhound version in the template.

[TAI-ing]

Thank you @leeN
I have tested again with the latest version and can confirm that the observed behavior remains.

[leeN]

That's super interesting; thanks a lot! Do you have a simple PHP script for the backend page to simplify testing?

Because that looks like a clear bug and is surely not intended :/

[TAI-ing]

I'm using node.js server for testing. But to simply test this, I would recommend the following:

• create html file with provided code (e.g. pageToInvestigate.html ) and put in a test folder
• create remoteLoading file with text in that folder (e.g. remoteLoading.html):

<script>alert("remote loaded payload")</script>;

• host the folder using python:

cd ./path/to/testFolder
python3 -m http.server 8000

• investigate page using url:

http://localhost:8000/pageToInvestigate.html#http://localhost:8000/remoteLoading.html

[leeN]

Hey, I've added test cases to replicate the reported behavior in #298. The "server" is here and the taint propagation tests are here.

The test is slightly buggy because Mochitest does not correctly detect all sink invocations, but based on the terminal output, it should end up in the sink properly. Can you quickly review the test to see whether I'm missing something?

[TAI-ing]

Hey, test looks good to me. But I don't understand why document.writeln is commented out.

[leeN]

Ah, sorry, that was an oversight. Some sink name checks were not executed, and I suspect it was due to document.write() changing the execution context. This is fixed now on that branch.