
On a particular page in this application, we have a form which allows for a very select few to input data into it, because at the end of the day (and, well, event loop) we end up wrapping that input into an eval which we highly sanitize and whitelist. This character, however, seems to bypass everything, yet JavaScript seems to catch it with this error message:

17:05:49.226 illegal character U+200B

So after looking into it, that is obviously the infamous zero-width space character. Digging into it, it appears one of our users intentionally or accidentally added it to the input field. We are seeing it in a few different areas; can anyone help me understand what vector could be exploited, or what I should be looking for in regards to this? The resources I've found are here, but I can't seem to find anything directly relating to an exploit.

Ruby Talk VS Code Extension that helped track it down

You can clearly see it is inserted here:

Zero-width character showing in console

Any advice / help would be appreciated, thanks in advance.

  • "[W]e highly sanitize and whitelist...." Seemingly not at the character level, since this unwanted character is getting through. "You can clearly see it is inserted here..." It is amusing that you think we can "clearly see" a zero-width character. :) – hft Jan 29 '21 at 00:54
  • That being said... Do you have more information about what character you do need to allow through? Can you whitelist at the character level to only allow those characters? – hft Jan 29 '21 at 00:55
  • The error happens when you don't properly sanitize before executing untrusted code. So clearly your (unknown) sanitizing code is not sufficient. What can happen if you don't properly sanitize - depends on what exact problems your sanitizer has, i.e. is this really the only issue? And is the character passed through in all cases? We know nothing about the sanitizer. Also, I don't see any relationship to *steganography* and *ruby* in your question (apart from some link with unknown content behind it), so I've removed these tags. – Steffen Ullrich Jan 29 '21 at 06:45
  • `input.replace(/[^\ -\~]/g,"")` keeps you safe from anything too weird, you might want to black list a few specials after this filter... – dandavis Jan 29 '21 at 07:24
  • how well do you sanitize? `constructor.constructor("alert(666)")()` – dandavis Jan 29 '21 at 07:26
  • I will test these fine template injections you guys have so graciously provided and report back – ruevaughn Feb 01 '21 at 18:03
  • We did write our own black list. So basically this can lead to template injection by breaking out of the sandbox and causing odd behavior causing XSS and friends, right? – ruevaughn Feb 01 '21 at 18:04
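The thread above is about a blacklist that lets U+200B reach eval, where the parser happens to reject it. The following is an added example, not code from the question or the comments, showing the character-level allowlist approach that the comments suggest: it reports every code point outside printable ASCII (with its position, so the rejection can be logged) and refuses the input rather than repairing it. The caveat it illustrates is that the parser error in the question is luck, not a control: U+200B is neither whitespace nor an identifier character in JavaScript, so the engine throws, but U+200C and U+200D are legal inside identifiers and U+FEFF counts as whitespace, so those invisible characters would pass the parser silently. The function names and the `INVISIBLE` set are this example's own.

```javascript
// Added example (not from the original question or comments): a character-level
// allowlist check for input that is destined for eval. It assumes, as the regex
// in the comments does, that legitimate input is plain printable ASCII.

// Invisible format characters that a pattern-based blacklist tends to miss.
// Only U+200B makes the JavaScript parser throw; the others would be accepted.
const INVISIBLE = new Set([0x200b, 0x200c, 0x200d, 0x2060, 0xfeff]);

// Return every code point outside printable ASCII (space through tilde),
// together with its string index, so the rejection can be logged precisely.
function findDisallowed(input) {
  const hits = [];
  let index = 0;
  for (const ch of input) { // iterates code points, not UTF-16 code units
    const cp = ch.codePointAt(0);
    if (cp < 0x20 || cp > 0x7e) {
      hits.push({
        index,
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
        invisible: INVISIBLE.has(cp),
      });
    }
    index += ch.length; // astral code points occupy two UTF-16 units
  }
  return hits;
}

// Allowlist filter equivalent to the one proposed in the comments: strip
// everything outside printable ASCII instead of enumerating bad characters.
function stripDisallowed(input) {
  return input.replace(/[^ -~]/g, '');
}

// Reject-rather-than-repair policy: input meant for eval is refused outright
// when it contains any disallowed character, and the offending positions are
// returned for logging. Nothing here calls eval.
function validateForEval(input) {
  const hits = findDisallowed(input);
  return hits.length === 0 ? { ok: true, value: input } : { ok: false, hits };
}

// Constructed sample: the user-entered expression with a zero-width space
// after "a", i.e. the situation described in the question.
const sample = 'a\u200B + 1';
console.log(validateForEval(sample));
// -> { ok: false, hits: [ { index: 1, codePoint: 'U+200B', invisible: true } ] }
console.log(JSON.stringify(stripDisallowed(sample)));
// -> "a + 1"
```

Logging the `hits` array rather than only stripping the characters is what tells you whether the zero-width spaces are a copy-paste accident or a pattern that repeats across users and fields.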

0 Answers