ush.it - a beautiful place

XSS Cheat Sheet: the PLAINTEXT tag

June 10, 2007 at 10:21 pm - Filed under Hacks, Language EN - 775 words, reading time ~2 minutes

When performing XSS attacks it often happens that the payload is displayed, and executed, multiple times, resulting in unwanted and unexpected behaviour. This can be avoided in many ways, for example by setting a global variable in JS (e.g. window['started'] = true;) and checking for its existence at the very beginning of the payload, but when the filters are crazy and every char requires a notable effort (or when you are just in a hurry) one cheat gets the job done: the <PLAINTEXT> tag.

PLAINTEXT displays the rest of the document as-is and in modern browsers can be referred to as The Unstoppable Monster: since there is no </PLAINTEXT>, the tag is irreversible and shows the remaining HTML source, with the last rendering settings, in a monospaced font.

This is an obsolete tag that has been replaced by the PRE tag. Its behavior can be very odd on some browsers, including recent browser versions (some browsers do not recognize the closing tag, thus everything after the opening <PLAINTEXT> is rendered as plain text, including the closing BODY and HTML tags). [http://www.mountaindragon.com/html/plaintxt.htm]

This is an obsolete HTML element: <plaintext>
It was used to indicate the end of the html part of a document. It has been replaced by
The HTML 3.2 standard suggests, probably incorrectly, that this is equivalent to <pre>.

This means that on browsers equal to or later than IE4, NN3 or OP2 (99.9% of the browsers used today) the PLAINTEXT HTML tag can't be closed. On earlier browser versions (IE3 for example) the closing tag is honored. AFAIK there is no major browser that doesn't support the opening tag, even in its earliest versions.

Combined with setting the font color equal to the current background color, it can be used to neuter any HTML directive, including JavaScript, that a nosy hosting service may append to your page. Deprecated since HTML 2.0 but still functional in most browsers!

Extending this concept, and with a little CSS, you can escape and hide ALL the page contents below the first PLAINTEXT tag (e.g. placed at the end of the payload) by setting the CSS display property to none (display:none;), as shown by the testbed below:

ascii@asciinb ~ $ cat test.html
PAYLOAD<plaintext style="display:none;"></plaintext>

We close the tag so XHTML validation still succeeds :) but recent
browsers will ignore it. If in doubt, remove the closing tag.

PAYLOAD<plaintext style="display:none;">

Original page contents after the first XSS injection.
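The behaviour the testbed relies on is, in current browsers, part of the HTML standard's tokenizer: a plaintext start tag switches the tokenizer into a PLAINTEXT state from which there is no exit, so a later </plaintext> is emitted as ordinary character data rather than as an end tag. The JavaScript below is an added example written for this page, not code from the original post or from any browser engine; it models that state with a deliberately simplified tag and attribute parser (the names tokenize, contentAfterPlaintext, opensUnclosableTag and escapeHtml, and the TESTBED input, are this example's own) and shows the defensive counterpart: output-encoding the user-controlled text leaves no tag for the state switch to fire on.

```javascript
// Added example (not from the original post): a minimal model of how an
// HTML-standard tokenizer treats <plaintext>. After the start tag the
// tokenizer is in the PLAINTEXT state: every remaining character, including
// a would-be </plaintext>, is text until end of input. Tag and attribute
// parsing is simplified (no comments, doctypes, entities or script/style
// handling); only the plaintext switch is modelled faithfully.

const START_TAG = /^<([a-zA-Z][^\s/>]*)([^>]*)>/;
const END_TAG = /^<\/([a-zA-Z][^\s>]*)\s*>/;
const ATTR = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    if (name === '/') continue; // stray self-closing slash, not an attribute
    attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns an array of {type:'text'|'startTag'|'endTag', ...} tokens.
function tokenize(html) {
  const tokens = [];
  let pos = 0;
  let text = '';
  const flush = () => {
    if (text) { tokens.push({ type: 'text', data: text }); text = ''; }
  };

  while (pos < html.length) {
    if (html[pos] !== '<') { text += html[pos++]; continue; }
    const rest = html.slice(pos);
    let m;
    if ((m = START_TAG.exec(rest))) {
      flush();
      const name = m[1].toLowerCase();
      tokens.push({ type: 'startTag', name, attrs: parseAttributes(m[2]) });
      pos += m[0].length;
      if (name === 'plaintext') {
        // PLAINTEXT state: tag parsing stops for good; the rest is one text run.
        if (pos < html.length) tokens.push({ type: 'text', data: html.slice(pos) });
        break;
      }
    } else if ((m = END_TAG.exec(rest))) {
      flush();
      tokens.push({ type: 'endTag', name: m[1].toLowerCase() });
      pos += m[0].length;
    } else {
      text += html[pos++]; // a lone '<' that opens no tag is just text
    }
  }
  flush();
  return tokens;
}

// The source a browser would show verbatim (or keep hidden, with
// display:none) after the first <plaintext>; null if the tag never opens.
function contentAfterPlaintext(html) {
  const tokens = tokenize(html);
  const i = tokens.findIndex(t => t.type === 'startTag' && t.name === 'plaintext');
  if (i === -1) return null;
  return tokens.slice(i + 1).map(t => t.data).join('');
}

// Sanitizer-side check: does an untrusted fragment open the one tag that a
// modern browser cannot close? Stripping or appending tags later cannot undo it.
function opensUnclosableTag(fragment) {
  return tokenize(fragment).some(t => t.type === 'startTag' && t.name === 'plaintext');
}

// Output-encoding defence: with '<' encoded, no tag can open at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed input: the post's testbed in front of a page fragment.
const TESTBED =
  'PAYLOAD<plaintext style="display:none;"></plaintext>\n<p>Original page contents</p>';

console.log(JSON.stringify(tokenize(TESTBED), null, 1));
console.log('hidden by the tag:', JSON.stringify(contentAfterPlaintext(TESTBED)));
console.log('raw fragment flagged:', opensUnclosableTag(TESTBED));
console.log('encoded fragment flagged:', opensUnclosableTag(escapeHtml(TESTBED)));
```

Run with node. The token stream for the testbed is three tokens: the text PAYLOAD, the plaintext start tag with its style attribute, and one text token holding the closing tag, the newline and the whole original page. For a defender the relevant functions are the last two: an allow-list sanitizer already rejects plaintext because it is not on the list, but any filter that works by removing or closing tags after the fact cannot reverse this one, so encoding untrusted text at output time is the reliable fix.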

Browser compatibility notes:

IE3, MOS3 interpret it as a container tag that switches off the interpretation of HTML markup until a </plaintext> tag is encountered. ARA, NN3 and OP2 interpret it as equivalent to meaning that from the tag to the end of the document, do not interpret HTML markup at all. [http://www.scit.wlv.ac.uk/encyc/plaintext.html]

Technical information:

W3C HTML Compatibility:

HTML 2.0: Obsolete
HTML 3.0/3.2: Deprecated
HTML 4.0: Not listed
XHTML: Not listed

Support: IE, FF, MOS, ARA, NN, MOZ, OP.

CSS 'display' Type: "block"
Default Rendering: Fixed-width font, further tag parsing halted

DTD Note: This element is listed as an "Obsolete Element" in the HTML 2.0 DTD. It is still listed under "Deprecated Elements" in the expired HTML 3.0 draft and HTML 3.2 recommendation and is still understood by some browsers.

There is little reason why this element should ever be used.

Use at your own risk. Because the support and syntax are so erratic between browsers, consistent behavior can never be guaranteed.

All Opera versions, and Netscape up to version 6.0 support the original PLAINTEXT specification which did not accept a closing tag.

Internet Explorer up to version 3, Netscape 6.1+ and all Mosaic versions provide for a closing tag. A closing tag would allow placement in regions other than the end of an HTML document.

Internet Explorer 4.0x (IE4)/4.01 (SP2) does not close the <PLAINTEXT> container like Internet Explorer 3.0x does.

Reference:

http://support.microsoft.com/kb/182733
http://www.blooberry.com/indexdot/html/tagpages/p/plaintext.htm
http://everything2.com/index.pl?node=plaintext
http://www.intertwingly.net/blog/2006/03/28/plaintext
http://www.tbray.org/ongoing/When/200x/2006/03/28/Sam-Destroys-the-Internet
