Payload Control Through Conditional Comments.

You probably noticed that in my last posts I went on writing about simple attack vectors and HTML features which aren't discussed very much. While it isn't high-tech material, it can be useful in any attackers toolbox for the reason that it can help in certain attacks that would not be possible otherwise. From experience, I learned that in any field you'll have to have a sense of improvisation. Forget theory, and improvise on the task at hand. One thing that caught my eye, are conditional comments that are designed for Microsoft IE[1]. Honestly, I never heard of them until today when I saw them in the source code of a website that was trying to differentiate MSIE versions for style sheets. Hm, kinda handy. So can we utilize this? yes we can. It's useful to know about conditional comments, for three reasons:

i. Conditional comments are special comments that can return the browser version.
ii. Unlike normal comments, conditional comments allow for Javascript.
iii. Conditional comments are only parsed by MSIE.

As you can see, this allows room for many ideas. One is using the conditional comments as payload vectors, and use them to bypass anti-xss filters. Another option is to utilize them for very effective payload determination, when one is dealing with vulnerabilities that only work on a specific version of MSIE. As you can see, this can be accomplished without Javascript. Since MSIE is the most attacked and abused browser when it comes down to hacking browsers, it can be critical for attackers to spread as many exploits as possible for as many different versions of MISE without breaking their own code. Conditional comments allow for this in a very reliable way.

Below an example of spreading payload inside a conditional comment:

<!--[if IE]>

<script>alert('IE ALL');</script>

<![endif]-->

<!--[if IE 5]>

<script>alert('5');</script>

<![endif]-->

<!--[if IE 5.0]>

A<script>alert('5.0');</script>

<![endif]-->

<!--[if gte IE 5]>

<script>alert('>= 5');</script>

<![endif]-->

<!--[if lte IE 5.5]>

<script>alert('<= 5.5');</script>

<![endif]-->

<!--[if IE 5.5]>

<script>alert('5.5');</script>

<![endif]-->

<!--[if IE 6]>

<script>alert('6');</script>

<![endif]-->

<!--[if lt IE 6]>

<script>alert('< 6');</script>

<![endif]-->

<!--[if gt IE 6]>

<script>alert('> 6');</script>

<![endif]-->

<!--[if IE 7]>

<script>alert('7');</script>

<![endif]-->

Operator table.

IE	[if IE] The only currently supported feature is the string "IE", corresponding to Internet Explorer.

value	[if IE 7]	An integer or floating point numeral corresponding to the version of the browser. Returns a Boolean value of true if the version number matches the browser version. For more information, see Version Vectors. 

!	[if !IE]	The NOT operator. This is placed immediately in front of the feature, operator, or subexpression to reverse the Boolean meaning of the expression.

lt	[if lt IE 5.5]	The less-than operator. Returns true if the first argument is less than the second argument.

lte	[if lte IE 6]	The less-than or equal operator. Returns true if the first argument is less than or equal to the second argument.

gt	[if gt IE 5]	The greater-than operator. Returns true if the first argument is greater than the second argument.

gte	[if gte IE 7]	The greater-than or equal operator. Returns true if the first argument is greater than or equal to the second argument.

( )	[if !(IE 7)]	Subexpression operators. Used in conjunction with boolean operators to create more complex expressions. 

&	[if (gt IE 5)&(lt IE 7)]	The AND operator. Returns true if all subexpressions evaluate to true

|	[if (IE 6)|(IE 7)]	The OR operator. Returns true if any of the subexpressions evaluates to true.

true	[if true]	Always evaluates to true.

false	[if false]	Always evaluates to false.

[1] http://msdn.microsoft.com/en-us/library/ms537512(VS.85).aspx
source: OWASP News