[WEB SECURITY] XSS filter Bypass
Achim Hoffmann
websec10 at sic-sec.org
Wed May 30 15:22:37 EDT 2012
Hi Monica,
how do you know that %C0%80 will be UTF decoded?
It is fully valid URL-encoding and decodes to À if taken as Unicode.
Probably you mean some obfuscated encodings like:
%C0%BCscript
%C2%BCscript
which are accepted by some web servers (mainly old IIS) which still treat
them as 7-bit US-ASCII ignoring the high bit (to give attackers access ;-)
Cheers,
Achim
On 30.05.2012 10:23, Mon wrote:
> Hi,
>
> I'm no expert, but how about trying %C0%80 ('invalid 2 byte' UTF encoding
> for Null)? Does that make any difference?
>
> Br,
> --
> m0n
>
>
> On Thu, May 24, 2012 at 12:16 PM, Appsec User <pentestguy.cs at gmail.com> wrote:
>
>> Hi,
>>
>> I am probing for XSS in an application. Application has a filter which
>> triggers if I put anything after less than sign '<' except space, %
>> and >. So application accepts < character but only allows space, % and
>> > after it. So e.g. < script (note the space in between) is allowed but <script
>> will be rejected (no space). I have also tested various encodings:
>> <%00script is allowed but it puts a space between < and script and
>> browser does not treat it as mark up. I cannot probe for javascript
>> events as Payloads are reflecting in HTML context not in javascript
>> context. Any suggestions on how I can bypass this filter?
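Added example, not code from anyone in this thread: a small Python model of the mismatch Achim points at. The filter is modelled from the original question (a literal `<` may only be followed by a space, `%` or `>`), the "lenient" decoder that accepts overlong two-byte UTF-8 and the "7-bit" decoder that simply clears the high bit are my assumptions for illustration, and the payload strings are constructed. Run it to see which view of the same bytes a strict decoder, a sloppy decoder and a high-bit-stripping server each produce, and which payloads get past the filter model.

```python
"""Model of the percent-encoding / UTF-8 mismatch discussed in the thread.

Added example, not code from the original thread. The filter model, the
lenient decoder, the 7-bit decoder and the payloads are assumptions used
only to illustrate the point.
"""
from urllib.parse import unquote_to_bytes


def filter_allows(s: str) -> bool:
    """Model of the filter from the question: a literal '<' may only be
    followed by a space, '%', '>' or the end of the input."""
    for i, ch in enumerate(s):
        if ch == '<' and i + 1 < len(s) and s[i + 1] not in ' %>':
            return False
    return True


def strict_utf8(data: bytes):
    """Conforming decoder: overlong forms such as C0 BC or C0 80 are rejected."""
    try:
        return data.decode('utf-8')
    except UnicodeDecodeError:
        return None


def lenient_utf8(data: bytes) -> str:
    """Naive decoder (assumed model of a buggy one) that accepts overlong
    two-byte sequences: C0 BC -> '<', C0 80 -> NUL."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # no check that the code point really needed two bytes
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append('\ufffd')  # anything else: replacement character
            i += 1
    return ''.join(out)


def seven_bit(data: bytes) -> str:
    """Treat the bytes as 7-bit US-ASCII by discarding the high bit (assumed
    model of the old-server behaviour described in the message)."""
    return ''.join(chr(b & 0x7F) for b in data)


def decode_views(payload: str) -> dict:
    """Percent-decode once, then show how three different consumers see it."""
    raw = unquote_to_bytes(payload)
    return {
        'passes_filter': filter_allows(payload),
        'strict': strict_utf8(raw),
        'lenient': lenient_utf8(raw),
        'seven_bit': seven_bit(raw),
    }


if __name__ == '__main__':
    # constructed payloads: the two from the question and the three from the thread
    for p in ('<script', '< script', '%C0%BCscript', '%C2%BCscript', '%C0%80script'):
        print(repr(p), decode_views(p))
```

The point to take from the output: `%C0%BCscript` contains no literal `<`, so the filter model passes it, a strict decoder refuses the bytes outright, while the lenient decoder turns them into `<script`; `%C2%BCscript` is perfectly valid UTF-8 for `¼script` and only becomes `B<script` when a server throws the high bit away. Whether a real target does either is exactly the thing to verify, not assume.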