[WEB SECURITY] Need some help with one XSS Vector

MaXe owasp at intern0t.net
Sat May 19 03:07:52 EDT 2012


If backslashes aren't escaped properly (with a backslash), try this:
\');alert(/TestString/.source);//

This should result in:
<script type="text/javascript">alert('No Information is found for the card \\');alert(/TestString/.source);//');</script>

If there's two backslashes, the first one will nullify (escape) the second
one, meaning the apostrophe won't be escaped.


Best regards,
MaXe


On Fri, 18 May 2012 12:04:59 +0530, Chintan Dave <davechintan at gmail.com>
wrote:
> Hi,
> 
> I am running into one issue with XSS and was interested in whether there is
> any way I can bypass it.
> Following is the response code where user-supplied input is embedded. Input
> is taken via a text box.
> 
> <script type="text/javascript">alert('No Information is found for the card
> 1');</script>
> 
> User-supplied input 1 is highlighted in red. I am trying to break out of
> this alert box; however, when a single quote is given as input, the output
> is escaped using a backslash. It is as follows:
> 
> Input:  1'
> Output: <script type="text/javascript">alert('No Information is found for
> the card 1\'');</script>
> 
> I am using IE 8 and tried using back ticks just to check if I can get
> around this limitation; however, it did not work.
> Any suggestion on how to break out of this would be very helpful.
> 
> All characters except the single quote, <!-- and </script> are working.
> Using a
> 
> I tried the following vector to escape out:
> 
> Input:  1`);alert(1);(`');
> Output: <script type="text/javascript">alert('No Information is found for
> the card 1`);alert(1);(`');</script>
> 
> Appreciate your help and support in advance.
> 
> Thanks,
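Added example, not part of the original thread: the snippet below models the server-side behaviour Chintan describes (a single quote gets a backslash, a backslash does not) with a hypothetical `escapeQuoteOnly` function, feeds it the vector MaXe proposes, and executes the resulting inline script with a stubbed `alert()` to count how many calls fire. Beside it is a correct escaper for a single-quoted JS string literal that escapes the backslash before the quote, so the same vector stays inert. The template string and all function names are assumptions for illustration, not the original application's code.

```javascript
// Added example: backslash-escape bypass in a JS string literal, and the fix.
// Hypothetical reconstruction of the vulnerable page from the thread.

const TEMPLATE_PREFIX =
  "<script type=\"text/javascript\">alert('No Information is found for the card ";
const TEMPLATE_SUFFIX = "');</script>";

// The weak escaper described in the thread: only ' gets a backslash.
// A user-supplied backslash passes through, so "\'" becomes "\\'" and the
// second backslash is consumed as an escaped backslash, leaving ' live.
function escapeQuoteOnly(input) {
  return input.replace(/'/g, "\\'");
}

// A correct escaper for a single-quoted JS string literal. The backslash is
// escaped FIRST so a user-supplied backslash can never pair with the one we
// add for the quote. Line terminators and angle brackets are also escaped so
// the literal cannot be broken by a newline, U+2028/2029, </script> or <!--.
function escapeForJsSingleQuoted(input) {
  return input
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e");
}

// Builds the HTML response the way the hypothetical server does.
function buildResponse(input, escaper) {
  return TEMPLATE_PREFIX + escaper(input) + TEMPLATE_SUFFIX;
}

// Runs the inline script with a recording alert() stub (no DOM needed) and
// returns the list of alert messages, i.e. what the browser would pop up.
function runInlineScript(html) {
  const m = html.match(/<script[^>]*>([\s\S]*?)<\/script>/);
  if (!m) throw new Error("no script element found");
  const calls = [];
  const alertStub = (msg) => calls.push(String(msg));
  new Function("alert", m[1])(alertStub);
  return calls;
}

// MaXe's vector from the thread: \');alert(/TestString/.source);//
const PAYLOAD = "\\');alert(/TestString/.source);//";

function demo(escaper) {
  const html = buildResponse(PAYLOAD, escaper);
  return { html, alerts: runInlineScript(html) };
}

// Weak escaper: two alerts fire, the second one is the injected "TestString".
// Correct escaper: one alert fires and the payload is just part of its text.
console.log(demo(escapeQuoteOnly).alerts);
console.log(demo(escapeForJsSingleQuoted).alerts);
```

Run it with `node`. The check a practitioner wants is not whether the quote is escaped but whether the backslash is; any escaper that handles `'` without first handling `\` has this bypass, and the safest route for inline scripts is to avoid interpolating user data into script text at all (put it in a data attribute and read it with `textContent`, or serialise it with `JSON.stringify` and escape `<`).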
