[WEB SECURITY] Need some help with one XSS Vector

Chintan Dave davechintan at gmail.com
Sat May 19 03:42:28 EDT 2012


Yes actually, we were able to bypass using the same technique.

We just injected an extra slash to nullify escaping & ended the payload with a comment.

Appreciate all your help.

Sorry for brevity, sent from my iPod,

Thanks,
Chintan

On 19-May-2012, at 12:37 PM, MaXe <owasp at intern0t.net> wrote:

> If backslashes aren't escaped properly (with a backslash), try this:
> \');alert(/TestString/.source);//
> 
> This should result in:
> <script type="text/javascript">alert('No Information is found for the card
> \\');alert(/TestString/.source);//');</script>
> 
> If there are two backslashes, the first one will nullify (escape) the second
> one, meaning the apostrophe won't be escaped.
> 
> 
> Best regards,
> MaXe
> 
> 
> On Fri, 18 May 2012 12:04:59 +0530, Chintan Dave <davechintan at gmail.com>
> wrote:
>> Hi,
>> 
>> I am running into one issue with XSS and was interested if there is any
>> way I can bypass it.
>> Following is the response code where user supplied input is embedded. Input
>> is taken via a text box.
>> 
>> <script type="text/javascript">alert('No Information is found for the
>> card 1');</script>
>> 
>> User supplied input 1 is highlighted in red. I am trying to break out
>> of this alert box, however when a single quote is given as input, the
>> output is escaped using a backslash. It is as follows:
>> 
>> Input:     1'
>> Output:    <script type="text/javascript">alert('No Information is found
>> for the card 1\'');</script>
>> 
>> I am using IE 8 and tried using back ticks just to check if I can get
>> around this limitation, however it did not work.
>> Any suggestion on how to break out of this would be very helpful.
>> 
>> All characters except the single quote, <!-- and </script> are
>> working.
>> Using a
>> 
>> I tried the following vector to escape out:
>> 
>> Input:     1`);alert(1);(`');
>> Output:    <script type="text/javascript">alert('No Information is found
>> for the card 1`);alert(1);(`');</script>
>> 
>> Appreciate your help and support in advance.
>> 
>> Thanks,
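The thread above shows why an escaper that only backslash-escapes the apostrophe fails when user input lands inside a JavaScript string literal: the escaper never escapes backslashes, so a backslash in the input eats the backslash the escaper adds. The following is an added example written for this page, not code from the list or from the site under test. It places the thread's naive escaper beside a hardened one that escapes backslash, both quotes, `<`, `>`, `/` and line terminators as `\uXXXX`, renders the same inline `alert(...)` the thread shows, and checks with a small string-literal scanner whether the rendered script still keeps the input inside the literal. The function names (`escapeQuoteOnly`, `escapeForJsString`, `buildScript`, `stillInsideStringLiteral`, `breaksOut`) are mine; the payload constant is the one quoted in the thread.

```javascript
// Added example (not from the mailing-list thread): naive vs. hardened
// escaping for user input embedded in a JavaScript string literal.

// Naive server-side escaper as described in the thread: only the apostrophe
// gets a backslash; backslashes already present in the input are untouched.
function escapeQuoteOnly(input) {
  return input.replace(/'/g, "\\'");
}

// Hardened escaper: every character that could end the string literal, close
// the <script> element or open an HTML comment is emitted as \uXXXX, which
// the JS lexer always reads as a single character inside the literal.
function escapeForJsString(input) {
  return input.replace(/[\\'"<>\/\r\n\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Renders the inline script body exactly as the thread shows it.
function buildScript(escaper, input) {
  return "alert('No Information is found for the card " + escaper(input) + "');";
}

// Scans the rendered JS the way the lexer does: inside a single-quoted
// literal a backslash consumes the next character, and an unescaped
// apostrophe closes the literal. Returns true when the literal closes
// exactly at the intended "');" so no injected code is left outside it.
function stillInsideStringLiteral(js) {
  const start = js.indexOf("'");
  let i = start + 1;
  while (i < js.length) {
    if (js[i] === "\\") { i += 2; continue; } // escape sequence, skip it
    if (js[i] === "'") break;                 // unescaped quote ends literal
    i++;
  }
  return js.slice(i) === "');";
}

// True when the escaper lets the input escape the string literal.
function breaksOut(escaper, input) {
  return !stillInsideStringLiteral(buildScript(escaper, input));
}

// Payload quoted in the thread: the leading backslash neutralises the
// backslash the naive escaper inserts before the apostrophe.
const THREAD_PAYLOAD = "\\');alert(/TestString/.source);//";

// Compares both escapers on the thread's inputs (constructed test data).
function compareEscapers() {
  const inputs = ["1'", THREAD_PAYLOAD, "</script><script>1</script>"];
  return inputs.map((input) => ({
    input,
    naiveBreaksOut: breaksOut(escapeQuoteOnly, input),
    hardenedBreaksOut: breaksOut(escapeForJsString, input),
  }));
}

for (const row of compareEscapers()) {
  console.log(JSON.stringify(row));
}
```

The scanner is only a check on the string-literal context; a real review would also make sure the rendered output cannot terminate the `<script>` element, which is why the hardened escaper encodes `<`, `>` and `/` as well. Escaping the apostrophe alone, as the thread's target does, leaves the backslash as an unescaped metacharacter, and that single omission is enough to lose the whole protection.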



