[WEB SECURITY] Need some help with one XSS Vector

MaXe owasp at intern0t.net
Sun May 20 00:42:51 EDT 2012


No problem, it's a common misunderstanding (for developers) to only encode
quotes (") and apostrophes (') but not backslashes (\) :-)

But the good thing is, at least they're encoding quotes and hopefully
apostrophes too (where it's appropriate), compared to like 5 years ago when
almost no one was encoding anything.


Best regards,
MaXe

On Sat, 19 May 2012 13:12:28 +0530, Chintan Dave <davechintan at gmail.com>
wrote:
> Yes actually, we were able to bypass using the same technique.
> 
> We just injected an extra slash to nullify escaping & ended the payload
> with comment
> 
> Appreciate all your help.
> 
> Sorry for brevity, sent from my iPod,
> 
> Thanks,
> Chintan
> 
> On 19-May-2012, at 12:37 PM, MaXe <owasp at intern0t.net> wrote:
> 
>> If backslashes aren't escaped properly (with a backslash), try this:
>> \');alert(/TestString/.source);//
>> 
>> This should result in:
>> <script type="text/javascript">alert('No Information is found for the
>> card
>> \\');alert(/TestString/.source);//');</script>
>> 
>> If there's two backslashes, the first one will nullify (escape) the
>> second
>> one, meaning the apostrophe won't be escaped.
>> 
>> 
>> Best regards,
>> MaXe
>> 
>> 
>> On Fri, 18 May 2012 12:04:59 +0530, Chintan Dave <davechintan at gmail.com>
>> wrote:
>>> Hi,
>>> 
>>> I am running into one issue with XSS and was interested if there is any
>>> way I can bypass it.
>>> Following the response code where user supplied input is embedded. Input
>>> is taken via a text box.
>>> 
>>> <script type="text/javascript">alert('No Information is found for the
>>> card 1');</script>
>>> 
>>> User supplied input 1 is highlighted in red. I am trying to break out of
>>> this alert box, however when a single quote is given as input, the output
>>> is escaped using a backslash. It is as follows:
>>> 
>>> Input:     1'
>>> Output:    <script type="text/javascript">alert('No Information is found
>>> for the card 1\'');</script>
>>> 
>>> I am using IE 8 and tried using back ticks just to check if I can get
>>> around this limitation, however it did not work.
>>> Any suggestion on how to break out of this would be much helpful.
>>> 
>>> All characters except the single quote, <!-- and </script> are working.
>>> Using a
>>> 
>>> I tried the following vector to escape out:
>>> 
>>> Input:     1`);alert(1);(`');
>>> Output:    <script type="text/javascript">alert('No Information is found
>>> for the card 1`);alert(1);(`');</script>
>>> 
>>> Appreciate your help and support in advance.
>>> 
>>> Thanks,
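The two encoders below are an added example and not code from either poster. naiveEscape does what the server in this thread appears to do (a backslash before apostrophes, nothing else); jsStringEscape also escapes the backslash itself, plus the other characters that matter inside a JS string literal or a script element. afterStringLiteral walks the rendered script the way a JS lexer would, so inputStaysInLiteral reports which encoder keeps the user's input inside the string. The function names are mine; the alert() template and the two inputs are the ones quoted in the thread.

```javascript
// Added example for this thread; not code from either poster.
// TEMPLATE_PREFIX/SUFFIX reproduce the response shown in the thread.
const TEMPLATE_PREFIX =
  "<script type=\"text/javascript\">alert('No Information is found for the card ";
const TEMPLATE_SUFFIX = "');</script>";

// The encoder the thread implies: an apostrophe gets a backslash, nothing else.
function naiveEscape(userInput) {
  return userInput.replace(/'/g, "\\'");
}

// Output encoding for data placed inside a JS single-quoted string literal:
// the backslash itself, both quote characters, the characters that could
// close the <script> element or a line, and the JS line terminators are
// all emitted as \uXXXX escapes, which a JS lexer never reads as a
// delimiter and an HTML parser never reads as markup.
function jsStringEscape(userInput) {
  return userInput.replace(/[\\'"<>\/\r\n\u2028\u2029]/g, function (c) {
    return "\\u" + ("0000" + c.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Build the response body with a given encoder, like the server in the thread.
function render(escaper, userInput) {
  return TEMPLATE_PREFIX + escaper(userInput) + TEMPLATE_SUFFIX;
}

// Walk the rendered script from the opening apostrophe of alert()'s argument
// the way a JS lexer does: a backslash consumes the next character, an
// unescaped apostrophe terminates the literal. Returns the source that is
// left after the literal, or null if the literal never terminates.
function afterStringLiteral(js) {
  const marker = "alert('";
  let i = js.indexOf(marker) + marker.length;
  while (i < js.length) {
    if (js[i] === "\\") { i += 2; continue; }
    if (js[i] === "'") return js.slice(i + 1);
    i += 1;
  }
  return null;
}

// True when the only code after the literal is the template's own tail,
// i.e. the user input did not change the structure of the script.
function inputStaysInLiteral(escaper, userInput) {
  return afterStringLiteral(render(escaper, userInput)) === TEMPLATE_SUFFIX.slice(1);
}

// The hardened encoding must still carry the original value: JSON's string
// grammar accepts \uXXXX escapes, so decoding the encoded text recovers it.
function roundTrips(userInput) {
  return JSON.parse('"' + jsStringEscape(userInput) + '"') === userInput;
}

// Inputs quoted in the thread: the poster's first probe, and the one MaXe
// suggested that defeats an encoder which leaves backslashes alone.
const PROBE = "1'";
const BACKSLASH_PROBE = "\\');alert(/TestString/.source);//";

console.log(render(naiveEscape, BACKSLASH_PROBE));
console.log("naive, 1':", inputStaysInLiteral(naiveEscape, PROBE));
console.log("naive, \\':", inputStaysInLiteral(naiveEscape, BACKSLASH_PROBE));
console.log("hardened:", inputStaysInLiteral(jsStringEscape, BACKSLASH_PROBE));
```

Run it with node. Escaping to \uXXXX also sidesteps the ordering trap of a replace-chain encoder, where escaping the quote before the backslash lets a later step re-introduce a bare backslash; here every sensitive character becomes a fixed six-character sequence in a single pass.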
