[WEB SECURITY] Need some help with one XSS Vector

Jeff Williams planetlevel at gmail.com
Tue May 22 16:58:01 EDT 2012


What happens when you send </script>? Why doesn't it work? Is it escaped or validated? Can you bypass validation?

--Jeff



On May 21, 2012, at 1:49 PM, Spam Catcher <rrspam at hotmail.co.uk> wrote:

> You could try using http://www.w3schools.com/jsref/jsref_fromcharcode.asp
> 
> Then you should not need to include any ' in your string and the app will hopefully not add anything to break the JavaScript.
> 
> -----Original Message-----
> 
> From: Aaron Devaney
> Sent: 21 May 2012 16:14:12 GMT
> To: websecurity at lists.webappsec.org
> Subject: Re: [WEB SECURITY] Need some help with one XSS Vector
> 
> Hi,
> Have you tried using a slash before the single quote so that the escape
> is performed on the slash that is escaping the quote?
> 
> So in your example you could try        \' + document.cookie;//
> 
> Which then might give the following
> 
> <script type="text/javascript">alert('No Information is found for the
> card 1\\'+ document.cookie);//');</script>
> 
> I didn't test it but it looks like it might work depending on how the
> filter is working.
> 
> Regards
> Aaron
> 
> -----Original Message-----
> From: websecurity-bounces at lists.webappsec.org
> [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of
> websecurity-request at lists.webappsec.org
> Sent: 19 May 2012 04:15
> To: websecurity at lists.webappsec.org
> Subject: websecurity Digest, Vol 17, Issue 6
> 
> Send websecurity mailing list submissions to
>        websecurity at lists.webappsec.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> 
> or, via email, send a message with subject or body 'help' to
>        websecurity-request at lists.webappsec.org
> 
> You can reach the person managing the list at
>        websecurity-owner at lists.webappsec.org
> 
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of websecurity digest..."
> 
> 
> Today's Topics:
> 
>   1.  Need some help with one XSS Vector (Chintan Dave)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 18 May 2012 12:04:59 +0530
> From: Chintan Dave <davechintan at gmail.com>
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Need some help with one XSS Vector
> Message-ID:
> 
> <CAL9x60qFTJPzh7g1CehONBDm3oJWYrQ7vmzpTS5BBfcwMB_NHg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> I am running into one issue with XSS and was interested if there is any
> way I can bypass it.
> Following the response code where user supplied input is embedded. Input
> is taken via a text box.
> 
> <script type="text/javascript">alert('No Information is found for the card 1');</script>
> 
> User-supplied input 1 is highlighted in red. I am trying to break out
> of this alert box, however when a single quote is given as input, the
> output is escaped using a backslash. It is as follows:
> 
> Input:  1'
> Output: <script type="text/javascript">alert('No Information is found for the card 1\'');</script>
> 
> I am using IE 8 and tried using back ticks just to check if I can get
> around this limitation, however it did not work.
> Any suggestion on how to break out of this would be much helpful.
> 
> All characters except the single quote, <!-- and </script> are
> working.
> Using a
> 
> I tried the following vector to escape out:
> 
> Input:  1`);alert(1);(`');
> Output: <script type="text/javascript">alert('No Information is found for the card 1`);alert(1);(`');</script>
> 
> Appreciate your help and support in advance.
> 
> Thanks,
> 
> --
> Regards,
> Chintan Dave
> 
> ------------------------------
> 
> _______________________________________________
> websecurity mailing list
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> 
> 
> End of websecurity Digest, Vol 17, Issue 6
> ******************************************
> 
> _______________________________________________
> The Web Security Mailing List
> 
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> 
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> WASC on Twitter
> http://twitter.com/wascupdates
> 
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> 



