[WEB SECURITY] XSS filter Bypass

Daniel Herrera daherrera101 at yahoo.com
Wed May 30 17:01:43 EDT 2012


I believe there are many character representations we could provide as additional examples to test, but ultimately without more data from the individual asking the question we are limited in the amount of insight we can provide.

Filter bypass has a wide spectrum of techniques, many targeting default behavior for specific versions of client-side and server-side software.

I don't believe reciting them all on this thread would be as beneficial as targeted advice based on the observations made by the tester.

My 2 cents.


D

--- On Wed, 5/30/12, Achim Hoffmann <websec10 at sic-sec.org> wrote:

> From: Achim Hoffmann <websec10 at sic-sec.org>
> Subject: Re: [WEB SECURITY] XSS filter Bypass
> To: "Mon" <mon.ver85 at gmail.com>
> Cc: websecurity at lists.webappsec.org
> Date: Wednesday, May 30, 2012, 12:22 PM
> Hi Monica,
> 
> how do you know that %C0%80 will be UTF decoded?
> It is fully valid URL-encoding and decodes to À if taken as
> Unicode.
> 
> Probably you mean some obfuscated encodings like:
>   %C0%BCscript
>   %C2%BCscript
> 
> which are accepted by some web servers (mainly old IIS)
> which still treat
> them as 7-bit US-ASCII ignoring the high bit (to give
> attackers access ;-)
> 
> Cheers,
> Achim
> 
> Am 30.05.2012 10:23, schrieb Mon:
> > Hi,
> > 
> > I'm no expert, but how about trying %C0%80 ('invalid 2
> byte' UTF encoding
> > for Null)? Does that make any difference?
> > 
> > Br,
> > --
> > m0n
> > 
> > 
> > On Thu, May 24, 2012 at 12:16 PM, Appsec User <pentestguy.cs at gmail.com> wrote:
> > 
> >> Hi,
> >>
> >> I am probing for XSS in an application. Application
> has a filter which
> >> triggers if I put anything after less than sign
> '<' except space, %
> >> and >. So application accepts < character but
> only allows space, % and
> >>> after it. So e.g < script(note space in b/w)
> is allowed but <script
> >> will be rejected(no space). I have tested for
> various encoding also
> >> <%00script is allowed but it puts space between
> < and script and
> >> browser does not treat it as mark up. I cannot
> probe for javascript
> >> events as Payloads are reflecting in HTML context
> not in javascript
> >> context. Any suggestions how can I bypass this
> filter.
> 
> _______________________________________________
> The Web Security Mailing List
> 
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> 
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> WASC on Twitter
> http://twitter.com/wascupdates
> 
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> 
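The thread above turns on one point a defender should take away: a filter that inspects a different view of the input than the component that finally interprets it can be bypassed by encodings the two views disagree on. The following is an added example, not code from the list thread or from any of its participants. It models three things discussed there: a lenient decoder that accepts overlong two-byte UTF-8 sequences such as `%C0%BC` (a constructed model of the legacy-server behaviour Achim mentions, not real server code), the literal-`<` filter the original poster describes, and the defender-side fix: decode strictly, reject input that is not well-formed UTF-8, and escape for the HTML output context rather than enumerating dangerous characters. Function names (`lenient_utf8_decode`, `strict_utf8_decode`, `naive_filter_blocks`, `analyse`, `hardened_render`) are the example's own.

```python
"""Canonicalize before filtering: why %C0%BC can slip past a literal '<' filter.

Added example, not from the mailing-list thread. The lenient decoder below is a
constructed model of non-conformant behaviour; Python's own UTF-8 codec is used
as the conformant (strict) reference.
"""
import html
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(raw: bytes) -> str:
    """Constructed model of a non-conformant decoder.

    Accepts any 0xC0-0xDF lead byte followed by a continuation byte, so the
    overlong form 0xC0 0xBC yields U+003C '<'. Longer sequences are reduced to
    U+FFFD here because they are irrelevant to the point being made.
    """
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # Two-byte form 110xxxxx 10yyyyyy -> xxxxxyyyyyy, with NO check that
            # the value actually needed two bytes (the overlong-encoding bug).
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def strict_utf8_decode(raw: bytes):
    """Conformant decoding: overlong and truncated sequences are rejected (None)."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def naive_filter_blocks(text: str) -> bool:
    """The filter the original poster describes: block when a literal '<' is
    followed by anything other than space, '%' or '>'."""
    for i, ch in enumerate(text):
        if ch == "<" and i + 1 < len(text) and text[i + 1] not in " %>":
            return True
    return False


def analyse(percent_encoded: str) -> dict:
    """Show what each stage sees for one percent-encoded parameter value."""
    raw = unquote_to_bytes(percent_encoded)
    latin1_view = raw.decode("latin-1")   # one plausible single-byte view of the input
    return {
        "raw_bytes": raw,
        # The filter applied to the still-encoded string sees no '<' at all.
        "blocked_on_encoded_input": naive_filter_blocks(percent_encoded),
        # A single-byte view shows 'À¼script', again with no '<' for the filter.
        "latin1_view": latin1_view,
        "filter_blocks_latin1_view": naive_filter_blocks(latin1_view),
        # What the lenient legacy decoder would hand to the HTML renderer.
        "lenient_decoded": lenient_utf8_decode(raw),
        # What a conformant decoder yields (None = reject).
        "strict_decoded": strict_utf8_decode(raw),
    }


def hardened_render(percent_encoded: str):
    """Defender-side handling: decode strictly, reject anything that is not
    well-formed UTF-8, then escape for the HTML text context."""
    text = strict_utf8_decode(unquote_to_bytes(percent_encoded))
    if text is None:
        return None
    return html.escape(text, quote=True)


if __name__ == "__main__":
    for sample in ("%C0%BCscript", "%C2%BCscript", "%3Cscript%3E", "%C0%80"):
        print(sample, analyse(sample), hardened_render(sample))
```

Running the module prints, for each constructed sample, the raw bytes, whether the naive filter fires on the encoded and Latin-1 views, and the lenient versus strict decodings. The instructive row is `%C0%BCscript`: neither filter view contains a `<`, the lenient decoder produces `<script`, and the strict decoder refuses the input outright, which is the behaviour a hardened handler should inherit rather than patching the blocklist.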
