Hi,
I am running into one issue with XSS and was interested if there is any way
I can bypass it.
Following is the response code where user supplied input is embedded. Input is
taken via a text box.
<script type="text/javascript">alert('No Information is found for the card 1');</script>
User supplied input 1 is highlighted in red. I am trying to break out of
this alert box, however when a single quote is given as input, the output
is escaped using a backslash. It is as follows:
Input: 1'
Output: <script type="text/javascript">alert('No Information is found for the card 1\'');</script>
I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestions on how to break out of this would be very helpful.
All characters except the single quote, <!-- and </script> are working.
Using a
I tried the following vector to escape out:
Input: 1);alert(1);(
');
Output: <script type="text/javascript">alert('No Information is found for the card 1);alert(1);(
');</script>
Regards,
Chintan Dave
If backslashes aren't escaped properly (with a backslash), try this:
\');alert(/TestString/.source);//
This should result in:
<script type="text/javascript">alert('No Information is found for the card \\');alert(/TestString/.source);//');</script>
If there are two backslashes, the first one will nullify (escape) the second
one, meaning the apostrophe won't be escaped.
Best regards,
MaXe
On Fri, 18 May 2012 12:04:59 +0530, Chintan Dave davechintan@gmail.com wrote:
> Hi,
> I am running into one issue with XSS and was interested if there is any way
> I can bypass it.
> Following is the response code where user supplied input is embedded. Input is
> taken via a text box.
> <script type="text/javascript">alert('No Information is found for the card 1');</script>
> User supplied input 1 is highlighted in red. I am trying to break out of
> this alert box, however when a single quote is given as input, the output
> is escaped using a backslash. It is as follows:
> Input: 1'
> Output: <script type="text/javascript">alert('No Information is found for the card 1\'');</script>
> I am using IE 8 and tried using back ticks just to check if I can get
> around this limitation, however it did not work.
> Any suggestions on how to break out of this would be very helpful.
> All characters except the single quote, <!-- and </script> are working.
> Using a
> I tried the following vector to escape out:
> Input: 1);alert(1);(
> ');
> Output: <script type="text/javascript">alert('No Information is found for the card 1);alert(1);(
> ');</script>
> Appreciate your help and support in advance.
> Thanks,
Yes actually, we were able to bypass using the same technique.
We just injected an extra slash to nullify escaping & ended the payload with a comment.
Appreciate all your help.
Sorry for brevity, sent from my iPod,
Thanks,
Chintan
On 19-May-2012, at 12:37 PM, MaXe owasp@intern0t.net wrote:
> If backslashes aren't escaped properly (with a backslash), try this:
> \');alert(/TestString/.source);//
> This should result in:
> <script type="text/javascript">alert('No Information is found for the card \\');alert(/TestString/.source);//');</script>
> If there are two backslashes, the first one will nullify (escape) the second
> one, meaning the apostrophe won't be escaped.
> Best regards,
> MaXe
No problem, it's a common misunderstanding (for developers) to only encode
quotes (") and apostrophes (') but not backslashes (\) :-)
But the good thing is, at least they're encoding quotes and hopefully
apostrophes too (where it's appropriate), compared to like 5 years ago when
almost no one was encoding anything.
Best regards,
MaXe
On Sat, 19 May 2012 13:12:28 +0530, Chintan Dave davechintan@gmail.com wrote:
> Yes actually, we were able to bypass using the same technique.
> We just injected an extra slash to nullify escaping & ended the payload with a comment.
> Appreciate all your help.
> Sorry for brevity, sent from my iPod,
> Thanks,
> Chintan
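The encoding gap discussed in this thread, shown from the fixing side as an added example that is not part of any poster's message or of the application's code. `weakEscape` is an assumed reconstruction of the reported behaviour, `jsStringEscape` and the helper names are hypothetical, and the inputs are constructed to mirror the thread.

```javascript
// Added example. weakEscape reconstructs the behaviour reported in the thread
// (apostrophe gets a backslash, backslash itself is left alone); it is an
// assumption about the application, not its real code.
function weakEscape(s) {
  return s.replace(/'/g, "\\'");
}

// Hardened: every character outside a small safe set becomes \uXXXX, so
// backslash, quotes, <, >, & and line terminators can never act as syntax.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ,._-]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The response template quoted in the thread.
function render(escape, input) {
  return "alert('No Information is found for the card " + escape(input) + "');";
}

// Scan the escaped value the way the JS parser reads a '...' literal body:
// a backslash consumes the next character, a bare apostrophe ends the string.
function firstUnescapedQuote(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\\") { i++; continue; }
    if (body[i] === "'") return i;
  }
  return -1;
}

function breaksOut(escape, input) {
  return firstUnescapedQuote(escape(input)) !== -1;
}

// Decode the hardened literal with the real parser; it must yield the input.
function roundTrip(input) {
  return new Function("return '" + jsStringEscape(input) + "';")();
}

// Constructed inputs mirroring the thread: a lone apostrophe, and a backslash
// placed before the apostrophe followed by the harmless alert from the reply.
const QUOTE_ONLY = "1'";
const BACKSLASH_QUOTE = "\\');alert(/TestString/.source);//";

for (const [name, esc] of [["weak", weakEscape], ["hardened", jsStringEscape]]) {
  for (const input of [QUOTE_ONLY, BACKSLASH_QUOTE]) {
    console.log(name, JSON.stringify(input), "breaks out:", breaksOut(esc, input));
  }
}
```

Because the hardened encoder also rewrites `<` and `>`, a value containing `</script>` cannot close the script block either, so the separate filtering of `<!--` and `</script>` mentioned in the first message is no longer what the page depends on.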