websecurity@lists.webappsec.org

The Web Security Mailing List

Need some help with one XSS Vector

Chintan Dave
Fri, May 18, 2012 6:34 AM

Hi,

I am running into one issue with XSS and was interested if there is any way
I can bypass it.
Following the response code where user supplied input is embedded. Input is
taken via a text box.

<script type="text/javascript">alert('No Information is found for the card 1');</script>

User supplied input 1 is highlighted in red. I am trying to break out of
this alert box, however when a single quote is given as input, the output
is escaped using a backslash. It is as follows:
Input:    1'
Output:   <script type="text/javascript">alert('No Information is found for the card 1\'');</script>

I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be much helpful.

All characters except the single quote, <!-- and </script> are working.
Using a

I tried the following vector to escape out:

Input:    1`);alert(1);(`');
Output:   <script type="text/javascript">alert('No Information is found for the card 1`);alert(1);(`');</script>

Appreciate your help and support in advance.

Thanks,

Regards,
Chintan Dave

MaXe
Sat, May 19, 2012 7:07 AM

If backslashes aren't escaped properly (with a backslash), try this:
\');alert(/TestString/.source);//

This should result in:

<script type="text/javascript">alert('No Information is found for the card \\');alert(/TestString/.source);//');</script>

If there's two backslashes, the first one will nullify (escape) the second
one, meaning the apostrophe won't be escaped.

Best regards,
MaXe

On Fri, 18 May 2012 12:04:59 +0530, Chintan Dave <davechintan@gmail.com> wrote:

Chintan Dave
Sat, May 19, 2012 7:42 AM

Yes actually, we were able to bypass using the same technique.

We just injected an extra slash to nullify escaping & ended the payload with a comment

Appreciate all your help.

Sorry for brevity, sent from my iPod,

Thanks,
Chintan

On 19-May-2012, at 12:37 PM, MaXe <owasp@intern0t.net> wrote:

MaXe
Sun, May 20, 2012 4:42 AM

No problem, it's a common misunderstanding (for developers) to only encode
quotes (") and apostrophes (') but not backslashes (\) :-)

But the good thing is, at least they're encoding quotes and hopefully
apostrophes too (where it's appropriate), compared to like 5 years ago when
almost no one was encoding anything.

Best regards,
MaXe

On Sat, 19 May 2012 13:12:28 +0530, Chintan Dave <davechintan@gmail.com> wrote:

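The point MaXe makes in both replies (a backslash before an escaped apostrophe cancels the escape, so an escaper that handles quotes but not backslashes leaves the string literal open), shown as an added example that is not code from the thread or from either poster: the quote-only escaper beside a complete one, the thread's template rebuilt as a function, and a small lexer-style check that tells whether the embedded input stayed inside the literal. All function names and the sample inputs are constructed for this example.

```javascript
// Escaper behaving like the thread's target: only the apostrophe gets a
// backslash, the backslash itself is passed through untouched.
function escapeQuoteOnly(s) {
  return s.replace(/'/g, "\\'");
}

// Hardened escaper: backslash FIRST so later escapes cannot be undone, then
// quotes, line terminators and angle brackets (no "</script>" or "<!--").
function escapeForJsString(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e");
}

// The thread's template, rebuilt here: escaped input lands inside a
// single-quoted string literal.
function render(input, escaper) {
  return "alert('No Information is found for the card " + escaper(input) + "');";
}

// Read the statement the way a JS lexer reads a string literal: a backslash
// consumes the next character, an unescaped apostrophe closes the literal.
// Returns the index of the closing apostrophe of the first literal.
function stringLiteralEnd(js) {
  const start = js.indexOf("'");
  for (let i = start + 1; i < js.length; i++) {
    if (js[i] === "\\") { i++; continue; }
    if (js[i] === "'") return i;
  }
  return -1;
}

// True when the literal closes exactly at the template's own "');" tail,
// i.e. the input stayed data; false means the input became code.
function stillInsideLiteral(js) {
  return stringLiteralEnd(js) === js.length - 3;
}

// Constructed inputs; expect true/true, true/true, false/true.
for (const s of ["1", "1'", "\\');alert(1);//"]) {
  console.log(JSON.stringify(s), stillInsideLiteral(render(s, escapeQuoteOnly)),
              stillInsideLiteral(render(s, escapeForJsString)));
}
```

The same check applied to a server-side template gives a cheap regression test: render every escaper-protected slot with a backslash-prefixed quote and assert the literal still closes where the template closes it.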