websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Need some help with one XSS Vector

Spam Catcher
Mon, May 21, 2012 5:49 PM

You could try using http://www.w3schools.com/jsref/jsref_fromcharcode.asp

Then you should not need to include any ' in your string and the app will hopefully not add anything to break the javascript.

-----Original Message-----

From: Aaron Devaney
Sent: 21 May 2012 16:14:12 GMT
To: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Need some help with one XSS Vector

Hi,
Have you tried using a slash before the single quote so that the escape
is performed on the slash that is escaping the quote?

So in your example you could try   \' + document.cookie;//

Which then might give the following

<script type="text/javascript">alert('No Information is found for the card 1\\'+ document.cookie);//');</script>

I didn't test it but it looks like it might work depending on how the
filter is working.

Regards
Aaron

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of
websecurity-request@lists.webappsec.org
Sent: 19 May 2012 04:15
To: websecurity@lists.webappsec.org
Subject: websecurity Digest, Vol 17, Issue 6


Message: 1
Date: Fri, 18 May 2012 12:04:59 +0530
From: Chintan Dave <davechintan@gmail.com>
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Need some help with one XSS Vector
Message-ID: <CAL9x60qFTJPzh7g1CehONBDm3oJWYrQ7vmzpTS5BBfcwMB_NHg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

I am running into one issue with XSS and was interested if there is any
way I can bypass it.
Following the response code where user supplied input is embedded. Input
is taken via a text box.

<script type="text/javascript">alert('No Information is found for the card 1');</script>

User supplied input 1 is highlighted in red. I am trying to break out
of this alert box, however when a single quote is given as input, the
output is escaped using a backslash. It is as follows:
Input:    1'
Output:   <script type="text/javascript">alert('No Information is found for the card 1\'');</script>

I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be much helpful.

All characters except the single quote, <!-- and </script> are
working.
Using a

I tried the following vector to escape out:

Input:    1`);alert(1);(`');
Output:   <script type="text/javascript">alert('No Information is found for the card 1`);alert(1);(`');</script>

Appreciate your help and support in advance.

Thanks,

Regards,
Chintan Dave

Jeff Williams
Tue, May 22, 2012 8:58 PM

What happens when you send </script>? Why doesn't it work? Is it escaped or validated? Can you bypass validation?

--Jeff

On May 21, 2012, at 1:49 PM, Spam Catcher <rrspam@hotmail.co.uk> wrote:

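Seen from the defender's side, the thread is about an output filter that backslash-escapes only the single quote before placing input in a JavaScript string literal, which is why the posters are probing it with a backslash in front of the quote and with a literal </script>. The block below is an added example written for this page, not code from any of the posters or from the application under discussion. It models that weak escaper, puts a hardened one beside it that \xHH-encodes every character outside [A-Za-z0-9] (the encoding the OWASP XSS Prevention Cheat Sheet gives for JavaScript string context), and runs a check that scans the rendered script the way the JavaScript lexer would, so a reviewer can see exactly where the string literal closes. The template, the probe inputs and all function names are constructed for the example; the probe with the backslash uses a harmless expression rather than anything the page's own payload reads.

```javascript
// Constructed to match the response quoted in the thread: user input lands
// inside a single-quoted JavaScript string literal within a <script> block.
const PREFIX = "<script type=\"text/javascript\">alert('No Information is found for the card ";
const SUFFIX = "');</script>";

// Weak escaper modelled on the behaviour the thread describes: only ' gets a
// backslash, so an input that already ends in a backslash turns \' into \\'.
function weakEscape(input) {
  return input.replace(/'/g, "\\'");
}

// Hardened escaper for JavaScript string context: every character outside
// [A-Za-z0-9] becomes \xHH (code points above 0xFF get a \u{...} escape).
// Backslash, quote, '<', '/' and '-' therefore never appear raw in the output,
// so the sequences \', </script> and <!-- cannot be formed.
function jsStringEscape(input) {
  let out = "";
  for (const ch of input) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += "\\x" + cp.toString(16).padStart(2, "0");
    } else {
      out += "\\u{" + cp.toString(16) + "}"; // ES2015 code point escape
    }
  }
  return out;
}

function render(escapeFn, input) {
  return PREFIX + escapeFn(input) + SUFFIX;
}

// Scan a single-quoted literal from the opening quote at `start`, honouring
// backslash escapes as the JavaScript lexer does. Returns the index of the
// closing quote, or -1 if the literal never closes.
function closingQuoteIndex(src, start) {
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === "\\") { i += 1; continue; } // escaped character, skip it
    if (src[i] === "'") return i;
  }
  return -1;
}

// Defender's check on the rendered page: the literal must close exactly at the
// template's own closing quote, and the HTML tokenizer must not meet </script
// or <!-- inside the injected text (either would end the script block early).
function isSafeEmbedding(escapeFn, input) {
  const escaped = escapeFn(input);
  const html = render(escapeFn, input);
  const open = PREFIX.lastIndexOf("'");
  const expectedClose = PREFIX.length + escaped.length;
  const actualClose = closingQuoteIndex(html, open);
  const injected = escaped.toLowerCase();
  const earlyEnd = injected.includes("</script") || injected.includes("<!--");
  return actualClose === expectedClose && !earlyEnd;
}

// Constructed probe inputs: the plain quote the thread starts with, a
// backslash-before-quote input of the kind the thread discusses (with a
// harmless expression after it), a closing tag, and an HTML comment opener.
const PROBES = ["1'", "\\' + 1;//", "</script>", "x<!--y"];

// One row per probe: does each escaper keep the literal intact?
function report() {
  return PROBES.map((p) => ({
    input: p,
    weak: isSafeEmbedding(weakEscape, p),
    hardened: isSafeEmbedding(jsStringEscape, p),
  }));
}

for (const r of report()) {
  console.log(JSON.stringify(r.input).padEnd(16), "weak:", r.weak, " hardened:", r.hardened);
}
```

Run it with `node` and the report shows the weak escaper passing only the plain-quote probe while the hardened one passes all four. The scanner is the part worth keeping in a test suite: it checks the property that actually matters (the literal closes where the template says it does) instead of checking for the presence of particular characters, so it catches the backslash case that a quote-only filter misses.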