You could try using http://www.w3schools.com/jsref/jsref_fromcharcode.asp
Then you should not need to include any ' in your string and the app will hopefully not add anything to break the javascript.
-----Original Message-----
From: Aaron Devaney
Sent: 21 May 2012 16:14:12 GMT
To: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Need some help with one XSS Vector
Hi,
Have you tried using a slash before the single quote so that the escape
is performed on the slash that is escaping the quote?
So in your example you could try \' + document.cookie;//
Which then might give the following
<script type="text/javascript">alert('No Information is found for the card 1\\'+ document.cookie);//');</script>
I didn't test it but it looks like it might work depending on how the
filter is working.
Regards
Aaron
-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of
websecurity-request@lists.webappsec.org
Sent: 19 May 2012 04:15
To: websecurity@lists.webappsec.org
Subject: websecurity Digest, Vol 17, Issue 6
Message: 1
Date: Fri, 18 May 2012 12:04:59 +0530
From: Chintan Dave davechintan@gmail.com
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Need some help with one XSS Vector
Message-ID:
CAL9x60qFTJPzh7g1CehONBDm3oJWYrQ7vmzpTS5BBfcwMB_NHg@mail.gmail.com
Content-Type: text/plain; charset="utf-8"
Hi,
I am running into one issue with XSS and was interested if there is any
way I can bypass it.
Following is the response code where user-supplied input is embedded. Input
is taken via a text box.
<script type="text/javascript">alert('No Information is found for the card 1');</script>
User-supplied input 1 is highlighted in red. I am trying to break out
of this alert box; however, when a single quote is given as input, the
output is escaped using a backslash. It is as follows:
Input: 1'
Output: <script type="text/javascript">alert('No Information is found for the card 1\'');</script>
I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be very helpful.
All characters except the single quote, <!-- and </script> are working.
Using a
I tried the following vector to escape out:
Input: 1);alert(1);(
');
Output: <script type="text/javascript">alert('No Information is found for the card 1);alert(1);(
\');</script>
Regards,
Chintan Dave
What happens when you send </script>? Why doesn't it work? Is it escaped or validated? Can you bypass validation?
--Jeff
On May 21, 2012, at 1:49 PM, Spam Catcher rrspam@hotmail.co.uk wrote: