Hi, 
Guest
Pic
Sign In

websecurity@lists.webappsec.org

The Web Security Mailing List

View all threads

Re: [WEB SECURITY] Need some help with one XSS Vector

AD
Aaron Devaney
Mon, May 21, 2012 8:26 AM

Hi,
Have you tried using a slash before the single quote so that the escape
is performed on the slash that is escaping the quote?

So in your example you could try        ' + document.cookie;//

Which then might give the following

<script type="text/javascript">alert('No Information is found for the card 1\\'+ document.cookie);//');</script>

I didn't test it but it looks like it might work depending on how the
filter is working.

Regards
Aaron

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of
websecurity-request@lists.webappsec.org
Sent: 19 May 2012 04:15
To: websecurity@lists.webappsec.org
Subject: websecurity Digest, Vol 17, Issue 6

Send websecurity mailing list submissions to
websecurity@lists.webappsec.org

To subscribe or unsubscribe via the World Wide Web, visit

http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.
org

or, via email, send a message with subject or body 'help' to
websecurity-request@lists.webappsec.org

You can reach the person managing the list at
websecurity-owner@lists.webappsec.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of websecurity digest..."

Today's Topics:

  1. Need some help with one XSS Vector (Chintan Dave)

Message: 1
Date: Fri, 18 May 2012 12:04:59 +0530
From: Chintan Dave davechintan@gmail.com
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Need some help with one XSS Vector
Message-ID:

CAL9x60qFTJPzh7g1CehONBDm3oJWYrQ7vmzpTS5BBfcwMB_NHg@mail.gmail.com
Content-Type: text/plain; charset="utf-8"

Hi,

I am running into one issue with XSS and was interested if there is any
way I can bypass it.
Following the response code where user supplied input is embedded. Input
is taken via a text box.

<script type="text/javascript">alert('No Information is found for the
card
1');</script>

User supplied input 1 is highlighted in red. I am trying to break out
of this alert box, however when a single quote is given as input, the
output is escaped using a backslash. It is as follows:
*
Input:*    1'*
Output:** <script type="text/javascript">alert('No Information is found
for the card 1'');</script>*

I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be much helpful.

All characters except the single quote, <!-- and </script> are
working.
Using a

I tried the following vector to escape out:

Input:    1);alert(1);(');
Output:* <script type="text/javascript">alert('No Information is found
for the card 1);alert(1);(');</script>

Appreciate *your help and support in advance.
*
Thanks,
*

Regards,
Chintan Dave

Hi, Have you tried using a slash before the single quote so that the escape is performed on the slash that is escaping the quote? So in your example you could try \' + document.cookie;// Which then might give the following <script type="text/javascript">alert('No Information is found for the card 1\\'+ document.cookie);//');</script> I didn't test it but it looks like it might work depending on how the filter is working. Regards Aaron -----Original Message----- From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of websecurity-request@lists.webappsec.org Sent: 19 May 2012 04:15 To: websecurity@lists.webappsec.org Subject: websecurity Digest, Vol 17, Issue 6 Send websecurity mailing list submissions to websecurity@lists.webappsec.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec. org or, via email, send a message with subject or body 'help' to websecurity-request@lists.webappsec.org You can reach the person managing the list at websecurity-owner@lists.webappsec.org When replying, please edit your Subject line so it is more specific than "Re: Contents of websecurity digest..." Today's Topics: 1. Need some help with one XSS Vector (Chintan Dave) ---------------------------------------------------------------------- Message: 1 Date: Fri, 18 May 2012 12:04:59 +0530 From: Chintan Dave <davechintan@gmail.com> To: websecurity@webappsec.org Subject: [WEB SECURITY] Need some help with one XSS Vector Message-ID: <CAL9x60qFTJPzh7g1CehONBDm3oJWYrQ7vmzpTS5BBfcwMB_NHg@mail.gmail.com> Content-Type: text/plain; charset="utf-8" Hi, I am running into one issue with XSS and was interested if there is any way I can bypass it. Following the response code where user supplied input is embedded. Input is taken via a text box. *<script type="text/javascript">alert('No Information is found for the card 1');</script>* User supplied input *1* is highlighted in red. I am trying to break out of this alert box, however when a single quote is given as input, the output is escaped using a backslash. It is as follows: * Input:* *1'** Output:** <script type="text/javascript">alert('No Information is found for the card 1\'');</script>* I am using IE 8 and tried using back ticks just to check if I can get around this limitation, however it did not work. Any suggestion on how to break out of this would be much helpful. All characters except the *single quote, <!-- and </script>* are working. Using a I tried the following vector to escape out: *Input:* *1`);alert(1);(`'**);** Output:** <script type="text/javascript">alert('No Information is found for the card 1`);alert(1);(`');</script> *Appreciate* *your help and support in advance. * *Thanks,* * -- Regards, Chintan Dave
Empathy v1.0   2024 ©Harmonylists.com