WebApp Sec mailing list archives
RE: XSS - Double Quote break out and White Space filtered
From: "Jeff Williams" <planetlevel () gmail com>
Date: Thu, 28 May 2009 22:48:26 -0400
In problem 1, since there are no quotes, there are lots of characters that will terminate an attribute, like %00, %08, CR, LF, VT, space, tab, etc... I think you're out of luck on problem 2. You *can* break out of a quoted string inside javascript without the corresponding quote by "injecting up" and closing the entire script block with </script>. Unfortunately for you that won't work because you can't generate a tag. See the OWASP XSS Prevention Cheatsheet for some more background on what characters do what where. http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

--Jeff
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of arvind doraiswamy
Sent: Thursday, May 28, 2009 10:46 AM
To: PortSwigger
Cc: webappsec () securityfocus com
Subject: Re: XSS - Double Quote break out and White Space filtered

This worked a treat, thanks. What does this mean though? So if I take an example:

<input type=text name=p1 size=50 value=>

Now say I type ``onclick=alert(1) inside the text box this becomes..

<input type=text name=p1 size=50 value=``onclick=alert(1)>

Does this mean I'm saying - The value is Null (no value between the backticks) followed by the event handler?

Also any ideas about Problem 2? How do you break out of something enclosed in double quotes with the same character escapes as Problem 1?

Thanks
Arvind

On Thu, May 28, 2009 at 2:30 PM, PortSwigger <mail () portswigger net> wrote:

Have you checked whether backticks are allowed? IE interprets backticks in the same way as quotes. So you may be able to use something like: ``onclick=alert(1)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of arvind doraiswamy
Sent: 28 May 2009 07:13
To: webappsec () securityfocus com
Subject: XSS - Double Quote break out and White Space filtered

Hey Guys,
We're trying to understand XSS Regex and evasion techniques better. We're stuck at 2 variations though.

Problem 1:
Here's what is allowed: ( ) : ; &
Everything else is filtered or replaced. The HTML looks like this:

<input type=text name=p1 size=50 value=>

Note that the value isn't enclosed by quotes which means I can break out of it with a space with the event handling technique. However the problem again is that spaces are also caught and replaced with a blank. The same is true of " as well. The < and > are filtered as well which means we can't start a new tag either. So we're stuck.

Now AFAIK these are the only ways to bypass a filter:
a) Add another attribute to the Input tag
b) Break out of the Input tag and add your own scripts
c) Put in something in the value= which natively acts as a script (I'm not sure what)

Is there anything else? How all can you perform XSS with < > " ' (whitespace with all variants) all blocked off using any of the 3 above methods?

Problem 2:
Everything in Problem 1 is blocked off including & as well. The input into a text box goes between " " this time though. So if I type "abc" it goes between the double quotes. This input is again used by a document.write(" ") between <script> </script> tags later in the page. So if I write abc in an input box, it's echoed in 2 places - a) In the text box itself b) In the document.write(" ") call later on the page.

Effectively this means everything is treated as text in both places - this includes scripts, javascript: function pointer tricks, everything. Remember I can't break out again due to the " becoming " and < > becoming < >. So how do you do this?

All inputs/feedback are welcome. Please let me know if further inputs are needed.

Thanks
Arvind
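As an added illustration (not code from anyone in this thread), the snippet below models the character-stripping filter from Problem 1 and shows why Jeff's advice to follow the OWASP cheat sheet is the real fix: an unquoted attribute value can be ended by characters the filter never considers (backtick, NUL, backspace, VT and friends), whereas quoting the attribute and entity-encoding everything non-alphanumeric (OWASP rule #2) and `\xHH`-escaping inside the `document.write("...")` string from Problem 2 (rule #3) leaves nothing for the parser to terminate on. The filter, the terminator set and the `render_*` helpers are constructed approximations of what the thread describes, not the original application.

```python
# Constructed model of the Problem 1 filter: whitespace, quotes, < and >
# are dropped.  Backtick and the control bytes Jeff lists are not on the
# list, which is the gap the thread is discussing.
BLOCKED = set(" \t\r\n\"'<>")

def blocklist_filter(value: str) -> str:
    return "".join(ch for ch in value if ch not in BLOCKED)

# Characters at which an unquoted HTML attribute value ends (cf. Jeff's
# list: %00, %08, CR, LF, VT, space, tab; plus backtick on old IE).
ATTR_TERMINATORS = set(" \t\n\r\x0b\x0c\x00\x08`\"'<>")

def attribute_still_terminates(filtered: str) -> bool:
    """Defensive check: can this already-filtered string still end an attribute?"""
    return any(ch in ATTR_TERMINATORS for ch in filtered)

# OWASP XSS Prevention rule #2: inside a *quoted* attribute, encode every
# character outside ASCII [A-Za-z0-9] as &#xHH; so no terminator survives.
def encode_html_attr(value: str) -> str:
    return "".join(
        ch if ch.isascii() and ch.isalnum() else f"&#x{ord(ch):02X};"
        for ch in value
    )

# OWASP rule #3: inside a JS string literal (the document.write("...") case
# in Problem 2) use \xHH for Latin-1 and \uHHHH for everything else, so
# neither the quote nor </script> can be formed from the data.
def encode_js_string(value: str) -> str:
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)

# Corrected rendering of the two sinks from the thread: attribute is quoted
# and value is encoded for the exact context it lands in.
def render_input(value: str) -> str:
    return f'<input type="text" name="p1" size="50" value="{encode_html_attr(value)}">'

def render_script(value: str) -> str:
    return f'<script>document.write("{encode_js_string(value)}")</script>'

if __name__ == "__main__":
    sample = "a`b <c> \"d\" \x00e"          # constructed input
    print(blocklist_filter(sample), attribute_still_terminates(blocklist_filter(sample)))
    print(render_input(sample))
    print(render_script(sample))
```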