Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
I think I might have an addition to the xss cheat sheet
Posted by: barbarianbob
Date: July 08, 2007 10:36PM

I was screwing around with different characters to see how browsers display them. Eventually, I came across the use of whitespace characters in locations where they render as non-whitespace characters. I put this to use in element attributes:

<img src= [\x0c]'12 onerror=alert(1) ' />
<img src= [\xa0]'160 onerror=alert(1) ' />

In PHP, chr(12) passes the whitespace regExp (/\s/). In the version of PHP that I have (5.2.1), chr(160) also counts as whitespace. However, testing in versions 4.4.0, 4.4.4, and 5.1.6, chr(160) does not fit in. (Although whitespace chars might be set by the config files, and that could be why I got different results.)
Nevertheless, these characters will become part of an attribute rather than the whitespace before it. Thus, posting the above codes gives the src a value of "[\x0c]'12" and "[\xa0]'160" respectively, and also sets the onerror attribute to your evil code. This will bypass filters because it uses whitespace, which is allowed, and places quotes around the entire value.

So, basically the above two codes are acting like this:
The filter sees:
<el attr=[validWhitespace]'value'>content</el>
which should be allowed.
But the browser renders it as:
<el attr=value attr2=value2 '>content</el>
Thus, you can add in an extra attribute into the element without it being filtered because the server counts the special characters as whitespace and the browser as text.



Edited 1 time(s). Last edit at 07/09/2007 09:45AM by barbarianbob.
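The disagreement the post describes, modelled as an added example in JavaScript (this is not code from the original post or from sla.ckers.org): a filter that splits a tag into attributes with a regex built on the class \s, beside a small tokenizer that follows the attribute states of the HTML standard, where only tab, line feed, form feed and space count as whitespace before an attribute value. The two payloads are the post's own with the [\x0c] and [\xa0] placeholders replaced by the real characters; the filter regex, the function names and the simplified tokenizer are assumptions constructed here. One caveat for readers testing this today: the HTML standard's tokenizer lists form feed (U+000C) among the characters it skips before an attribute value, so under this model only the U+00A0 variant yields the extra onerror attribute, while the filter accepts both.

```javascript
// Added example, not from the original post: a naive attribute filter built on
// the regex class \s, beside a tokenizer that follows the HTML attribute states.
// The regex, the function names and the simplifications are assumptions made
// for this example.

// The post's two payloads with the [\x0c] and [\xa0] placeholders filled in.
const FF_PAYLOAD = "<img src= \f'12 onerror=alert(1) ' />";
const NBSP_PAYLOAD = "<img src= \u00a0'160 onerror=alert(1) ' />";

// Naive filter: find name=value pairs with a regex whose whitespace is \s.
// In JavaScript \s matches both \f (U+000C) and U+00A0, so "= \u00a0'...'" is
// read as "=", then whitespace, then ONE quoted value. The filter therefore
// only ever sees the attribute name "src" for either payload.
function naiveAttributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]+)/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Whitespace the HTML tokenizer skips between "=" and an attribute value
// (the "before attribute value" state): tab, LF, FF, space. U+00A0 is not in
// this set, so it starts an unquoted attribute value instead.
const ATTR_WS = new Set(["\t", "\n", "\f", " "]);

// Minimal tokenizer for the attribute section of a start tag, following the
// before-attribute-name / attribute-name / after-attribute-name /
// before-attribute-value / attribute-value states. Simplified: no character
// references, no parse-error reporting, self-closing "/" just skipped.
function tokenizeAttributes(tag) {
  const attrs = [];
  const isWs = (c) => ATTR_WS.has(c);
  let name = "";
  let value = "";
  const emit = () => { attrs.push({ name, value }); name = ""; value = ""; };
  // Skip "<tagname": the name ends at the first whitespace, "/" or ">".
  let i = 1;
  while (i < tag.length && !isWs(tag[i]) && tag[i] !== "/" && tag[i] !== ">") i++;
  let state = "beforeName";
  while (i < tag.length) {
    const c = tag[i];
    switch (state) {
      case "beforeName":
        if (isWs(c) || c === "/") i++;
        else if (c === ">") return attrs;
        else state = "name"; // reconsume; a stray "'" becomes an attribute name
        break;
      case "name":
        if (isWs(c) || c === "/" || c === ">") state = "afterName"; // reconsume
        else if (c === "=") { state = "beforeValue"; i++; }
        else { name += c.toLowerCase(); i++; }
        break;
      case "afterName":
        if (isWs(c)) i++;
        else if (c === "/") { emit(); state = "beforeName"; i++; }
        else if (c === "=") { state = "beforeValue"; i++; }
        else if (c === ">") { emit(); return attrs; }
        else { emit(); state = "name"; } // next attribute starts here
        break;
      case "beforeValue":
        if (isWs(c)) i++;
        else if (c === '"') { state = "dq"; i++; }
        else if (c === "'") { state = "sq"; i++; }
        else if (c === ">") { emit(); return attrs; }
        else state = "unquoted"; // reconsume: U+00A0 lands here, \f does not
        break;
      case "dq":
        if (c === '"') { emit(); state = "beforeName"; i++; }
        else { value += c; i++; }
        break;
      case "sq":
        if (c === "'") { emit(); state = "beforeName"; i++; }
        else { value += c; i++; }
        break;
      case "unquoted":
        if (isWs(c)) { emit(); state = "beforeName"; i++; }
        else if (c === ">") { emit(); return attrs; }
        else { value += c; i++; }
        break;
    }
  }
  if (name) emit();
  return attrs;
}

// Attribute names the tokenizer produces that the filter never saw; an
// injected event handler shows up here.
function hiddenAttributes(tag) {
  const seen = new Set(naiveAttributeNames(tag));
  return tokenizeAttributes(tag).map((a) => a.name).filter((n) => !seen.has(n));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of [FF_PAYLOAD, NBSP_PAYLOAD]) {
    console.log(JSON.stringify(p));
    console.log("  filter sees :", naiveAttributeNames(p));
    console.log("  browser sees:", tokenizeAttributes(p));
    console.log("  hidden      :", hiddenAttributes(p));
  }
}
```

The lesson for a filter author is that any whitespace definition taken from a regex engine or a language runtime (PHP's /\s/, JavaScript's \s, PHP's locale-dependent ctype tables) is not the HTML tokenizer's, and a filter that decides where an attribute value begins by its own notion of whitespace will disagree with the browser on exactly the characters the post lists. Parsing with an HTML tokenizer and re-serialising, rather than regex matching the raw markup, removes that gap.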


