Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Escaping a TextBox
Posted by: alphy
Date: August 28, 2006 08:23AM

Hello,

I am able to inject code into a textbox, but they filter the double quotes using htmlentities() or htmlspecialchars(), so I get &quot;
Anyway, I am not able to escape from the
value=" "
the full code being:

<input type="text" name="test" id="test" value=" <SCRIPT SRC=http://www.example.org/xss.js> </SCRIPT> ">
Is there a way to get out of the textbox so the JS file gets rendered?
Help would be highly appreciated.

Re: Escaping a TextBox
Posted by: shiflett
Date: August 28, 2006 08:45AM

(I need to learn to read. Ignore my previous response.)

Re: Escaping a TextBox
Posted by: WhiteAcid
Date: August 28, 2006 08:53AM

If they filter " then most likely you cannot get outside the value attribute. Though you could try reading up on variable width encoding:
http://ha.ckers.org/blog/20060817/variable-width-encoding/
http://www.securiteam.com/securitynews/5EP0B0UJFO.html

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Escaping a TextBox
Posted by: alphy
Date: August 28, 2006 09:02AM

Quote
">

======>

Quote
but they filter the double quotes using htmlentities() or htmlspecialchars(), so I get &quot;

Re: Escaping a TextBox
Posted by: alphy
Date: August 28, 2006 09:03AM

Ok thanks whiteAcid, I will.

Re: Escaping a TextBox
Posted by: rsnake
Date: August 28, 2006 10:13AM

Alphy, to save you some trouble, do you know what encoding method they are using? If it's ISO-8859-1, forget it; if it's UTF-8, you're probably in luck, although, being unable to enter quotes, you might be stuck in a situation where the only thing you can get to render is event handlers.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Escaping a TextBox
Posted by: alphy
Date: August 28, 2006 10:36AM

ouch =/ they are using ISO-8859-1 .. Looks like I'll have to come up w/ a new attack vector. Thanks WhiteAcid and RSnake.

Re: Escaping a TextBox
Posted by: trix
Date: August 28, 2006 11:08AM

How would you get event handlers to be rendered in the textbox then?

trix

Re: Escaping a TextBox
Posted by: Anonymous User
Date: August 28, 2006 12:07PM

You'd still have to break out of the value=" ", so I don't know why he mentioned that.

If you can break out of a <img src="$path"> with a ">, use this injection string: " onLoad="javascript:alert('yep')

Re: Escaping a TextBox
Posted by: rsnake
Date: August 28, 2006 03:06PM

Actually, that's not what WhiteAcid was referring to. He was talking about variable width encoding.

Anyway, it's very difficult to say without seeing the real example but this would work in IE for example (where the [CHAR] is decimal 192):

<input type="text" value="[CHAR]"> "onmouseover=alert(XSS)>

The [CHAR] changes the next character (a quote) into a single char. So the rendering engine sees it as:

<input type="text" value="[VARIABLE-WIDTH-CHAR]> "onmouseover=alert(XSS)>

onmouseover isn't a particularly good vector, but you get the idea. A better example would be a style tag vector, or something that executes immediately upon viewing, rather than requiring user input.
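The trick RSnake describes above, as an added worked example (this is not code from the thread or from any of the posters). It builds the page bytes exactly as in his post: the textbox value goes through a byte-oriented htmlspecialchars(), the payload is the single byte 0xC0 (decimal 192), and the text after the tag is assumed to be a second, unfiltered reflection of attacker data (the thread never shows the real page, so that tail is an assumption). The "lenient" decoder is a model of the behaviour he attributes to IE, where a lead byte and the byte after it collapse into one character; it is not an emulation of any real browser. The same page is then decoded strictly, as ISO-8859-1 (the case where he says to forget it), and finally rendered by a hardened version that fixes the encoding before escaping.

```python
"""
Variable-width encoding vs. htmlspecialchars(): how a lone UTF-8 lead byte
can swallow the attribute's own closing quote under a lenient decoder.
Added example; the input page and the "lenient" decoder are constructed
models of what the thread describes, not real-world code or browser logic.
"""
import html


def htmlspecialchars(data: bytes) -> bytes:
    """Byte-oriented htmlspecialchars(..., ENT_QUOTES): only the five special
    bytes are escaped. A stray lead byte such as 0xC0 passes through untouched."""
    return (data.replace(b'&', b'&amp;').replace(b'<', b'&lt;')
                .replace(b'>', b'&gt;').replace(b'"', b'&quot;')
                .replace(b"'", b'&#039;'))


# Constructed inputs, mirroring RSnake's example line.
PAYLOAD = b'\xc0'                          # decimal 192: a 2-byte UTF-8 lead byte on its own
TAIL = b' "onmouseover=alert(XSS)>'        # assumed second, unfiltered reflection after the tag


def render_page(value: bytes, tail: bytes) -> bytes:
    """The vulnerable template: the filtered value sits inside value="...",
    and the template's own closing quote follows it."""
    return b'<input type="text" value="' + htmlspecialchars(value) + b'">' + tail


def lenient_decode(data: bytes) -> str:
    """Model of the lenient behaviour described in the thread: a lead byte
    claims the number of bytes its high bits announce, whatever they are.
    If the chunk is not valid UTF-8 the whole chunk becomes ONE glyph, so the
    quote byte that followed 0xC0 disappears from the character stream."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        n = 2 if 0xC0 <= b <= 0xDF else 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF7 else 1
        chunk = data[i:i + n]
        try:
            out.append(chunk.decode('utf-8'))
        except UnicodeDecodeError:
            out.append('\ufffd')               # lead byte AND the swallowed byte: one character
        i += n
    return ''.join(out)


def strict_decode(data: bytes) -> str:
    """Strict UTF-8: a bad byte is replaced on its own and decoding
    resynchronises on the next byte, so the closing quote survives."""
    return data.decode('utf-8', errors='replace')


def tag_attribute_names(markup: str) -> list:
    """Tiny attribute scanner for the first tag in `markup`, respecting quoted
    values the way a browser tokenizer would. Returns the attribute names seen."""
    names, i, n = [], markup.index('<') + 1, len(markup)
    while i < n and not markup[i].isspace() and markup[i] != '>':   # skip tag name
        i += 1
    while i < n:
        while i < n and markup[i].isspace():
            i += 1
        if i >= n or markup[i] == '>':
            break
        start = i
        while i < n and markup[i] not in '=>' and not markup[i].isspace():
            i += 1
        names.append(markup[start:i].lower())
        while i < n and markup[i].isspace():
            i += 1
        if i < n and markup[i] == '=':                               # attribute value
            i += 1
            while i < n and markup[i].isspace():
                i += 1
            if i < n and markup[i] in '"\'':
                q = markup[i]
                i += 1
                while i < n and markup[i] != q:
                    i += 1
                i += 1
            else:
                while i < n and markup[i] != '>' and not markup[i].isspace():
                    i += 1
    return names


def render_page_hardened(value: bytes, tail: bytes) -> bytes:
    """Fix: settle the encoding BEFORE escaping. Decode the raw bytes as strict
    UTF-8 (malformed sequences become U+FFFD), escape the resulting text, and
    emit it as well-formed UTF-8. No lone lead byte can then reach the
    attribute. The response must also declare charset=UTF-8 so the browser
    does not guess (header not modelled here)."""
    text = value.decode('utf-8', errors='replace')
    safe = html.escape(text, quote=True).encode('utf-8')
    return b'<input type="text" value="' + safe + b'">' + tail


if __name__ == '__main__':
    page = render_page(PAYLOAD, TAIL)
    for label, decode in (('lenient utf-8 (modelled)', lenient_decode),
                          ('strict utf-8', strict_decode),
                          ('iso-8859-1', lambda b: b.decode('latin-1'))):
        print(f'{label:26} {tag_attribute_names(decode(page))}')
    print(f'{"hardened, lenient decode":26} '
          f'{tag_attribute_names(lenient_decode(render_page_hardened(PAYLOAD, TAIL)))}')
```

Only the lenient decoding of the unfixed page yields an onmouseover attribute; strict UTF-8 keeps the quote, ISO-8859-1 is immune because every byte is exactly one character, and the hardened render is safe even under the lenient decoder because the attacker's byte has already been turned into a complete, valid sequence before it is written out.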
