tips needed in php sanitation filter evasion
Posted by: LVH
Date: July 23, 2010 11:41AM

Long time lurker, first post and hoping not to be hit by lightning facing the gods of XSS :)

Today I thought it was a nice day to play a little bit with the php sanitation filters, see how they work and how to bypass them. Since I'm lazy and not a coder I took the easy way; I downloaded XAMPP and DVWA.

I looked at the medium level of the reflective XSS exercise and thought that would be a nice place to start.

In the original php it handles and reflects the input as:
$html .= '<pre>';
$html .= 'Hello ' . strip_tags($_GET['name']);
$html .= '</pre>';

I tried to evade this using several encodings and injections but was unsuccessful, so I figured it was time to try something easier.

Looking at the various php sanitation filters I thought filter_var in combination with FILTER_SANITIZE_EMAIL would be easier to exploit since it allows you to use things like & and % and sanitizes things like ", < and >.

So I changed the exercise into 2 alternatives:
alt 1: the default exercise but now with filter_var
$html .= '<pre>';
$html .= 'Hello ' . filter_var($_GET['name'], FILTER_SANITIZE_EMAIL);
$html .= '</pre>';

alt 2: using a form / DIV / value for "><script> kind of exploits
$html .= '<form>';
$html .= '<div>';
$html .= '<input name="button" type="text" value="Hello ' . filter_var($_GET['name'], FILTER_SANITIZE_EMAIL) . '" /><br /><br />';
$html .= '</div>';
$html .= '</form>';

However, to my frustration even these very basic filters seem to successfully stop all my attempts. I already spent an hour in Google looking for php evasion attacks, but they all assume you can use ", >, or /, which are sanitized by the php filter.

As you can imagine I feel very stupid now and almost don't dare to admit this, but I feel I am missing something very basic here ...

Can anybody help this n00b and give a hint or a tip?

Re: tips needed in php sanitation filter evasion
Posted by: Skyphire
Date: July 25, 2010 03:49PM

strip_tags() is usually exploited when there are allowed tags, like <b>. Then you can set an attribute to it.

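An added example, not code from this thread or from DVWA, that runs the two sanitisers discussed above (strip_tags with and without an allow-list, and FILTER_SANITIZE_EMAIL) next to context-aware output encoding, so the difference between "removing some characters" and "encoding for the HTML sink" is visible; the render_* helper names are mine.

```php
<?php
// Added example: what each sanitiser leaves behind, and why encoding at
// the HTML sink (htmlspecialchars) is the actual XSS defence.
// The render_* helpers are mine, not DVWA's.

// Constructed inputs: plain text, a tag, and an allowed tag carrying an attribute.
$inputs = [
    'Bob',
    '<script>x</script>',
    '<b title="x">bold</b>',
];

// DVWA medium level: strip_tags with no allow-list removes every tag,
// but the result is still concatenated raw into the HTML response.
function render_strip(string $name): string {
    return '<pre>Hello ' . strip_tags($name) . '</pre>';
}

// strip_tags with an allow-list keeps the whole tag, attributes included.
// This is the situation Skyphire describes: only the tag name is checked.
function render_strip_allow(string $name): string {
    return '<pre>Hello ' . strip_tags($name, '<b>') . '</pre>';
}

// FILTER_SANITIZE_EMAIL drops characters that are not valid in an e-mail
// address. It is a helper for cleaning addresses, not an HTML encoder.
function render_email_filter(string $name): string {
    return '<pre>Hello ' . filter_var($name, FILTER_SANITIZE_EMAIL) . '</pre>';
}

// The defence that matches the sink: encode <, >, &, " and ' for HTML
// text and attribute context, and leave filtering out of the picture.
function render_encoded(string $name): string {
    return '<pre>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</pre>';
}

foreach ($inputs as $in) {
    echo "input:            $in\n";
    echo "strip_tags:       " . render_strip($in) . "\n";
    echo "strip_tags(<b>):  " . render_strip_allow($in) . "\n";
    echo "SANITIZE_EMAIL:   " . render_email_filter($in) . "\n";
    echo "htmlspecialchars: " . render_encoded($in) . "\n\n";
}
```

Run it with the PHP CLI and compare the third input across the four rows: only the htmlspecialchars row turns the markup into inert text; the allow-list row passes the attribute through untouched.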