Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
injection after error
Posted by: Albino
Date: January 05, 2011 01:04PM

I suspect this is impossible, but I have to ask just in case:

The injection is essentially:
<script>
var w = '<userinput>';
</script>

",',<,> are all filtered, but \ and / and + aren't and control characters don't seem to be filtered either, so by using input=asd;%0Aalert(1);// I can get:
<script>
var w = 'asd;
alert(1);
</script>

But of course this won't execute because the unterminated string causes an error and stops execution. I have tried injecting a null byte to terminate the string, and some fancy Unicode stuff but it all failed. Any ideas?

Re: injection after error
Posted by: barbarianbob
Date: January 05, 2011 07:08PM

Do you have more than one place to add your input into the <script>, such as in the following?

<script>
var w = '<arg1>';
var x = '<arg2>';
</script>

If so, you can try ?arg1=asdf\&arg2=;alert(1);\
The first one will slash the endquote, keeping the string going, until it hits the second string, where it will close right before your second input.
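The thread's filter is a character blacklist (it drops " ' < > and nothing else), and both posts above rely on exactly the characters it lets through: a raw newline breaks the literal so the script fails with a syntax error, and a trailing backslash swallows the closing quote. The defender's fix is not a longer blacklist but output encoding for the JavaScript string context. The following is an added example written for this page, not code from the forum or from any site discussed in it; blacklistFilter is an assumed reconstruction of the filter described in the first post, and the function names and the sample inputs are constructed for the demonstration. It contrasts the two approaches on the thread's own inputs and checks, with a parse-only compile, that the encoded version keeps the literal intact and round-trips the value as data.

```javascript
'use strict';

// Character blacklist as described in the thread: removes " ' < > but leaves
// backslash, slash, plus and control characters (including newlines) alone.
// Assumed reconstruction of the filter, not the real site's code.
function blacklistFilter(input) {
  return input.replace(/["'<>]/g, '');
}

// Output encoding for a JavaScript string-literal context: every character
// that is not an ASCII letter or digit becomes a \uXXXX escape. Quotes,
// backslashes, line terminators and "/" can then never change the script.
function encodeForJsString(input) {
  let out = '';
  for (const ch of input) {               // iterates by code point
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
      continue;
    }
    // Astral code points are two UTF-16 code units; escape each unit.
    for (let i = 0; i < ch.length; i++) {
      out += '\\u' + ch.charCodeAt(i).toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Builds the script body from the thread's template (var w = '<input>';),
// one line per input, and returns the assigned values at the end so the
// round trip can be checked.
function buildScriptBody(inputs, transform) {
  const names = ['w', 'x', 'y', 'z'];
  const lines = inputs.map((v, i) => `var ${names[i]} = '${transform(v)}';`);
  lines.push(`return [${names.slice(0, inputs.length).join(', ')}];`);
  return lines.join('\n');
}

// Compiles the body without running it. 'syntax-error' is the "error" the
// thread is about: a string literal that no longer terminates on its line.
function parseStatus(body) {
  try {
    new Function(body);
    return 'parses';
  } catch (e) {
    return e instanceof SyntaxError ? 'syntax-error' : 'other-error';
  }
}

// Runs an encoded body and returns the values the script assigned. Only used
// with encodeForJsString, where the literals contain nothing but data.
function roundTrip(inputs) {
  return new Function(buildScriptBody(inputs, encodeForJsString))();
}

// Constructed sample inputs taken from the discussion above.
const NEWLINE_INPUT = 'asd;\nalert(1);//';   // first post: %0A becomes a raw newline
const BACKSLASH_INPUT = 'asdf\\';            // trailing backslash from the reply
```

Usage: `parseStatus(buildScriptBody([NEWLINE_INPUT], blacklistFilter))` returns `'syntax-error'` because the blacklist passes the newline through untouched, while `parseStatus(buildScriptBody([NEWLINE_INPUT], encodeForJsString))` returns `'parses'` and `roundTrip([NEWLINE_INPUT, BACKSLASH_INPUT])` hands back both inputs unchanged as plain strings. Escaping "/" as well means a value can never form `</script>` inside an inline block even if the angle-bracket filter were removed.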

Re: injection after error
Posted by: Albino
Date: January 05, 2011 09:26PM

Does that technique work in some browsers? I tried it in Firefox but the newline seems to break it. As in, Firefox seems to view
var w = '
a';
as being incorrect. This would work fine if the two user inputs were on the same line though.


***a short google later****
It appears to be possible to extend strings over multiple lines by commenting out the newline char, as in:
var w = '\
a';
But unfortunately the newline comes after the closing ' so I don't think this helps here.

Re: injection after error
Posted by: Gareth Heyes
Date: January 06, 2011 04:56AM

This was one of the impossible challenges I set myself; the idea was to try and use comments after a string continuation like :-
x='\
//comment
';

but I couldn't find a way :( not possible I think

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: injection after error
Posted by: Kyo
Date: January 07, 2011 07:51AM

Keep in mind that the source to some JS engines is out in the open, so you can always figure something out from that.

That being said, I've played around with/researched this quite a bit and I don't see any possibility for this to work either.
