Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
16 chars XSS
Posted by: p0deje
Date: January 24, 2011 02:21PM

As subject. No sanitizing, only size limit.

I'm running out of ideas. Do you have any?

---------
http://p0deje.blogspot.com

Re: 16 chars XSS
Posted by: Albino
Date: January 24, 2011 02:28PM

Should be possible. Could you provide a link or make a replica page? Or at least the html line where the injection is.

Re: 16 chars XSS
Posted by: Anonymous User
Date: January 24, 2011 03:03PM

Do you have any second chance injection point? So you could for example make <a/href="data:, work?

Re: 16 chars XSS
Posted by: Gareth Heyes
Date: January 24, 2011 03:07PM

Depends on context...

',eval(name),'

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

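The vector in the reply above, `',eval(name),'`, is 14 characters and works only when the submitted value lands inside a single-quoted JavaScript string in expression position: the quotes close the literal, the comma operator runs `eval(name)`, and `name` is `window.name`, which the attacker sets to a payload of any length by loading the target in a frame or window of that name. The following is an added example, not code from the thread or from the application it discusses: it renders the vector into a constructed vulnerable template and a hardened one, and runs both with a stand-in for the browser (`page` is an assumed object standing in for the document's globals; the target URL is hypothetical). Note that the field p0deje posts later in the thread puts the value into an HTML attribute, not a JavaScript string, so this exact vector does not cover that context.

```javascript
// Added example (not from the thread): the 14-character vector in a
// JS-string context, with window.name as the carrier for the real payload.
const VECTOR = "',eval(name),'";           // 14 chars, fits maxlength="16"

// Constructed vulnerable template: the submitted value is dropped into a
// single-quoted string literal in an assignment, with no escaping.
function renderVulnerable(value) {
  return `page.postal = '${value}';`;
}

// Hardened template: JSON.stringify emits a string literal with quotes,
// backslashes and control characters escaped, so the value cannot close the
// literal; '<' is escaped too in case the script is inline in the HTML.
function renderHardened(value) {
  const literal = JSON.stringify(value).replace(/</g, '\\u003c');
  return `page.postal = ${literal};`;
}

// Stand-in for the browser executing the rendered script. `name` plays the
// role of window.name and `page` of the document's globals; the payload can
// flip page.ran so the caller can see whether attacker code executed.
// A direct eval() inside the generated function sees its parameters, just as
// eval(name) in a real page sees window.name.
function execute(script, windowName) {
  const page = { postal: null, ran: false };
  new Function('name', 'page', script)(windowName, page);
  return page;
}

// Attacker's delivery page (constructed): the frame's name becomes
// window.name inside the target document, so the payload length is never
// subject to the 16-character field. Only VECTOR goes through the field.
function attackerPage(targetUrl, payload) {
  const esc = s => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe name="${esc(payload)}" src="${esc(targetUrl)}"></iframe>`;
}

// Demo: the payload carried in window.name runs against the vulnerable
// template and is inert against the hardened one.
const payload = "page.ran = true; /* any length, lives in window.name */";
console.log(renderVulnerable(VECTOR));                      // page.postal = '',eval(name),'';
console.log(execute(renderVulnerable(VECTOR), payload).ran); // true
console.log(execute(renderHardened(VECTOR), payload).ran);   // false
console.log(attackerPage('https://target.example/form', payload));
```

One caveat worth knowing before relying on this vector: it depends on the literal being in expression position. In a `var x = '...'` initializer the comma starts a second declarator, `eval(name)` is not a valid binding name, and the whole script fails with a syntax error rather than executing.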
Re: 16 chars XSS
Posted by: p0deje
Date: January 25, 2011 01:22AM

Here is the code of the vulnerable input field.
<input type="text" maxlength="16" name="field_country[0][postal_code]" id="edit-field-country-0-postal-code" size="16" value="" class="form-text" />

There is no injection after and the page just renders what you entered.


Re: 16 chars XSS
Posted by: Kyo
Date: January 26, 2011 08:19AM

This may be a stupid question, but does it actually cut off the others on the server side, or is it just the form limiting you? If so, you can just use tamper data to enter more. Or many other ways, I guess.

Re: 16 chars XSS
Posted by: p0deje
Date: January 27, 2011 12:45AM

Yeah I can. Will the victim do it too? :)


Re: 16 chars XSS
Posted by: thornmaker
Date: January 27, 2011 01:54AM

If you give them clear directions and ask nicely.


Re: 16 chars XSS
Posted by: Gareth Heyes
Date: January 27, 2011 04:42AM

LOL I thought that question was too dumb, I was gonna ask it but I thought nah.


Re: 16 chars XSS
Posted by: p0deje
Date: January 27, 2011 07:48AM

So, no ideas at all? Damn, I thought you guys help me...


Re: 16 chars XSS
Posted by: Albino
Date: January 27, 2011 10:46AM

p0deje, normal XSS doesn't rely on the victim typing something onto the HTML page, so client-side restrictions in the HTML like maxlength="16" make no difference.

.mario, I don't understand how <a/href="data: would help if there was a second injection point. Wouldn't all the html crap between the two injection points prevent anything good being encoded in the data:?

Re: 16 chars XSS
Posted by: p0deje
Date: January 27, 2011 12:33PM

@Albino
Come on, didn't you notice the irony in my question about the victim's actions? I thought a smiley would be enough, hah


Re: 16 chars XSS
Posted by: Anonymous User
Date: January 27, 2011 04:50PM

@Albino think <a/href=vbs:/*

Re: 16 chars XSS
Posted by: Kyo
Date: January 28, 2011 05:33AM

I'm confused? Are you, or are you not able to inject longer strings? I don't really see anything ironic or sarcastic about the statement "Yeah I can. Will the victim do it too? :)"

If you can, I recommend you look here:
http://wocares.com/pf3.php

Re: 16 chars XSS
Posted by: Gareth Heyes
Date: January 28, 2011 05:49AM

@Kyo

I think we've wasted enough time on this thread :(


Re: 16 chars XSS
Posted by: p0deje
Date: January 29, 2011 04:49AM

Okay. I posted the code of the vulnerable input. As you see, it has HTML restrictions on the size.

Of course, I can remove the size attribute, but that's not the answer I've been looking for, since trying to force the victim to do it is a bad idea. I've just hoped you guys know some vectors shorter than 16 chars.

@Gareth
Sorry for bothering :(


Re: 16 chars XSS
Posted by: Kyo
Date: January 30, 2011 08:18PM

again, the idea of XSS is not to social engineer people into typing in exploits.

Take a look at the link I posted above. I'll even post it again:

http://wocares.com/pf3.php

Re: 16 chars XSS
Posted by: p0deje
Date: January 31, 2011 12:45AM

@Kyo
Thanks for the link. I hadn't come across it before.
Still, don't think I do not understand the idea of XSS, because I do.

Now, however, social engineering won't help in this situation because, besides the size attribute, a server-side limitation has been added, so even if we remove the size attribute, we'll get a "16 chars max" error.


Re: 16 chars XSS
Posted by: Gareth Heyes
Date: January 31, 2011 06:38AM

@p0deje

We're interested in helping, but you said that if you removed the restrictions in the maxlength attribute then you could inject a longer string, so it was assumed that there are no server-side restrictions on length, therefore the thread is kinda pointless.


Re: 16 chars XSS
Posted by: p0deje
Date: January 31, 2011 08:08AM

@Gareth
There were no server-side restrictions a couple of days ago. Now there are.

I've just understood what you've been trying to explain to me. Sorry, I didn't think about CSRF :(


Re: 16 chars XSS
Posted by: Kyo
Date: January 31, 2011 07:47PM

so what's the actual injection point?

Re: 16 chars XSS
Posted by: p0deje
Date: February 01, 2011 01:24AM

Text field. Input has both client-side size restriction (via maxlength="16" attribute) and server-side size restriction.


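The point the thread converges on is that `maxlength="16"` and `size="16"` are hints to the browser, not controls: an attacker's page submits the form itself (or the request is replayed from a proxy, as Kyo notes), so only a server-side check ever sees a limit, and only output encoding keeps a value that fits the limit from breaking out of `value="..."`. The following is an added example, not code from the thread or from the application it discusses: a constructed server-side handler for the field p0deje posted, rejecting over-length input the way the "16 chars max" error does and attribute-encoding what it renders back, next to the forged submit page that makes the client-side limit irrelevant. Field names are taken from the posted input; the action URL is hypothetical.

```javascript
// Added example (not from the thread): server-side enforcement and output
// encoding for the postal_code field, plus the forged submit that bypasses
// the client-side maxlength.
const MAX_LEN = 16;
const FIELD = 'field_country[0][postal_code]';

// Server-side length check. Counts code points rather than UTF-16 units so
// "16 chars" means 16 characters, and rejects instead of truncating, which is
// what the thread reports the application now does.
function validatePostalCode(raw) {
  if (typeof raw !== 'string') return { ok: false, error: 'missing value' };
  if (Array.from(raw).length > MAX_LEN) {
    return { ok: false, error: `${MAX_LEN} chars max` };
  }
  return { ok: true, value: raw };
}

// Attribute encoding: the value is echoed into value="...", so the
// characters that can end the attribute or the tag must not survive raw.
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Re-renders the posted field with the submitted value, or returns the
// error the way the page would after a failed submit.
function renderField(raw) {
  const result = validatePostalCode(raw);
  if (!result.ok) return { status: 400, body: result.error };
  const html =
    `<input type="text" maxlength="${MAX_LEN}" name="${FIELD}" ` +
    `id="edit-field-country-0-postal-code" size="${MAX_LEN}" ` +
    `value="${encodeAttr(result.value)}" class="form-text" />`;
  return { status: 200, body: html };
}

// Constructed attacker page: a hidden field with no maxlength, submitted by
// script in the victim's browser. The real page's maxlength is never
// consulted, which is why a client-side limit is not a security control.
function forgedSubmitPage(action, fieldValue) {
  return `<form id="f" method="POST" action="${encodeAttr(action)}">` +
    `<input type="hidden" name="${FIELD}" value="${encodeAttr(fieldValue)}">` +
    `</form><script>document.getElementById('f').submit()</script>`;
}

// Demo: a 20-character payload is rejected by the server regardless of how it
// was submitted; a 10-character one fits, but is encoded on the way out.
console.log(renderField('"><script>x</script>'));   // { status: 400, body: '16 chars max' }
console.log(renderField('"><b>x</b>'));             // value="&quot;&gt;&lt;b&gt;x&lt;/b&gt;"
console.log(forgedSubmitPage('https://target.example/node/add', 'x'.repeat(40)));
```

Two details matter if you copy the pattern: measure the limit in the same units on both sides (the browser's `maxlength` counts code points), and treat the length check as a data-validation rule only; the encoding in `encodeAttr` is what actually prevents the injection for values that fit.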