Q and A for any cross site scripting information. Feel free to ask away. 
xss and zero byte chars
Posted by: christ1an
Date: June 25, 2011 09:33AM

Hi,

I'd like to prepare a proof-of-concept for an XSS vulnerability that is based on sending a zero-byte character before the actual malicious code. Without that \0, the application's IPS will refuse the request.

I can't manage to place a zero-byte inside an auto-submitting HTML form. How can I do this?

Thanks!

Regards,
- http://christ1an.blogspot.com

_______________________
php-ids.org (http://php-ids.org) Web Application Security 2.0

Re: xss and zero byte chars
Posted by: christ1an
Date: June 25, 2011 10:31AM

I should mention that the form's enctype must be application/x-www-form-urlencoded, otherwise I can't circumvent the IPS that's running. I just can't get my browser to send out an unencoded zero byte.

Regards,
- http://christ1an.blogspot.com

_______________________
php-ids.org (http://php-ids.org) Web Application Security 2.0

Re: xss and zero byte chars
Posted by: Skyphire
Date: June 26, 2011 09:23PM

multipart/form-data would work unencoded, but if it rejects it, it's not very useful.

There are a bunch of other mimes supported by Mozilla: http://mxr.mozilla.org/mozilla2.0/source/netwerk/mime/nsMimeTypes.h#129

But they probably default to application/x-www-form-urlencoded when you try to post text fields.

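From the defender's side of the thread above, an added example (not code from any poster or from PHP-IDS) of inspecting an application/x-www-form-urlencoded body so that a leading zero byte cannot hide the rest of a value from the filter. The thread does not say why the IPS misses the request; C-string truncation at the first NUL, the `SIGNATURE` pattern and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Hypothetical stand-in for an IPS rule; real rule sets are far larger.
SIGNATURE = re.compile(rb"<\s*script|on\w+\s*=|javascript\s*:", re.IGNORECASE)
# C0 control bytes other than tab, LF and CR do not belong in a text form field.
CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_DECODE_ROUNDS = 3


def naive_inspect(value: bytes) -> bool:
    """Assumed failure mode: the matcher reads the value as a C string and stops at NUL."""
    return bool(SIGNATURE.search(value.split(b"\x00", 1)[0]))


def canonicalize(value: bytes):
    """Percent-decode until stable; report control bytes seen at any decoding layer."""
    value = value.replace(b"+", b" ")  # form encoding: '+' means space (first layer only)
    saw_control = bool(CONTROL.search(value))
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(value)
        if decoded == value:
            break
        value = decoded
        saw_control = saw_control or bool(CONTROL.search(value))
    # Match on the value with control bytes removed, so nothing can split a pattern.
    return CONTROL.sub(b"", value), saw_control


def inspect_body(body: bytes):
    """Return (field, reason) findings for an application/x-www-form-urlencoded body."""
    findings = []
    for pair in body.split(b"&"):
        name, _, raw = pair.partition(b"=")
        clean, saw_control = canonicalize(raw)
        field = unquote_to_bytes(name).decode("latin-1")
        if saw_control:
            findings.append((field, "control-byte"))  # reject on its own merits
        if SIGNATURE.search(clean):
            findings.append((field, "signature"))
    return findings


if __name__ == "__main__":
    # Constructed sample bodies: benign, encoded NUL, double-encoded NUL, raw NUL.
    for body in (b"q=hello+world", b"q=%00%3Cscript%3E",
                 b"q=%2500%253Cscript%253E", b"q=\x00<script>"):
        print(body, inspect_body(body))
```

Treating the control byte as a finding in its own right means the request is refused even when no signature matches the remainder of the value.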