Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
I need help with bypassing a nasty filter.
Posted by: Pi
Date: January 25, 2012 07:06PM

So here is what I'm dealing with:
<input type="hidden" name="object1" id="object1" value="XSSTEST">
So, of course, I need to close the input by adding ">.

<input type="hidden" name="object1" id="object1" value=""><script>prompt(1)</script>"
But my issue is that the filter filters out the (")s and <>s.
The output is:
<input type="hidden" name="object1" id="object1" value="&quot;&gt;TESTXSS">
I've tried HTML

Can anyone give me some insight?

Edit: I've already tried encoding it with the following: URL, Hex, Unicode, Named, Decimal, Hex, and XML escaped.



Edited 1 time(s). Last edit at 01/25/2012 07:08PM by Pi.

Re: I need help with bypassing a nasty filter.
Posted by: Albino
Date: January 26, 2012 02:27AM

You don't need the > there (e.g. you could use test"onfocus=alert(1) autofocus), but if you can't find any way to inject " you're out of luck.

-------------------------------------------------------
Research blog

Re: I need help with bypassing a nasty filter.
Posted by: Anonymous User
Date: January 26, 2012 08:38AM

Actually, I'm nearly positive that the hidden input type can't take focus, so onfocus wouldn't work.

You would need to use something else like "style=width:expression etc. (though it only works up to IE7, I believe).

Of course, again as Albino said, you would still need to be able to inject a double quote.

Without that double quote, you have no closing delimiter, and can't end the current attribute.

Re: I need help with bypassing a nasty filter.
Posted by: Albino
Date: January 26, 2012 12:02PM

./D Wrote:
-------------------------------------------------------
> Actually, I'm nearly positive that the hidden
> input type can't take focus, so onfocus wouldn't
> work.

Confirmed, my mistake. It feels like there should still be a way to exploit this without much/any user interaction, but I can't see how.

-------------------------------------------------------
Research blog

Re: I need help with bypassing a nasty filter.
Posted by: Gareth Heyes
Date: January 26, 2012 03:18PM

Iframe the target site with the parent in compat mode, then inject this:
"style="xss:\65\78\70\72\65\73\73\69\6f\6e\28\61\6c\65\72\74\28\31\29\29"

This will work on IE9 since the child inherits the parent's compat mode.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/26/2012 03:19PM by Gareth Heyes.
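The filter Pi ran into is doing what attribute-context output encoding should do: every payload in this thread, including Gareth's hex-escaped expression, still needs a raw " to leave the value attribute. As an added example that is not code from the thread, here is that encoding in Node.js, with a hypothetical keyword-blacklist filter for contrast and a small check that the rendered tag still carries only the four attributes the template wrote. The function names, the weak filter and the check are my constructions.

```javascript
// Added example, not code from the thread: attribute-context output
// encoding (the defence that produced Pi's &quot;&gt; output), checked
// against the payloads discussed above. Plain Node.js, no dependencies.

// Encode a value for a double-quoted HTML attribute. Every character
// outside [A-Za-z0-9] becomes an entity, so the output can never contain
// the raw '"' that each of the injections above depends on.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    switch (ch) {
      case '&': return '&amp;';
      case '<': return '&lt;';
      case '>': return '&gt;';
      case '"': return '&quot;';
      case "'": return '&#x27;';
      default: return '&#x' + ch.charCodeAt(0).toString(16) + ';';
    }
  });
}

// The hidden input from the thread, rendered with the encoder above.
function renderHiddenInput(value) {
  return '<input type="hidden" name="object1" id="object1" value="' +
    encodeForHtmlAttribute(value) + '">';
}

// For contrast: a keyword blacklist that strips <script> tags but leaves
// the quote character alone (a hypothetical weak filter, constructed here).
function renderHiddenInputWeak(value) {
  const stripped = String(value).replace(/<\/?script>/gi, '');
  return '<input type="hidden" name="object1" id="object1" value="' +
    stripped + '">';
}

// Count attributes up to the first '>', roughly as a browser tokenizer does.
function attributeCount(tag) {
  const inner = tag.slice(tag.indexOf(' ') + 1, tag.indexOf('>'));
  const attr = /[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  return (inner.match(attr) || []).length;
}

// A rendering is intact when the tag ends at its first '>' and carries only
// the four attributes the template wrote (type, name, id, value).
function isIntact(tag) {
  return tag.indexOf('>') === tag.length - 1 && attributeCount(tag) === 4;
}
```

Run the three payloads from the thread through both renderers: the encoded tag stays intact every time, while the blacklist version gains extra attributes or ends early.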
