XSS double quotes filter bypass
Posted by: Pr3nK
Date: March 11, 2012 09:17PM

Hi guys, is there any method which lets you bypass double quotes being encoded to \" in order to close the value tags? I don't need the String.fromCharCode() function, and there isn't any variable which saves the searched value...
The code looks like:
<input type="text" name="search" value="&quot;><script>alert(1)</script>">
Any help please?

Re: XSS double quotes filter bypass
Posted by: Albino
Date: March 12, 2012 06:22AM

Try it with and without url-encoding the ". (eg try in firefox and IE). If neither of those work, I don't think it is exploitable; see http://shazzer.co.uk/database/All/Characters-that-close-a-quote?

-------------------------------------------------------
Research blog

Re: XSS double quotes filter bypass
Posted by: Anonymous User
Date: March 12, 2012 09:02AM

Have you tried injecting into the name side of the pair? I find that often the name side is left unfiltered by forgetful programmers.

You may also want to try double URLencoding.

Re: XSS double quotes filter bypass
Posted by: Gareth Heyes
Date: March 12, 2012 01:47PM

You might want to try repeated quotes or higher repeated characters that end with the same hex value. Also, depending on the browser, different charsets too if not served with a UTF-8 charset.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: XSS double quotes filter bypass
Posted by: Pr3nK
Date: March 13, 2012 08:33PM

Gareth Heyes Wrote:
-------------------------------------------------------
> You might want to try repeated quotes or higher
> repeated characters that end with the same hex
> value. Also depending on the browser different
> charsets too if not served with a UTF-8 charset.

Can I have an example? I'm not sure I understand it at all.

Re: XSS double quotes filter bypass
Posted by: Gareth Heyes
Date: March 14, 2012 04:19AM

Just repeated quotes like """""""><script>alert(1)</script> in case the regex is not in global mode. Then for charset-based attacks try using cp-based charsets in older versions of IE, UTF-7 etc.:

[hackvertor.co.uk]

Experiment: I think Opera still allows charset inheritance from a parent iframe, so that might be a good area to research.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

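Added example (not code from the thread or any poster) showing why the "regex not in global mode" case above fails and what a correct attribute encoder looks like. The filter, encoder, template and probe string below are all constructed for illustration.

```javascript
// Constructed filter of the kind the thread suspects: a regex WITHOUT the /g
// flag replaces only the FIRST double quote, so every later quote survives.
function escapeFirstQuoteOnly(value) {
  return String(value).replace(/"/, '&quot;');
}

// Hardened encoder: global regex, and every character that can terminate or
// alter an HTML attribute value is converted to an entity.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The search box from the first post, rendered with a chosen encoder.
function renderSearchInput(value, encoder) {
  return '<input type="text" name="search" value="' + encoder(value) + '">';
}

// Defensive check for this fixed template: a correctly rendered tag contains
// exactly six literal double quotes (three attributes, two quotes each).
// Any other count means the user value broke out of the value attribute.
function attributeBrokenOut(markup) {
  const quotes = (markup.match(/"/g) || []).length;
  return quotes !== 6;
}

// Constructed probe: two leading quotes, as in the repeated-quote idea above.
const probe = '""><script>alert(1)</script>';
console.log(attributeBrokenOut(renderSearchInput(probe, escapeFirstQuoteOnly)));   // true
console.log(attributeBrokenOut(renderSearchInput(probe, encodeForHtmlAttribute))); // false
```

The first-quote-only filter lets the second quote close the attribute; the global entity encoder keeps the whole value inside it.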