Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Bypassing Chrome XSS filter + Apache mod_security?
Posted by: serpentine85
Date: April 02, 2012 09:35PM

The site I found an XSS on appears to be using mod_security. Anything with "<script" or "< script" in the URL returns a 403 page. Googling around shows that there are numerous possible workarounds to the filter; however, I'm not sure how I can combine it with bypassing Chrome's filter.

<svg><script>//&#x0A;alert(1)</script> works with Chrome (due to a current bug in Chrome's XSS filter), but not mod_security, due to mod_security not allowing <script.

<img src="x:blah" onerror="alert(1)"> seems to bypass mod_security, but Chrome strips onerror and all other on attributes.

Both these filters are definitely vulnerable, but I don't know how to make something that'll bypass both.

I control the attribute of an <a onclick="">, and there's no escaping or filtering done by the web app itself. So "> does break me out. I only control that one variable though.

Any ideas?

Thanks.



Edited 1 time(s). Last edit at 04/02/2012 09:35PM by serpentine85.

Re: Bypassing Chrome XSS filter + Apache mod_security?
Posted by: Albino
Date: April 03, 2012 03:27AM

Could you inject alert(1)" style="position:absolute;top:0px;left:0px;right:0px;bottom:0px

to make a link that executes JS on a click and covers the entire screen?

-------------------------------------------------------
Research blog

Re: Bypassing Chrome XSS filter + Apache mod_security?
Posted by: serpentine85
Date: April 04, 2012 01:59AM

This does work, but I was kind of hoping for it to auto-execute upon page load.

Re: Bypassing Chrome XSS filter + Apache mod_security?
Posted by: PaPPy
Date: April 05, 2012 04:13PM

Is onmouseover restricted?
If not, use the same style so that anywhere on screen they move the mouse, it will cause the XSS to run.

http://www.xssed.com/archive/author=PaPPy/

Re: Bypassing Chrome XSS filter + Apache mod_security?
Posted by: serpentine85
Date: April 05, 2012 05:19PM

Chrome's XSS filter seems to filter all "on" attributes, including "onload" "onerror" "onmouseover" etc.

However, there is a current bug in Chrome's filter that allows the injection of only <script> tags in combination with some comments. And yet Apache mod_security seems to ONLY filter <script> tags in the URL, while not doing much about filtering attributes. mod_security blocks < script, < sCrIpT, and all derivations of that.

Odds are there's no way to slip in a "<script" past mod_security, and unless I find a new unpatched exploit with Chrome's filter (and I fiddled around with various things for a while, but all the bugs are found within <script> tag parsing and nothing else), this is probably gonna be impossible.

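A defender's view of the injection point discussed in this thread, added here as example code that is not from the thread or any poster: the durable fix is for the application to encode the value for its actual context (a JavaScript string inside an HTML event-handler attribute) rather than relying on mod_security or Chrome's XSS filter to catch `<script` or `on*` attributes. The `<a onclick="track('...')">` template and the `track()` handler are assumed; the test inputs are the payloads quoted above in the thread.

```python
import html
import re

def js_string_escape(value: str) -> str:
    # Emit every character outside [A-Za-z0-9] as \xHH (or \uHHHH above
    # U+00FF) so quotes, angle brackets, slashes and newlines can never
    # terminate the JS string literal or the enclosing attribute.
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)

PREFIX = "<a onclick=\"track('"   # assumed template; track() is hypothetical
SUFFIX = "')\">link</a>"

def render_link(untrusted: str) -> str:
    # Encode for the innermost context first (JS string), then for the
    # outer one (HTML attribute). Reversing the order would let an HTML
    # entity decode back into a live quote before the JS engine sees it.
    js_safe = js_string_escape(untrusted)
    attr_safe = html.escape(js_safe, quote=True)
    return PREFIX + attr_safe + SUFFIX

# Payloads quoted in the thread, reused here as constructed test inputs.
THREAD_PAYLOADS = [
    '"><svg><script>//&#x0A;alert(1)</script>',
    '"><img src="x:blah" onerror="alert(1)">',
    'alert(1)" style="position:absolute;top:0px;left:0px;right:0px;bottom:0px',
]

def stays_in_context(untrusted: str) -> bool:
    # True when the encoded value contains nothing that could close the
    # attribute (" < >) or the JS string (' or a bare backslash).
    inner = render_link(untrusted)[len(PREFIX):-len(SUFFIX)]
    return re.fullmatch(r"(?:[A-Za-z0-9]|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})*", inner) is not None

if __name__ == "__main__":
    for p in THREAD_PAYLOADS:
        print(stays_in_context(p), render_link(p))
```

Note that a value encoded this way still reaches the handler as data, not markup, so neither of the two filters in the thread is needed to keep the handler intact.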