ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
Evading some input filters (of ' and ") in Firefox
Posted by: Gryphus
Date: September 12, 2012 03:36AM


Testing an application that had filtered the quotes ' and ", but not < and >, I found that in Firefox you can close the <script> section from a variable enclosed by quotes '' or double quotes "".

For example, if you have:

<script type="text/javascript">
var injectable ='p1injectable';

Imagine that it is not possible to inject a quote because it is filtered, but the characters < and > are not filtered in any way; then you can inject the following:


having something like this:

<script type="text/javascript">
var injectable ='p1</script><script>alert(1)</script>';

In this case, Firefox closes the first <script>, and then it executes the alert. I tested it on Firefox 15. In Chrome this does not work and I didn't test it on IE.
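Added example, not part of the original post: the HTML parser finds the end of a script element before any JavaScript is parsed, so a `</script>` inside a string literal still ends the block and a quote-only filter does not help. The code below compares that filter with a contextual encoder for inline-script string values; all function names are hypothetical and the input is the constructed payload from the post.

```javascript
// Added example; function names are hypothetical, not from any library.

// The weak filter the post describes: quotes removed, < and > untouched.
function quoteOnlyFilter(s) {
  return String(s).replace(/['"]/g, "");
}

// Encoder for a value placed inside a quoted JS string literal in an
// inline <script> block. Every character that matters to the JS string
// or to the HTML tokenizer is emitted as a \uXXXX escape instead.
function encodeForInlineScriptString(s) {
  return String(s).replace(/[<>&'"\\\/\r\n\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Simplified model of HTML tokenization inside a script element: the
// element ends at the first "</script" followed by whitespace, "/" or
// ">", with no regard for JavaScript quoting.
function scriptBodySeenByHtmlParser(html) {
  const open = html.indexOf(">", html.search(/<script\b/i)) + 1;
  const rest = html.slice(open);
  const end = rest.search(/<\/script[\s\/>]/i);
  return end === -1 ? rest : rest.slice(0, end);
}

// Server-side template from the post, with the value already filtered.
function render(value) {
  return '<script type="text/javascript">\n' +
         "var injectable ='p1" + value + "';\n</script>";
}

// Constructed input, taken from the page's own example.
const input = "</script><script>alert(1)</script>";

const weakPage = render(quoteOnlyFilter(input));
const safePage = render(encodeForInlineScriptString(input));

// Weak filter: the first script body is cut off mid-statement, and the
// remainder of the page is parsed as new markup.
console.log(JSON.stringify(scriptBodySeenByHtmlParser(weakPage)));
// Encoder: the whole assignment stays inside one script element.
console.log(JSON.stringify(scriptBodySeenByHtmlParser(safePage)));
```

The escaped value decodes back to the original characters when the JavaScript string is evaluated, so the application still sees the same data.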


