Q and A for any cross site scripting information. Feel free to ask away. 
Evading some input filters (of ' and ") in Firefox
Posted by: Gryphus
Date: September 12, 2012 03:36AM

Hi!

Testing an application that had filtered the quotes ' and ", but not < and >, I found that in Firefox you can close the <script> section from a variable enclosed by quotes '' or double quotes "".

For example, if you have:

<script type="text/javascript">
var injectable ='p1injectable';
</script>

Imagine that it is not possible to inject a quote because it is filtered, but the characters < and > are not filtered in any way; then you can inject the following:

p1</script><script>alert(1)</script>

having something like this:

<script type="text/javascript">
var injectable ='p1</script><script>alert(1)</script>';
</script>

In this case, Firefox closes the first <script>, and then it executes the alert. I tested it on Firefox 15. In Chrome this does not work and I didn't test it on IE.

Regards!

Mario
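
A defensive illustration of the behaviour described in this post, added here and not part of the original thread: the HTML parser ends a script element at the first </script end tag regardless of JavaScript string quoting, so filtering ' and " alone does not keep a value inside the string literal. The function names are hypothetical and the sample input is the string from the post.

```javascript
// Added example; quoteOnlyFilter, scriptBlockEndsEarly and
// toInlineScriptLiteral are hypothetical names, not from any library.

// The filter described in the post: removes ' and " but leaves < and > alone.
function quoteOnlyFilter(value) {
  return value.replace(/['"]/g, "");
}

// Approximates the HTML tokenizer rule for script content: the element ends
// at the first "</script" followed by whitespace, "/" or ">", whatever the
// JavaScript string state is at that point.
function scriptBlockEndsEarly(scriptBody) {
  return /<\/script[\t\n\f\r \/>]/i.test(scriptBody);
}

// Hardened encoder: emit a JS string literal in which every character the
// HTML parser could act on (<, >, &) is written as a \uXXXX escape.
// U+2028 and U+2029 are escaped too, since older JS engines treat them as
// line terminators inside string literals.
function toInlineScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Sample input: the string from the post.
const sample = "p1</script><script>alert(1)</script>";

// Script body as built by the application in the post (quote filter only).
const weakBody = "var injectable ='" + quoteOnlyFilter(sample) + "';";

// Script body built with the hardened encoder.
const safeBody = "var injectable = " + toInlineScriptLiteral(sample) + ";";

console.log("quote filter only, block ends early:", scriptBlockEndsEarly(weakBody));
console.log("hardened encoder, block ends early: ", scriptBlockEndsEarly(safeBody));
console.log(safeBody);
```

The escaped literal still evaluates to the original string at run time, so the application sees the same value while the HTML parser never sees a tag.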
