Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
filter evasion
Posted by: raif
Date: September 24, 2006 06:58PM

I'm helping a buddy of mine secure his site against XSS, SQL injection, etc., since it actually helps provide part of his livelihood. He wrote a filter for a couple of pages to filter out HTML tags in attributes for the URL string and such.

Long story short, I have just about figured out how to get around his efforts. He has a search text box on his site, and when the search results are displayed it redisplays the search text in another text input. The code looks like this:

<input name="search" type="text" id="search" size="50" value="search text">

I tried to simply escape the value parameter, which works, but he filters out the damn equal sign (=)! So when I try onMouseOver="..." I get onMouseOver"..."

I've tried encoding the equal sign many different ways and nothing seems to work. I feel like I'm so close!

Re: filter evasion
Posted by: Kyran
Date: September 24, 2006 07:02PM

Ouch. Filtering the = sign? I'd want to see the site to understand the filtering better. Don't worry. I'll be nice.

- Kyran

Re: filter evasion
Posted by: WhiteAcid
Date: September 24, 2006 07:02PM

I may sound stupid here but did you check " and > ?

Obviously if he'd give the filtering code that'd be awesome.

Oh... if he's using PHP then $str = htmlentities($str,ENT_QUOTES); should do the trick. Also ideally use the charset ISO-8859-1.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: filter evasion
Posted by: rsnake
Date: September 24, 2006 09:21PM

If you can escape out of the quotes and potentially put text elsewhere on the page you can do something like: " a='

And then if you can put in quotes elsewhere on the page you can enter something like: ' onmouseover=alert("XSS")

But not having equals severely limits your ability to inject HTML. But if you can put in an end angle bracket, as WhiteAcid said, you don't need an equals sign.

- RSnake
Gotta love it. http://ha.ckers.org

Re: filter evasion
Posted by: Kyran
Date: September 24, 2006 09:35PM

But that brings up another issue: how can it be turned into a viable exploit if there is no equals sign, other than an alert?

- Kyran

Re: filter evasion
Posted by: rsnake
Date: September 24, 2006 10:01PM

Via something like <script>eval(String.fromCharCode(...))</script>

- RSnake
Gotta love it. http://ha.ckers.org

Re: filter evasion
Posted by: Kyran
Date: September 24, 2006 10:19PM

Oh my. But that may make an extremely large URI.

- Kyran

Re: filter evasion
Posted by: WhiteAcid
Date: September 25, 2006 03:58AM

Aah the magic of tinyurl :)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: filter evasion
Posted by: kirke
Date: September 25, 2006 05:22AM

End of the story:
if you get alert() to work somehow, then you control the browser (see rsnake's eval example).

Re: filter evasion
Posted by: raif
Date: September 25, 2006 07:05AM

Well, sorry to put an end to the party here, but he filters out < and > so it doesn't appear to me that I'll be able to exploit this part of the page. If only he hadn't gotten rid of the = sign.

Re: filter evasion
Posted by: rsnake
Date: September 25, 2006 12:15PM

Does he get rid of it in all contexts or just being surrounded by text? I mean is it regex that's like /[a-z]=//gi or is it /=//gi ?

- RSnake
Gotta love it. http://ha.ckers.org

Re: filter evasion
Date: September 25, 2006 09:05PM

Quote:

> Oh... if he's using PHP then $str = htmlentities($str,ENT_QUOTES); should do the trick. Also ideally use the charset ISO-8859-1.

Not necessarily. It is possible to trick htmlentities with the variable width attacks RSnake's talked about. He also has to make sure (via iconv()) that the string is well-formed UTF-8. Bonus points if he gets rid of non-SGML codepoints.

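The two defensive points made in this thread, WhiteAcid's "encode with ENT_QUOTES" and the later reply's "make sure the string is well-formed UTF-8 first", are easy to get wrong when implemented as a blacklist like the one raif describes (stripping =, < and >). The block below is an added example, not code from the thread or from the site being discussed, written in Python rather than PHP; html.escape(quote=True) plays the role of htmlentities($str, ENT_QUOTES, 'UTF-8'), strict bytes.decode('utf-8') plays the role of the iconv() well-formedness check, and the sample inputs are constructed here. It shows side by side what the blacklist leaves behind in the value attribute and what context-aware encoding produces, plus a simple check a reviewer can run over rendered output.

```python
import html

# ---- the approach described in the original post (kept only to show its gap) ----
def blacklist_filter(value: str) -> str:
    """Strip '=', '<' and '>' from the input, as the thread says the site does.
    Note that '"' is not touched, so a value can still end the attribute."""
    return value.replace('=', '').replace('<', '').replace('>', '')


# ---- the approach recommended in the thread: validate encoding, then encode ----
def strip_disallowed_controls(text: str) -> str:
    """Drop C0 control characters other than tab/LF/CR (and DEL), i.e. the
    code points HTML/SGML does not allow in document text; this is the
    'non-SGML codepoints' hardening the last reply mentions as a bonus."""
    return ''.join(
        ch for ch in text
        if (ord(ch) >= 0x20 and ord(ch) != 0x7F) or ch in ('\t', '\n', '\r')
    )


def attribute_safe(raw: bytes) -> str:
    """Prepare a byte string for use inside a double-quoted HTML attribute.

    1. Decode strictly as UTF-8. A truncated or overlong multibyte sequence
       raises UnicodeDecodeError here instead of reaching the browser, where
       a lone lead byte could otherwise swallow the closing quote.
    2. Encode &, <, >, " and ' as character references (what
       htmlentities(..., ENT_QUOTES, 'UTF-8') does in PHP).
    """
    text = raw.decode('utf-8')          # strict by default; raises on malformed input
    text = strip_disallowed_controls(text)
    return html.escape(text, quote=True)


def render_search_input(raw: bytes) -> str:
    """Render the exact <input> element quoted in the thread with a safe value."""
    return (
        '<input name="search" type="text" id="search" size="50" '
        f'value="{attribute_safe(raw)}">'
    )


def value_stays_in_attribute(encoded_value: str) -> bool:
    """Review check: an encoded attribute value must contain no raw quote or
    angle bracket, since any of them would let the value leave its context."""
    return not any(ch in encoded_value for ch in '"\'<>')


# Constructed samples, not taken from the thread.
SAMPLES = {
    'plain':     b'running shoes size 10',
    'breakout':  b'" onmouseover="alert(1)',   # the attribute-breakout shape raif describes
    'entities':  b'Tom & Jerry <3',
    'truncated': 'caf\u00e9'.encode('utf-8')[:-1],  # UTF-8 cut mid-sequence: b'caf\xc3'
}


def compare_filters(raw: bytes) -> dict:
    """Return what each approach produces for one input, or the error it raises."""
    result = {'blacklist': blacklist_filter(raw.decode('utf-8', errors='replace'))}
    try:
        result['encoded'] = attribute_safe(raw)
    except UnicodeDecodeError as exc:
        result['encoded'] = f'rejected: {exc.reason}'
    return result


if __name__ == '__main__':
    for name, raw in SAMPLES.items():
        out = compare_filters(raw)
        print(f'{name:10} blacklist={out["blacklist"]!r:32} encoded={out["encoded"]!r}')
```

Running it shows the contrast the thread circles around: the blacklist turns the breakout sample into `" onmouseover"alert(1)`, exactly the `onMouseOver"..."` raif observed, and that string still closes the attribute because the quote survives; the encoding path turns the same input into `&quot; onmouseover=&quot;alert(1)`, which stays inside the value, and it refuses the truncated UTF-8 sample outright rather than letting a dangling lead byte reach the page.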