WebApp Sec mailing list archives
XSS - Double Quote break out and White Space filtered
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Thu, 28 May 2009 11:43:23 +0530
Hey Guys,

We're trying to understand XSS Regex and evasion techniques better. We're stuck at 2 variations though.

Problem 1: Here's what is allowed: ( ) : ; & Everything else is filtered or replaced. The HTML looks like this:

<input type=text name=p1 size=50 value=>

Note that the value isn't enclosed by quotes, which means I can break out of it with a space with the event handling technique. However, the problem again is that spaces are also caught and replaced with a blank. The same is true of " as well. The < and > are filtered as well, which means we can't start a new tag either. So we're stuck. Now AFAIK these are the only ways to bypass a filter:
a) Add another attribute to the Input tag
b) Break out of the Input tag and add your own scripts
c) Put in something in the value= which natively acts as a script (I'm not sure what)
Is there anything else? How all can you perform XSS with < > " ' (whitespace with all variants) all blocked off using any of the 3 above methods?

Problem 2: Everything in Problem 1 is blocked off, including & as well. The input into a text box goes between " " this time though. So if I type "abc" it goes between the double quotes. This input is again used by a document.write(" ") between <script> </script> tags later in the page. So if I write abc in an input box, it's echoed in 2 places:
a) In the text box itself
b) In the document.write(" ") call later on the page.
Effectively this means everything is treated as text in both places - this includes scripts, javascript: function pointer tricks, everything. Remember I can't break out again due to the " becoming &quot; and < > becoming &lt; &gt;. So how do you do this?

All inputs/feedback are welcome. Please let me know if further inputs are needed.

Thanks
Arvind
Current thread:
- XSS - Double Quote break out and White Space filtered arvind doraiswamy (May 28)
- RE: XSS - Double Quote break out and White Space filtered PortSwigger (May 28)
- Re: XSS - Double Quote break out and White Space filtered arvind doraiswamy (May 28)
- RE: XSS - Double Quote break out and White Space filtered Jeff Williams (May 28)
- Re: XSS - Double Quote break out and White Space filtered arvind doraiswamy (May 28)
- Re: XSS - Double Quote break out and White Space filtered Florian Weimer (May 31)
- Re: XSS - Double Quote break out and White Space filtered arvind doraiswamy (May 31)
- Re: XSS - Double Quote break out and White Space filtered Florian Weimer (May 31)
- Re: XSS - Double Quote break out and White Space filtered arvind doraiswamy (Jun 02)
- Message not available
- Re: XSS - Double Quote break out and White Space filtered arvind doraiswamy (Jun 08)
- Re: XSS - Double Quote break out and White Space filtered Marc-André Laverdière (Jun 08)
- Re: XSS - Double Quote break out and White Space filtered arvind doraiswamy (May 31)
- RE: XSS - Double Quote break out and White Space filtered PortSwigger (May 28)