Web Application Security

XSS - Double Quote break out and White Space filtered
May 28 2009 06:13AM, arvind doraiswamy (arvind doraiswamy gmail com) (2 replies)

Re: XSS - Double Quote break out and White Space filtered
May 29 2009 06:42PM, Florian Weimer (fw deneb enyo de)

the same way as quotes. So you may be able to use something like:
``onclick=alert(1)
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of arvind doraiswamy
Sent: 28 May 2009 07:13
To: webappsec (at) securityfocus (dot) com
Subject: XSS - Double Quote break out and White Space filtered
Hey Guys,
We're trying to understand XSS Regex and evasion techniques better.
We're stuck at 2 variations though.
Problem 1:
Here's what is allowed:
( ) : ; &
Everything else is filtered or replaced. The HTML looks like this:
<input type=text name=p1 size=50 value=>
Note that the value isn't enclosed by quotes which means I can break
out of it with a space with the event handling technique. However the
problem again is that spaces are also caught and replaced with a
blank. The same is true of " as well. The < and > are filtered as well
which means we can't start a new tag either. So we're stuck. Now AFAIK
these are the only ways to bypass a filter:
a) Add another attribute to the Input tag
b) Break out of the Input tag and add your own scripts
c) Put in something in the value= which natively acts as a script (I'm
not sure what)
Is there anything else? How all can you perform XSS with < > " '
(whitespace with all variants) all blocked off using any of the 3
above methods?
Problem 2:
Everything in Problem 1 is blocked off including & as well. The input
into a text box goes between " " this time though. So if I type "abc"
it goes between the double quotes. This input is again used by a
document.write(" ") between <script> </script> tags later in the page.
So if I write abc in an input box, it's echoed in 2 places - a) In the
text box itself b) In the document.write(" ") call later on the
page. Effectively this means everything is treated as text in both
places - this includes scripts, javascript: function pointer tricks
everything. Remember I can't break out again due to the " becoming
&quot; and < > becoming &lt; &gt;. So how do you do this?
All inputs/feedback are welcome. Please let me know if further inputs
are needed.
Thanks
Arvind
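An added example, not code from the thread, showing the defence that the filters in both problems are approximating: quote the attribute and encode each sink for its own context (HTML attribute for Problem 1, JavaScript string inside document.write for Problem 2) instead of stripping characters. The function names and the sample input are the example's own.

```javascript
// Added example (not code from the thread): context-aware output encoding for
// the two sinks in the post, the unquoted value= attribute of Problem 1 and the
// document.write("...") string inside <script> of Problem 2. Instead of
// blocklisting characters, the attribute is always quoted and each sink gets
// an encoder for its own context. Function names are the example's own.

// HTML attribute context: entity-encode every character that could end a quoted
// value or be interpreted by the HTML parser (numeric entities, always safe).
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[&<>"'`=\/]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// JavaScript string context: \uXXXX-escape everything outside [A-Za-z0-9].
// This also covers < and > so the HTML parser never sees a tag (such as a
// closing script tag) inside the script block, and the U+2028/U+2029 line
// terminators that a JS string literal must not contain unescaped.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).padStart(4, '0');
    return '\\u' + hex;
  });
}

// Render the two fragments described in the post, each encoded for its context.
function renderPage(userInput) {
  const attr = encodeForHtmlAttribute(userInput);
  const js = encodeForJsString(userInput);
  return (
    '<input type="text" name="p1" size="50" value="' + attr + '">\n' +
    '<script>document.write("' + js + '");</script>'
  );
}

// Constructed sample input covering each character class the post mentions:
// a double quote, whitespace, a backtick, angle brackets and an ampersand.
const sample = 'abc" `</script>&x';
console.log(renderPage(sample));
```

The rendered output keeps the browser's own delimiters (the attribute quotes, the script block) as the only structural characters; whatever the user typed survives only as data in both places.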