Web Application Security (webappsec) mailing list thread:

  XSS - Double Quote break out and White Space filtered, May 28 2009 06:13AM, arvind doraiswamy (arvind doraiswamy gmail com) (2 replies)
  Re: XSS - Double Quote break out and White Space filtered, May 29 2009 06:42PM, Florian Weimer (fw deneb enyo de)
  RE: XSS - Double Quote break out and White Space filtered, May 28 2009 09:00AM, PortSwigger (mail portswigger net) (1 replies)
  Re: XSS - Double Quote break out and White Space filtered, May 28 2009 02:46PM, arvind doraiswamy (arvind doraiswamy gmail com) (1 replies)

will terminate an attribute, like %00, %08, CR, LF, VT, space, tab, etc...
I think you're out of luck on problem 2. You *can* break out of a quoted
string inside javascript without the corresponding quote by "injecting up"
and closing the entire script block with </script>. Unfortunately for you
that won't work because you can't generate a tag.
See the OWASP XSS Prevention Cheatsheet for some more background on what
characters do what where.
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
--Jeff
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of arvind doraiswamy
> Sent: Thursday, May 28, 2009 10:46 AM
> To: PortSwigger
> Cc: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: Re: XSS - Double Quote break out and White Space filtered
>
> This worked a treat, thanks. What does this mean though? So if I take
> an example:
>
> <input type=text name=p1 size=50 value=>
>
> Now say I type ``onclick=alert(1) inside the text box, this becomes:
>
> <input type=text name=p1 size=50 value=``onclick=alert(1)>
>
> Does this mean I'm saying - The value is Null (no value between the
> backticks) followed by the event handler?
>
> Also any ideas about Problem 2? How do you break out of something
> enclosed in double quotes with the same character escapes as Problem
> 1?
>
> Thanks
> Arvind
>
> On Thu, May 28, 2009 at 2:30 PM, PortSwigger <mail (at) portswigger (dot) net [email concealed]>
> wrote:
> > Have you checked whether backticks are allowed? IE interprets backticks in
> > the same way as quotes. So you may be able to use something like:
> >
> > ``onclick=alert(1)
> >
> >
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com [email concealed]
> > [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
> > Behalf Of arvind doraiswamy
> > Sent: 28 May 2009 07:13
> > To: webappsec (at) securityfocus (dot) com [email concealed]
> > Subject: XSS - Double Quote break out and White Space filtered
> >
> > Hey Guys,
> > We're trying to understand XSS Regex and evasion techniques better.
> > We're stuck at 2 variations though.
> >
> > Problem 1:
> > Here's what is allowed:
> >
> > ( ) : ; &
> >
> > Everything else is filtered or replaced. The HTML looks like this:
> > <input type=text name=p1 size=50 value=>
> >
> > Note that the value isn't enclosed by quotes which means I can break
> > out of it with a space with the event handling technique. However the
> > problem again is that spaces are also caught and replaced with a
> > blank. The same is true of " as well. The < and > are filtered as well
> > which means we can't start a new tag either. So we're stuck. Now AFAIK
> > these are the only ways to bypass a filter:
> >
> > a) Add another attribute to the Input tag
> > b) Break out of the Input tag and add your own scripts
> > c) Put in something in the value= which natively acts as a script (I'm
> > not sure what)
> >
> > Is there anything else? How all can you perform XSS with < > " '
> > (whitespace with all variants) all blocked off using any of the 3
> > above methods?
> >
> > Problem 2:
> > Everything in Problem 1 is blocked off including & as well. The input
> > into a text box goes between " " this time though. So if I type "abc"
> > it goes between the double quotes. This input is again used by a
> > document.write(" ") between <script> </script> tags later in the page.
> > So if I write abc in an input box, it's echoed in 2 places - a) In the
> > text box itself b) In the document.write(" ") call later on the
> > page. Effectively this means everything is treated as text in both
> > places - this includes scripts, javascript: function pointer tricks,
> > everything. Remember I can't break out again due to the " becoming
> > &quot; and < > becoming &lt; &gt;. So how do you do this?
> >
> > All inputs/feedback are welcome. Please let me know if further inputs
> > are needed.
> >
> > Thanks
> > Arvind
> >
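The thread's two problems are both symptoms of blacklist filtering applied to an output context it does not understand: an unquoted attribute value stays open to whatever the browser treats as a terminator (backticks on IE, or the NUL, CR, LF, VT, space and tab characters Jeff lists), and a JavaScript string inside a script block can only be closed from the HTML side if `</script>` survives. The defensive answer from the OWASP cheat sheet cited above is to always quote attributes and to use a whitelist encoder per context, so no terminator can survive regardless of which browser quirk is in play. The following is an added example, not code from the thread or from any of its posters; the Problem 1 template and its filter are reconstructed from Arvind's description and are assumptions, as are the function names.

```python
import string

# Characters an encoder may emit unchanged (assumption, following the OWASP
# cheat sheet rule: ASCII letters and digits only, everything else encoded).
_SAFE = set(string.ascii_letters + string.digits)


def naive_filter(value: str) -> str:
    """Assumed reconstruction of the thread's Problem 1 blacklist: drop space,
    both quote characters and angle brackets, keep everything else as-is."""
    for ch in " \"'<>":
        value = value.replace(ch, "")
    return value


def attr_encode(value: str) -> str:
    """HTML attribute encoding: every character outside [A-Za-z0-9] becomes
    &#xHH;, so no attribute terminator (quote, backtick, space, NUL, CR, LF,
    VT, tab) reaches the browser in raw form, whatever it treats as one."""
    return "".join(c if c in _SAFE else f"&#x{ord(c):02X};" for c in value)


def js_string_encode(value: str) -> str:
    """JavaScript string-literal encoding: \\xHH for code points below 0x100,
    \\uHHHH above. Quotes, backslash, '<' and '/' are encoded as well, so the
    sequence </script> cannot be assembled inside the literal."""
    out = []
    for c in value:
        if c in _SAFE:
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def render_unquoted_naive(value: str) -> str:
    """The thread's Problem 1 template as described: unquoted value, blacklist only."""
    return f"<input type=text name=p1 size=50 value={naive_filter(value)}>"


def render_attr_safe(value: str) -> str:
    """Hardened form of the same template: quoted attribute plus attribute encoding."""
    return f'<input type="text" name="p1" size="50" value="{attr_encode(value)}">'


def render_js_safe(value: str) -> str:
    """Hardened form of the Problem 2 sink: JS string encoding inside document.write."""
    return f'<script>document.write("{js_string_encode(value)}")</script>'


def attr_value_is_inert(encoded: str) -> bool:
    """True when an attribute value contains only [A-Za-z0-9&#;]: nothing a
    browser could read as a terminator or as the start of a new attribute."""
    return all(c in _SAFE or c in "&#;" for c in encoded)


def js_value_is_inert(encoded: str) -> bool:
    """True when a JS string literal contains only [A-Za-z0-9] and the escape
    prefix backslash: no raw quote, '<', '/', or line terminator remains."""
    return all(c in _SAFE or c == "\\" for c in encoded)


def demo(value: str) -> dict:
    """Render one input through the naive and the hardened templates and report
    whether each output can still contribute a terminator to its context."""
    naive = render_unquoted_naive(value)
    return {
        "naive_html": naive,
        "naive_inert": attr_value_is_inert(naive_filter(value)),
        "safe_html": render_attr_safe(value),
        "safe_inert": attr_value_is_inert(attr_encode(value)),
        "safe_js": render_js_safe(value),
        "js_inert": js_value_is_inert(js_string_encode(value)),
    }


if __name__ == "__main__":
    # The backtick input is the one quoted in the thread; the others are
    # constructed to exercise the terminators Jeff lists and the </script> case.
    for sample in ("``onclick=alert(1)", "a\x00b\tc\nd", "</script>"):
        for k, v in demo(sample).items():
            print(f"{k:12} {v!r}")
        print()
```

Note what the check proves and what it does not: `attr_value_is_inert` and `js_value_is_inert` are whitelist tests on the encoded output, so they hold independently of which browser is rendering, which is exactly what a blacklist cannot offer. The naive template passes the thread's backtick input through untouched because none of the blacklisted characters appear in it, while the encoded output of the same input contains no character that any parser could treat as a quote, whitespace or `=`.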