Web Application Security
Re: XSS - Double Quote break out and White Space filtered Jun 06 2009 02:17PM
arvind doraiswamy (arvind doraiswamy gmail com) (1 replies)
Re: XSS - Double Quote break out and White Space filtered Jun 09 2009 04:51AM
Marc-André Laverdière (marc-andre atc tcs com)
You can have a look at the Google Browser Security Handbook:
http://code.google.com/p/browsersec/wiki/Main

It may not exactly answer your question, but it's a useful reference and
could help you get your answer :)

--
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

arvind doraiswamy wrote:
> @Portswigger: The <IMG SRC> did work..thnx.
>
> @Mugdha: The < and > was blocked. We tried your suggestion, Unicode
> and that worked too. I'd swear we'd tried that out though :rollseyes.
> Thanks anyway.
>
> @Walid: No I'm not designing the wargame though that may be a nice
> idea going forward :D.
>
> The final bypass hence turns out to be document.write("\u003cimg src=a
> onerror=alert(1)\u003e")
>
> A final question though. How does the browser interpret Unicode and
> Hex and all that? As in yes..I understand there is intelligence built
> in to it but how does it decide..Right...This is Unicode. This is URL
> Encoded. This is Hex..This is normal text. Is it just by the \u \x %
> ...?? Or is it something deeper. Are there a few good reads?
>
> Thanks
> Arvind
>
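
On the question of how the browser decides which encoding it is looking at, here is an added example (not code from either poster): each parser decodes only its own escape syntax, so the same bytes mean different things in a JavaScript string, in HTML and in a URL. The function names, the modelled filter and the sample strings are assumptions made for illustration, and the HTML and URL cases go slightly beyond the single JavaScript case in the thread.

```javascript
// Added example; all names are hypothetical and each decoder covers only the
// escape forms listed in its comment.

// Constructed sample: the string from the thread as it sits in the page
// source, with a literal backslash followed by "u003c".
const sample = String.raw`\u003cimg src=a onerror=alert(1)\u003e`;

// Assumed filter, modelled on "the < and > was blocked": raw characters only.
function containsAngleBrackets(input) {
  return /[<>]/.test(input);
}

const hex = (h) => String.fromCodePoint(parseInt(h, 16));

// Each parser recognises its own escape syntax; the rest is plain text to it.
const decoders = {
  // JavaScript string literal: \uXXXX and \xXX
  'js-string': (s) => s.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g,
    (_, u, x) => hex(u || x)),
  // HTML text or attribute value: numeric references &#xHH; and &#DDD;
  'html': (s) => s.replace(/&#x([0-9a-fA-F]+);|&#([0-9]+);/g,
    (_, h, d) => (h ? hex(h) : String.fromCodePoint(parseInt(d, 10)))),
  // URL component: %HH percent-encoding
  'url': (s) => decodeURIComponent(s),
};

function decodeByContext(s, context) {
  return decoders[context](s);
}

// Output encoder for data placed inside a JS string literal: every character
// outside [A-Za-z0-9] becomes \uXXXX, so a supplied backslash is data and
// cannot start an escape sequence of its own.
function escapeForJsString(s) {
  return Array.from(s, (ch) => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    // Encode per UTF-16 code unit so characters outside the BMP stay valid.
    return ch.split('').map((u) =>
      '\\u' + u.charCodeAt(0).toString(16).padStart(4, '0')).join('');
  }).join('');
}

console.log(containsAngleBrackets(sample));          // what the filter sees
console.log(decodeByContext(sample, 'js-string'));   // what document.write receives
console.log(decodeByContext(sample, 'html'));        // same bytes as HTML text
console.log(escapeForJsString(sample));              // encoded for a JS string
```

The filter inspects the text before the JavaScript parser has decoded it, which is why a check on raw `<` and `>` passes this string; encoding for the output context, as `escapeForJsString` does, keeps the value as text after decoding.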

Copyright 2010, SecurityFocus