XSS - Double Quote break out and White Space filtered
From: arvind doraiswamy
Sent: 28 May 2009 07:13
To: webappsec@...

Hey Guys,

We're trying to understand XSS regex and evasion techniques better. We're stuck at 2 variations though.

Problem 1:
Here's what is allowed:

( ) : ; &

Everything else is filtered or replaced. The HTML looks like this:

<input type=text name=p1 size=50 value=>

Note that the value isn't enclosed by quotes, which means I can break out of it with a space with the event handling technique. However, the problem again is that spaces are also caught and replaced with a blank. The same is true of " as well. The < and > are filtered as well, which means we can't start a new tag either. So we're stuck. Now AFAIK these are the only ways to bypass a filter:

a) Add another attribute to the Input tag
b) Break out of the Input tag and add your own scripts
c) Put in something in the value= which natively acts as a script (I'm not sure what)

Is there anything else? How all can you perform XSS with < > " ' (whitespace with all variants) all blocked off using any of the 3 above methods?

Problem 2:
Everything in Problem 1 is blocked off, including & as well. The input into a text box goes between " " this time though. So if I type "abc" it goes between the double quotes. This input is again used by a document.write(" ") between <script> </script> tags later in the page. So if I write abc in an input box, it's echoed in 2 places: a) in the text box itself, b) in the document.write(" ") call later on the page. Effectively this means everything is treated as text in both places; this includes scripts, javascript: function pointer tricks, everything. Remember I can't break out again due to the " becoming &quot; and < > becoming &lt; &gt;. So how do you do this?

All inputs/feedback are welcome. Please let me know if further inputs are needed.

Thanks
Arvind
RE: XSS - Double Quote break out and White Space filtered
From: PortSwigger <mail@...>
Sent: 28 May 2009 2:30 PM

Have you checked whether backticks are allowed? IE interprets backticks in the same way as quotes. So you may be able to use something like:

``onclick=alert(1)
Re: XSS - Double Quote break out and White Space filtered
From: arvind doraiswamy
Sent: Thursday, May 28, 2009 10:46 AM
To: PortSwigger
Cc: webappsec@...

This worked a treat, thanks. What does this mean though? So if I take an example:

<input type=text name=p1 size=50 value=>

Now say I type ``onclick=alert(1) inside the text box, this becomes:

<input type=text name=p1 size=50 value=``onclick=alert(1)>

Does this mean I'm saying: the value is null (no value between the backticks), followed by the event handler?

Also any ideas about Problem 2? How do you break out of something enclosed in double quotes with the same character escapes as Problem 1?

Thanks
Arvind
RE: XSS - Double Quote break out and White Space filtered
From: Jeff

In problem 1, since there are no quotes, there are lots of characters that will terminate an attribute, like %00, %08, CR, LF, VT, space, tab, etc.

I think you're out of luck on problem 2. You *can* break out of a quoted string inside javascript without the corresponding quote by "injecting up" and closing the entire script block with </script>. Unfortunately for you that won't work because you can't generate a tag.

See the OWASP XSS Prevention Cheatsheet for some more background on what characters do what where:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

--Jeff
Re: XSS - Double Quote break out and White Space filtered
From: Florian Weimer <fw@...>

* arvind doraiswamy:

> Problem 1:
> Here's what is allowed:
>
> ( ) : ; &

Is "=" allowed as well? Without that, it's going to be difficult, I think.

With =, you can use an onmouseover event handler and a style attribute to enlarge the input field and make it transparent (so that the event handler actually fires). Both can be &-encoded to bypass the filter. This will work in any browser; direct script injection into style attributes is quite browser-specific.
Re: XSS - Double Quote break out and White Space filtered
From: arvind doraiswamy

Thanks Jeff and Florian.

@Jeff: All the other whitespace characters were blocked off as well. The backticks one worked on this one though, so Problem 1 is solved.

@Florian: = was allowed and we managed to do this with an onChange event handler. There might be a better event handler too though; didn't try since we got it with this one.

Regarding Problem 2, I've gone through the OWASP Prevention sheet in great detail. There are even recommendations there saying we should put untrusted data between " " to secure it. Considering that and all the characters which are blocked off, I do wonder how one could bypass this. I'm sure there is an XSS on this because it's part of a war game which we started playing to improve understanding. Here's a snapshot of the related code:

<form action="blahblah.php" method="post">
document.write: <input type="text" name="p1" size="60" value="ggggg">
<input type="submit" value="reflect">
<pre><script>document.write("gggggg");</script></pre>
</form>

So as you see, all reflection points are in double quotes and all key characters are blocked off as mentioned earlier.

An input in the text box of: < > : ; " ' ` = ( ) / \ * is reflected back as:
< > : ; " ' ` = ( ) / \ *

What can I do with this?

Cheers
Arvind

p.s. Remember it's definitely there, it's a wargame ;)
Re: XSS - Double Quote break out and White Space filtered
From: Florian Weimer <fw@...>
Sent: Sun, May 31, 2009 8:25 PM

* arvind doraiswamy:

> Here's a snapshot of the related code:
>
> <form action="blahblah.php" method="post">
> document.write: <input type="text" name="p1" size="60" value="ggggg">
> <input type="submit" value="reflect">
> <pre><script>document.write("gggggg");</script></pre>
> </form>

Is this some sort of homework?

> So as you see all reflection points are in double quotes and all key
> characters are blocked off as mentioned earlier.
>
> An input in the text box of: < > : ; " ' ` = ( ) / \ * is reflected back as:
> < > : ; " ' ` = ( ) / \ *

You need to target the document.write() call.
Re: XSS - Double Quote break out and White Space filtered
From: arvind doraiswamy

Ha ha, no, it's not homework at all; those days are gone. I edited the code a little before I posted. It's actually a level in a wargame targeted only at XSS. Doing that is a nice way to improve skill.

Yes, I understand I have to target document.write(), but it outputs everything back into double quotes, so how do I do it?

Thnx anyway...
Arvind
Re: XSS - Double Quote break out and White Space filtered
From: Marc-André Laverdière

You can have a look at the Google Browser Security Handbook:
http://code.google.com/p/browsersec/wiki/Main

It may not exactly answer your question, but it's a useful reference and could help you get your answer :)

--
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

arvind doraiswamy wrote:
> @PortSwigger: The <IMG SRC> did work..thnx.
>
> @Mugdha: The < and > were blocked. We tried your suggestion, Unicode,
> and that worked too. I'd swear we'd tried that out though :rollseyes.
> Thanks anyway.
>
> @Walid: No, I'm not designing the wargame, though that may be a nice
> idea going forward :D.
>
> The final bypass hence turns out to be document.write("\u003cimg src=a
> onerror=alert(1)\u003e")
>
> A final question though. How does the browser interpret Unicode and
> Hex and all that? As in yes..I understand there is intelligence built
> in to it but how does it decide..Right...This is Unicode. This is URL
> Encoded. This is Hex..This is normal text. Is it just by the \u \x %
> ...?? Or is it something deeper. Are there a few good reads?
>
> Thanks
> Arvind
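The answer to Arvind's closing question is that no single decoder looks at the prefix; each parser that consumes the text decodes its own notation (the HTML parser decodes &entities;, the JavaScript parser decodes \x and \u inside string literals, URL handling decodes %HH), and the value here passes through the HTML parser first and the JavaScript parser second. The example below is added here and is not code from the thread or the wargame; it assumes the wargame's filter is an htmlspecialchars-style entity encoder (consistent with the " becoming &quot; behaviour described), models the browser's string-literal step with Function(), and places the OWASP cheat-sheet JS-string encoder that Jeff pointed to beside it.

```javascript
// Added example (not the thread's or the wargame's code). Models the Problem 2
// reflection point: the filter HTML-entity-encodes the input (assumption:
// htmlspecialchars-style), but the value lands inside a JavaScript string
// literal in document.write("..."), where the JS parser decodes \x and \u
// escapes after the filter has already run.

// Wrong-context encoder: HTML entities applied to a JS string context.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return s.replace(/[&<>"'`]/g, c => map[c]);
}

// Right-context encoder for a JS string literal (OWASP XSS Prevention Cheat
// Sheet rule for JS data values: \xHH-escape everything except [A-Za-z0-9]).
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The browser's first step on document.write("<body>"): parse the string
// literal, decoding \x.. and \u.... escapes. Function() applies exactly that
// grammar to the literal's body (the result is only inspected, never written).
function decodeJsStringLiteral(body) {
  return Function('return "' + body + '";')();
}

// Second step: the decoded text is fed to the HTML parser. Would it open a tag?
function writtenHtmlStartsTag(body) {
  return /<[a-zA-Z]/.test(decodeJsStringLiteral(body));
}

// Constructed test input: the final payload quoted in the thread.
const PAYLOAD = '\\u003cimg src=a onerror=alert(1)\\u003e';

function demo() {
  return {
    // Payload contains none of & < > " ' `, so the entity filter passes it...
    entityFilterPassesPayload: htmlEncode(PAYLOAD) === PAYLOAD,
    // ...and after JS-literal decoding document.write receives a real <img> tag.
    entityFilterWritesTag: writtenHtmlStartsTag(htmlEncode(PAYLOAD)),
    // The JS-string encoder turns the backslash into \x5c, so the decoded text
    // is the literal characters "\u003cimg ..." and no tag is written.
    jsEncoderWritesTag: writtenHtmlStartsTag(jsStringEncode(PAYLOAD)),
    jsEncoderRoundTrips: decodeJsStringLiteral(jsStringEncode(PAYLOAD)) === PAYLOAD,
  };
}
```

The same lesson applies to the Problem 1 attribute: an unquoted attribute has no closing delimiter, so quoting every attribute and entity-encoding its value is the HTML-attribute-context counterpart of jsStringEncode().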