Pages

Tuesday, December 13, 2011

XSS techniques: defeat a target that only escapes single and double quotes

I assume that you found an entry point either, from
  1. the url
  2. an injectable 
    <input .../>
  3. or a form input, find functions on certain websites are very exploitable
Assume that the target accepts injections with slashes and escapes only single and double-quotes as a security measure:

Try to break the webpage with '-->', e.g. html comment termination,
inject your payload, e.g. <script>...</script>

Escaping double and single quotes:

a. 
(new String(1)).replace((new Number(1)).toString(10), /look no single or double quotes/);

b. 
String.fromCharCode(n1, n2, ..., nX)

c. replace (for compression)

Use this python snippet to prepare the payload:

[ ord(c) for c in "http://payload_in_decimal" ]

The drawback of this technique is that the decimal payload will be huge and it might overflow the input, i.e. url input on the browser, input-tag, form etc.
Posted by at No comments:
Subscribe to: Posts (Atom)