web application security lab

Archive for January, 1970

Extraneous open brackets

Thursday, January 1st, 1970

Submitted by Franz Sedlmaier: adding extraneous open angle brackets can defeat certain XSS filters, namely the ones that look for matching bracket pairs and take whatever sits between them as the tag, instead of de-obfuscating the input first and then comparing the resulting strings against what a browser would actually parse.
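To make the difference concrete, here is an added example (it is not Franz Sedlmaier's vector or code from this site): a filter that pairs each `<` with the next `>` and checks the "tag name" it finds there is compared with a check that first de-obfuscates the string and then walks it the way a browser's tokenizer does, where a `<` that is not followed by a letter is plain text and tokenizing resumes at the next character. The blocked-tag list, the decoder and the sample inputs are all constructed for illustration.

```javascript
// Added example (not from the original post): a bracket-pair-matching XSS
// filter versus a check that de-obfuscates and then tokenizes like a browser.
// BLOCKED_TAGS and the sample strings are constructed for illustration.

const BLOCKED_TAGS = new Set(["script", "iframe", "object", "embed"]);

// Pair-matching filter: each "<" is paired with the next ">", the text between
// is taken as the tag, and it is removed only if its name is on the list.
function pairMatchingFilter(input) {
  return input.replace(/<([^>]*)>/g, (whole, inner) => {
    const name = /^\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/.exec(inner);
    if (name && BLOCKED_TAGS.has(name[1].toLowerCase())) return "";
    return whole; // "<script" has no valid tag name, so it is left untouched
  });
}

// De-obfuscation: undo percent-encoding and numeric HTML entities before any
// comparison, so "%3C" and "&#60;" are both seen as "<".
function decodeObfuscation(input) {
  const pct = input.replace(/%([0-9a-fA-F]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
  return pct.replace(/&#(?:x([0-9a-fA-F]+)|([0-9]+));?/gi, (_, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

// Simplified HTML5 tokenizer rule: "<" opens a tag only when followed by a
// letter (or by "/" and a letter); otherwise the "<" is emitted as text and
// tokenizing resumes at the next character. Returns the tag names a browser
// would actually see (start and end tags alike).
function tagNamesAsBrowserSees(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i += 1; continue; }
    let j = i + 1;
    if (html[j] === "/") j += 1;
    if (j < html.length && /[a-zA-Z]/.test(html[j])) {
      let k = j;
      while (k < html.length && !/[\s\/>]/.test(html[k])) k += 1;
      names.push(html.slice(j, k).toLowerCase());
      i = k;
    } else {
      i += 1; // stray "<": text, not a tag
    }
  }
  return names;
}

// Hardened check: de-obfuscate, tokenize like the browser, then compare names.
function tokenizingFilterBlocks(input) {
  return tagNamesAsBrowserSees(decodeObfuscation(input))
    .some((n) => BLOCKED_TAGS.has(n));
}

// Constructed sample: the extra "<" hides the tag name from the pair matcher,
// but the browser still sees a <script> start tag and runs the code.
const SAMPLE = "<<script>alert(1)//<</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log("pair matcher passes:", pairMatchingFilter(SAMPLE) === SAMPLE);
  console.log("browser sees tags:", tagNamesAsBrowserSees(SAMPLE));
  console.log("tokenizing check blocks:", tokenizingFilterBlocks(SAMPLE));
}
```

The pair matcher leaves `<<script>alert(1)//<</script>` untouched because the text between its first `<` and the first `>` is `<script`, which is not a tag name it recognizes; the tokenizer-based check reports `script` twice (start and end tag) and rejects the input. The same check also catches the percent- and entity-encoded forms because it decodes before it compares.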

XSS calculator improvement

Thursday, January 1st, 1970

I made a major improvement to the XSS calculator today: it can now properly handle line breaks in the ASCII text. Before, I was seeing some errors in the way it both encoded and decoded those special characters in hex and decimal, but it should work as expected now. The funny thing is you can see the difference between IE and Firefox, where Firefox sees a line break as %0A and IE sees it as %0D%0A. Enjoy.

background-image with unicoding

Thursday, January 1st, 1970

This one comes straight from an exploit found by Renaud Lifchitz that uses the old div background-image inside a style tag, but he took a different approach and unicoded the string. I modified his original exploit slightly to also encode the url parameter. Very cool, as it doesn’t require the use of the JavaScript directive or script tag, which always makes it harder to catch.
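As an added example (not Renaud Lifchitz's exploit or code from this site), here is what "unicoding" a CSS value does to a filter: every character of `url(` and of the `javascript:` URL is written as a CSS hex escape, so a substring search on the raw style value finds neither, while a check that decodes the escapes the way a CSS parser does finds both. The escape encoder, the decoder, the two filters and the sample value are constructed for illustration; note that the `javascript:` URL in a CSS `url()` only ran in browsers of that era, and modern browsers do not execute script from CSS URLs, but the decode-before-compare lesson still applies to any style-based obfuscation, including the style-tag tricks from the cheat sheet discussed elsewhere on this page.

```javascript
// Added example (not Renaud Lifchitz's or the original post's code): CSS
// unicode escapes hide "url(" and "javascript:" from a substring filter;
// decoding the escapes first restores them. All inputs are constructed.

// Escape every character as a 4-digit CSS hex escape, e.g. "u" -> "\0075".
// Escaping everything avoids the CSS ambiguity where a following hex digit
// would be read as part of the escape (up to six digits are consumed).
function cssEscapeAll(text) {
  return Array.from(text, (ch) =>
    "\\" + ch.codePointAt(0).toString(16).padStart(4, "0")).join("");
}

// Decode CSS escapes as a CSS parser does: "\" plus 1-6 hex digits, optionally
// followed by ONE whitespace character that is swallowed; "\" plus any other
// character yields that character literally.
function cssUnescape(value) {
  return value.replace(
    /\\([0-9a-fA-F]{1,6})(?:\r\n|[ \t\n\f\r])?|\\([^\r\n\f])/g,
    (_, hex, ch) => {
      if (hex === undefined) return ch;
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
    });
}

// Naive filter: substring search on the raw style value.
function naiveStyleFilterFlags(styleValue) {
  return /javascript:|url\s*\(/i.test(styleValue);
}

// Hardened filter: the same comparison, but on the decoded value.
function decodedStyleFilterFlags(styleValue) {
  return naiveStyleFilterFlags(cssUnescape(styleValue));
}

// Constructed sample in the shape the post describes: a div background-image
// whose url( token and javascript: URL are both expressed as escapes.
const OBFUSCATED_STYLE =
  "background-image:" + cssEscapeAll("url(") + "'" +
  cssEscapeAll("javascript:alert(1)") + "'" + cssEscapeAll(")");

if (typeof require !== "undefined" && require.main === module) {
  console.log(OBFUSCATED_STYLE);
  console.log("naive filter flags it:", naiveStyleFilterFlags(OBFUSCATED_STYLE));
  console.log("decoded filter flags it:", decodedStyleFilterFlags(OBFUSCATED_STYLE));
  console.log("browser sees:", cssUnescape(OBFUSCATED_STYLE));
}
```

The single-whitespace rule matters in practice: `\6a avascript` decodes to `javascript` because the space terminating the escape is consumed, so a decoder that only strips backslashes, or one that keeps the space, will disagree with the browser.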

XSS Fools

Thursday, January 1st, 1970

Russell Jones sent me a link to his site http://www.xssfools.com where he exploits flaws in a number of large news sites to put up phoney articles on them as an April fools prank. April fools everyone! Close those XSS holes!

Another MySpace hole

Thursday, January 1st, 1970

Justin Lavoie came up with a rather interesting DOM-based XSS vector for MySpace using String.fromCharCode inside an improperly sanitized parameter. Pretty tricky. Nice job, Justin!
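The general shape of that trick, as an added and entirely hypothetical example (this is not the MySpace vector or Justin Lavoie's code, and the sanitizer, sink and inputs are constructed): a sanitizer that strips quote characters in front of a DOM sink that evaluates the parameter as JavaScript looks like it prevents any string literal from reaching the sink, but `String.fromCharCode(88,83,83)` builds the string `XSS` without a single quote. The fix is not a better blacklist; it is to stop treating the parameter as code.

```javascript
// Added example (hypothetical, not the MySpace vector or Justin Lavoie's
// code): a quote-stripping "sanitizer" in front of an evaluating DOM sink is
// bypassed with String.fromCharCode, which needs no quote characters at all.
// Names and inputs are constructed.

// Turn a string into an equivalent quote-free expression. String.fromCharCode
// takes UTF-16 code units, so this is exact for BMP characters.
function toFromCharCode(text) {
  const codes = Array.from(text, (ch) => ch.charCodeAt(0)).join(",");
  return "String.fromCharCode(" + codes + ")";
}

// The flawed sanitizer: removes quotes, assuming no string literal survives.
function quoteStrippingSanitizer(param) {
  return param.replace(/["'`]/g, "");
}

// The vulnerable DOM-style sink, modelled with the Function constructor: the
// sanitized parameter is interpolated into source text and evaluated.
function vulnerableSink(param) {
  return new Function("return (" + quoteStrippingSanitizer(param) + ");")();
}

// Hardened sink: the parameter is data, never code. Allow-list the shape you
// expect and never concatenate it into evaluated source (or innerHTML).
function hardenedSink(param) {
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(param)) {
    throw new Error("rejected parameter");
  }
  return param;
}

// Constructed payloads: the quoted one is broken by the sanitizer (it becomes
// a bare identifier and fails), the quote-free one evaluates to "XSS".
const QUOTED_PAYLOAD = "'XSS'";
const QUOTE_FREE_PAYLOAD = toFromCharCode("XSS");

if (typeof require !== "undefined" && require.main === module) {
  console.log(QUOTE_FREE_PAYLOAD);
  console.log("quote-free payload reaches the sink as:", vulnerableSink(QUOTE_FREE_PAYLOAD));
}
```

`vulnerableSink(QUOTED_PAYLOAD)` throws a ReferenceError, which is exactly the behaviour that makes a quote-stripping filter look effective in testing; `vulnerableSink(QUOTE_FREE_PAYLOAD)` returns the string `XSS`.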

XSS strikes Google, again

Thursday, January 1st, 1970

almfnod came up with this one. Yes, Google has been running into a bit of bad luck lately with their engineering department. They really need to hire some actual webappsec security guys someday. And no, I don’t mean me.

XSS in a podcast

Thursday, January 1st, 1970

Dan Kuykendall has a new podcast about webappsec that covers XSS. It’s a good basic primer in audio form which is nice if you just want to point a newbie in the right direction.

diminutive XSS attack example

Thursday, January 1st, 1970

As in the diminutive code contests, you often have to fit the vector into a very small space to get past validation. Sometimes this can be overcome and sometimes it can’t, but this link is a pretty good example of a case where he was able to get around it. There are other ways, sure, but this is a real-world example, which is kinda fun.

XSS in TD tags

Thursday, January 1st, 1970

I realized that I had added TABLE tags, but had missed TD tags inside of TABLEs. Oops. Anyway, I added that and cleaned up some wording here and there. Just cleaning house today.

Yahoo Mail XSS in Style tags

Thursday, January 1st, 1970

There was an interesting vulnerability found in Yahoo! Mail by Cheng Peng Su. It uses a style obfuscation method pulled almost directly from the XSS Cheat sheet. It just goes to show that sometimes the most complex forms of obfuscation really are worth discussing, because XSS filters are often highly flawed.