web application security lab

Archive for May, 2006

String replace is XSS’s friend. Trust me.

Wednesday, May 31st, 2006

String replace is actually a really common problem. Blwood discovered some XSS vulnerabilities in Tikiwiki. Here’s the premise: if the string “<SCRIPT>” is removed, you can use that to your advantage by entering something like “<sc<SCRIPT>ript>”. Once “<SCRIPT>” is removed, what remains is “<script>”. That’s bad. Bad, and common.
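To make the failure concrete, here is an added example (not code from the post or from Tikiwiki) that models the filter as a case-insensitive removal of the literal string "<script>", feeds it the nested input from the post, and contrasts it with two defensive alternatives: repeating the removal until the text stops changing, and encoding the text for HTML output instead of trying to strip tags at all.

```python
import html
import re

# Case-insensitive removal of the literal "<script>" tag, modelling the
# single-pass string replace the post describes (assumed filter, not Tikiwiki's).
SCRIPT_TAG = re.compile(r"<script>", re.IGNORECASE)

# Sample input taken from the post itself.
NESTED_INPUT = "<sc<SCRIPT>ript>"


def strip_once(s: str) -> str:
    """Weak filter: one pass of string replace. Removing the inner
    "<SCRIPT>" splices the surrounding fragments into a fresh "<script>"."""
    return SCRIPT_TAG.sub("", s)


def strip_to_fixpoint(s: str) -> str:
    """Repeat the removal until the text stops changing, so a tag that is
    reassembled by one pass is caught by the next. This is still a blocklist:
    it closes this one reassembly trick, not XSS in general."""
    while True:
        stripped = SCRIPT_TAG.sub("", s)
        if stripped == s:
            return s
        s = stripped


def encode_for_html(s: str) -> str:
    """Preferred fix: do not remove dangerous substrings at all; encode the
    untrusted text so the browser can never interpret it as markup."""
    return html.escape(s, quote=True)


def main() -> None:
    print("single pass  :", strip_once(NESTED_INPUT))          # <script>
    print("to fixpoint  :", repr(strip_to_fixpoint(NESTED_INPUT)))  # ''
    print("html-encoded :", encode_for_html(NESTED_INPUT))


if __name__ == "__main__":
    main()
```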

MyYearbook.com XSS

Wednesday, May 31st, 2006

I ran across this a few days ago. This is a really good example of several real world XSS filter evasions pulled straight from my site that Luny was able to successfully launch against MyYearBook.com. Definitely worth a look if you want to see practical usage of some pretty obfuscated XSS vectors, if you ask me. Nice job, Luny.

Protocol resolution in script tags

Monday, May 29th, 2006

This particular variant was submitted by Łukasz Pilorz and was based partially on Ozh’s protocol resolution bypass. This cross site scripting example works in IE, in Netscape in IE rendering mode, and in Opera if you add a tag at the end. It is especially useful where space is an issue, and of course, the shorter your domain, the better. The “.j” is valid regardless of the MIME type, because the browser knows it in the context of a SCRIPT tag.