web application security lab

XSS filter evasion in Blackplanet and Vampirefreaks

Luny had a few good articles over the weekend that are pretty good examples of how easily filter evasion can bypass most content restrictions. He demonstrates it in Vampirefreaks and Blackplanet. People just don’t understand the nuances of HTML. One thing I’ve noticed is that most people who say they know HTML really mean they know how to kludge together a webpage. If you can look at the source of this page and tell me what it does without running off to a search engine, then you know what HTML is. If not, you are in the first group. I’ll put together a post in the future about how I learned HTML the right way. The basic thing people get wrong is that XSS is JavaScript. Only in DOM-based XSS is that true. The rest of the time it is about HTML injection that happens to instantiate JavaScript in most cases. But I digress.

The first post is regarding an XSS vulnerability in vampirefreaks.com and the second is regarding XSS in blackplanet.com. They both use the same basic vector, which is to break up the JavaScript directive with a tab. That was actually one of the first vectors I came up with when I was writing my fuzzer. That and null byte injection are the two that I think are the most powerful for HTML injection. Luny also URL-escaped the alert box, because it too was blocked for some reason (if you ask me, that’s a retarded thing to block, but whatever). Both are pretty good examples of what is possible.
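To make the point concrete from the filter's side, here is an added example (my own code, not Luny's or anything from the sites mentioned) that puts a substring blocklist of the kind these sites were running next to a check that does what the browser does first: decode the attribute's entities, drop the characters the URL parser throws away (tab, newline, carriage return; NUL is dropped too as a defensive assumption, since null byte injection is the sibling trick named above), trim leading controls and spaces, lower-case, and only then look at the scheme against an allowlist. The allowlist `ALLOWED_SCHEMES` is constructed for the example.

```python
import html
import re

# Constructed allowlist: the only link schemes a profile page is permitted to use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Characters removed from anywhere in a URL before its scheme is recognised.
# Tab, LF and CR are what the WHATWG URL parser strips; NUL is added here as a
# defensive assumption to cover the null byte variant as well.
_REMOVED_ANYWHERE = re.compile(r"[\t\n\r\x00]")
# Leading/trailing C0 controls and space, which the URL parser trims.
_TRIM_CHARS = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def naive_filter_allows(href: str) -> bool:
    """The blocklist the post describes: a plain substring match on the raw value.
    Returns True when the value would be let through."""
    return "javascript:" not in href.lower()


def normalize_href(href: str) -> str:
    """Rewrite the value the way the browser will actually read it."""
    # The value arrives in an HTML attribute, so entity decoding happens first:
    # jav&#x09;ascript: turns into a real tab before URL parsing ever sees it.
    text = html.unescape(href)
    text = _REMOVED_ANYWHERE.sub("", text)
    return text.strip(_TRIM_CHARS)


def scheme_of(href: str):
    """Scheme of the normalised value in lower case, or None for a relative URL."""
    m = _SCHEME.match(normalize_href(href).lower())
    return m.group(1) if m else None


def hardened_filter_allows(href: str) -> bool:
    """Allowlist on the normalised scheme. Relative links (no scheme) are fine;
    the body of the URL is never inspected, so escaping 'alert' changes nothing."""
    s = scheme_of(href)
    return s is None or s in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample values, including the tab-split scheme from the post.
    samples = [
        "https://example.com/profile",
        "java\tscript:alert(1)",
        "jav&#x09;ascript:alert(1)",
        "\x00javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:36} naive={naive_filter_allows(s)!s:5} "
              f"hardened={hardened_filter_allows(s)}")
```

The tab-split value sails past `naive_filter_allows` because the substring `javascript:` never appears in the raw text, while `hardened_filter_allows` rejects it, the entity-encoded tab, the NUL-prefixed form and any case variant alike, because all of them normalise to the same scheme. Note that the check decides on the scheme only; blocking the word `alert` adds nothing once the scheme is allowlisted.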

/RSnake

4 Responses to “XSS filter evasion in Blackplanet and Vampirefreaks”

  1. v-wall Says:

    aggh Luny I’d planned on taking a look at Vampirefreaks. Looks like now you beat me to this one. lol nice find mate

  2. Daniel Del Rio Says:

    This also works for myspace because the Gecko engine allows for non-alphanumeric characters to appear before the equal sign on an onload event making it easy to break their filters.

  3. Daniel Del Rio Says:

    Whoa crap, my code didn’t show up. I’ll put it in without the opening and closing carets.

    BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")

  4. RSnake Says:

    Daniel, do you have an example of this working on myspace? I don’t have an account there to test.
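The onload vector Daniel posted above is aimed at filters that look for a pattern like `on…=` in the raw markup: stuff junk between the attribute name and the `=` and a regex no longer matches, while a lenient parser may still wire up the handler. The durable fix is not a better regex but parse, allowlist, re-serialize: the browser then only ever sees clean markup rebuilt from the tokens. Below is an added example of that approach (my own code, not from Daniel, RSnake or any of the sites discussed) using Python's standard `html.parser`; `ALLOWED_TAGS` and `VOID_TAGS` are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for a profile-page fragment: tag -> attributes permitted on it.
ALLOWED_TAGS = {
    "b": set(),
    "i": set(),
    "p": set(),
    "br": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content still passes through handle_data
        kept = []
        for name, value in attrs:
            # Exact match on the parsed attribute name. A name such as 'onload!#$%...'
            # is simply not on the list, so it never survives, regardless of how any
            # particular browser would have treated the junk in front of the '='.
            if name in ALLOWED_TAGS[tag] and value is not None:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so nothing the parser saw as text can
        # come back out as markup.
        self.parts.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped

    def handle_decl(self, decl):
        pass  # doctype and similar declarations are dropped


def sanitize(fragment: str) -> str:
    """Return a re-serialized copy of fragment containing only allowlisted markup."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.parts)


if __name__ == "__main__":
    # Constructed sample carrying the junk-before-'=' attribute from the thread.
    sample = r'''<p onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>hi</p>'''
    print(sanitize(sample))
```

Whatever the parser makes of the characters between `onload` and `=`, the resulting attribute name is not `href`, `src` or `alt`, so it is dropped and the `<p>` is emitted bare. An `href` that does survive still needs its scheme checked separately; this block only decides which attribute names may exist at all.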
