Single and Double Quotes Escapes
alf sent me an email about how single and double quotes are a pretty easy way to cause XSS injection. I had to ask him for more details, because that just wasn't clear to my satisfaction, so then he sent me this XSS exploit library. His concept is that if you put a single quote, then a double quote, and then your XSS vector, it will bypass a lot of filters, i.e.: http://www.example.com/param.php?123'"{XSS}
After verifying that most of them still work, it appears there are two underlying problems that make this work. The first problem is that people assume that if something is encapsulated in quotes it is not vulnerable to cross site scripting. That's definitely not the case, especially if you insert a quote and break out of it.
Even escaping quotes doesn't help you, because there is no such thing as an HTML escape character (and if there were, that could cause all sorts of other problems). So if the tag looks like `<TAG parameter="variable" ...` and you insert `'"{XSS}` into the tag, you can jump out of it because it ends up looking like `<TAG parameter="'"{XSS}" ...`, and even if they put backslashes before the quotes, it still ends up being `<TAG parameter="\'\"{XSS}" ...`, which still breaks out (change the single quotes to double quotes and vice versa and it works the same). Now that you have broken out of the quotes you can use event handlers inside the tag, or you can try to break out of the tag as well with an end angle bracket. Either will work.
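To make the point above concrete, here is an added example (mine, not code from the original post or from alf's library) that models how a browser tokenizes a quoted attribute value: the value simply runs until the next matching quote, and a backslash before that quote means nothing in HTML. It compares the raw value, a PHP-style `addslashes` escape, and proper HTML attribute entity encoding, for both double- and single-quoted attributes. The function names (`renderTag`, `addslashes`, `htmlAttrEncode`, `attributeBreaksOut`, `demo`) are chosen for this example, and `{XSS}` is the post's placeholder marker, not a real payload.

```javascript
// Added example, not from the original post: why backslash-escaping does not
// stop a '" breakout in an HTML attribute, and why entity encoding does.

// PHP-style addslashes: prefixes quotes and backslashes with a backslash.
// This is a string-literal escape, not an HTML escape, so the browser still
// sees the quote character itself.
function addslashes(s) {
  return s.replace(/([\\'"])/g, "\\$1");
}

// HTML attribute encoding: the characters that can change attribute or tag
// structure are replaced by entities. The browser decodes the entity back to
// the character *inside* the value, so it can never terminate the value.
function htmlAttrEncode(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Builds the tag the post describes: <TAG parameter="variable" ...>
// `quote` selects double- or single-quoted attribute syntax.
function renderTag(value, quote = '"') {
  return `<input parameter=${quote}${value}${quote} type=${quote}text${quote}>`;
}

// Simulates the tokenizer rule for a quoted attribute: the value ends at the
// next occurrence of the same quote character, backslash or not. Returns true
// if any part of the untrusted marker lands outside the attribute value, which
// is exactly the "broken out" state the post describes.
function attributeBreaksOut(tag, quote = '"') {
  const prefix = `parameter=${quote}`;
  const start = tag.indexOf(prefix) + prefix.length;
  const end = tag.indexOf(quote, start);
  const restOfTag = tag.slice(end + 1);
  return restOfTag.includes("{XSS}");
}

// Constructed test input: the post's '"{XSS} probe.
const untrusted = "'\"{XSS}";

// Runs the three treatments through both attribute quoting styles.
function demo(quote = '"') {
  return {
    raw: attributeBreaksOut(renderTag(untrusted, quote), quote),
    addslashes: attributeBreaksOut(renderTag(addslashes(untrusted), quote), quote),
    encoded: attributeBreaksOut(renderTag(htmlAttrEncode(untrusted), quote), quote),
  };
}

console.log(demo('"'));  // raw and addslashes break out; encoded does not
console.log(demo("'"));  // same result with single-quoted attributes
```

The takeaway for a defender is that the escaping has to match the output context: a backslash is the right escape inside a JavaScript or SQL string literal, but inside an HTML attribute only entity encoding (or a templating engine that applies it automatically) keeps the value inside the quotes.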
The second problem is that people take the parameter and don't sanitize it before using it in the application. In one of the cases it is just an error condition saying that the file you attempted to open, …path…/'"{XSS}.php, is not valid. Of course, there are probably other vulnerabilities there, since it is command execution that is failing based on an unsanitized variable (eesh!). Scary stuff.
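As an added example (mine, not code from the original post or from the site it describes), this is how the "file you attempted to open" case could have been handled safely: the page parameter is checked against a fixed allowlist before it is used to build a file name at all, and when it is echoed back in an error message it is encoded for the HTML body-text context. The names `ALLOWED_PAGES`, `PAGE_DIR`, `resolvePage`, `htmlText`, `renderError` and `handle`, and the directory path, are assumptions made for this example.

```javascript
// Added example, not from the original post: allowlist the parameter before it
// becomes a file name, and encode it before it is echoed in an error page.

// The only pages the application will ever include. Anything else, including
// the post's '"{XSS}.php probe, is rejected before it touches the file system.
const ALLOWED_PAGES = new Set(["home", "about", "contact"]);
const PAGE_DIR = "/var/www/app/pages"; // assumed location, for illustration only

// Returns the path of a permitted page, or null for anything else. Because the
// check is an exact string comparison against the allowlist, quotes, slashes,
// dots and other path characters in the input never reach the file name.
function resolvePage(param) {
  if (typeof param !== "string" || !ALLOWED_PAGES.has(param)) return null;
  return `${PAGE_DIR}/${param}.php`;
}

// Encoding for element content (body text): these three characters are the
// ones that can start a tag or entity in that context.
function htmlText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The error page still shows the user what they asked for, but as literal text.
function renderError(param) {
  return `<p>The page "${htmlText(String(param))}" is not valid.</p>`;
}

// Request handler: either a resolved file to include, or a safe error page.
function handle(param) {
  const file = resolvePage(param);
  return file ? { ok: true, file } : { ok: false, html: renderError(param) };
}

console.log(handle("about"));        // { ok: true, file: '/var/www/app/pages/about.php' }
console.log(handle("'\"<{XSS}>"));   // { ok: false, html: '<p>The page "\'"&lt;{XSS}&gt;" is not valid.</p>' }
```

Two separate controls are at work: the allowlist protects the file system (and whatever command execution sits behind the include), while the encoding protects the browser. Fixing only one of them leaves the other problem the post describes in place.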
So the moral of the story is that the single-quote/double-quote combination can often help you find your way out of encapsulation. I'm always a little fearful of using things like this in automation because they have a greater tendency to find SQL injections, which can end up breaking applications, so for black box pen testing make sure it's not on a live system, because the likelihood of bringing it down is much greater.
June 30th, 2006 at 9:10 am
[…] So I would say, based on that experience, an equals sign and a slash seem like good things to want to test for if you want to have a higher likelihood of a successful attack (especially if you want 100% coverage with all browsers since the aforementioned attack wouldn't work in Firefox because of the JavaScript directive). The simple cross site scripting string doesn't test for either. So maybe is a likely choice? Now that also doesn't test if you can jump out of quotes. But maybe that doesn't matter because it assumes you'll have to try to jump out of the quotes yourself. But if it were me, I'd try alf's trick of putting in a single and double quote: '" […]
October 17th, 2008 at 9:06 pm
How to pass stage 3 on http://xss-quiz.int21h.jp/stage-3.php?sid=11ef28cc62d36bf3da321926ca15e6b7efff1985 quiz. I will appreciate your help.
Thanks
Hydra