Quick Explanation of the XSS Locator
Just got back from DefCon 14… I need to post the photos and give a bit of a recap, but I’m way too tired for that. Vegas really wipes a guy out! But I got an interesting email about the XSS Cheat Sheet that I thought was worth responding to. Basically the question was, how exactly does the Cross Site Scripting Locator work (maybe it’s a typo that I keep repeating the same string over and over again). Well, no.
Let’s step through it. Take the first part:
';alert(String.fromCharCode(88,83,83))//
If there is a dynamically built piece of JavaScript that says something like: var a = '$user_supplied'; it will end up looking like this (the two slashes at the end are a JavaScript line comment, there to throw away any stray text that might follow the string and would otherwise cause JS errors instead of rendered code):
var a = '';alert(String.fromCharCode(88,83,83))//';
Meaning that you have now jumped out of the single quotes. Now let's say it attempts to kill your quote by escaping it with a backslash, so that ' now becomes \'. It would then look like:
var a = '\';alert(String.fromCharCode(88,83,83))//';
Which would still encapsulate your string. So the next part tries to break out of that by adding a backslash:
var a = '\';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//';
So now the second backslash is slashed out, so it no longer escapes the single quote, and the rest of the string will render outside the literal. The order that you do this matters or you'll end up inadvertently escaping your own quotes or causing JavaScript errors. Anyway, if you get that much you'll see how the rest works… and then finally, if you were either able to jump out of the encapsulation (or weren't inside any encapsulation to begin with), the last part of the locator will fire. Clear as mud?
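Here is an added example (my own code, not something from the post or the cheat sheet) that walks the two locator segments above through var a = '$user_supplied'; under three different server-side encodings and evaluates each result with a recording alert(), so you can see exactly which encoding lets the payload out of the literal and which keeps it inside. The encoder names and the renderScript/evaluateScript helpers are mine.

```javascript
// Added example, not part of the original post: simulate the locator landing
// in `var a = '$user_supplied';` under three server-side encodings, then run
// each generated script with a stubbed alert() that records calls. The
// encoder names and helper functions are this example's own.

// The two segments of the locator that the post walks through.
const LOCATOR =
  "';alert(String.fromCharCode(88,83,83))//" +
  "\\';alert(String.fromCharCode(88,83,83))//";

// Three ways a server might embed user input inside a JS string literal.
const ENCODERS = {
  // No encoding at all: the first quote in the payload closes the literal.
  none: (s) => "'" + s + "'",
  // "Kill the quote" by prefixing it with a backslash but leave backslashes
  // alone; this is the escaping the post shows the second segment defeating.
  quoteOnly: (s) => "'" + s.replace(/'/g, "\\'") + "'",
  // Proper JS string encoding: backslashes, quotes and control characters
  // are all escaped, so the payload stays inside the literal.
  jsonString: (s) => JSON.stringify(s),
};

// Build the dynamically generated script the post describes.
function renderScript(encoderName, userSupplied) {
  return "var a = " + ENCODERS[encoderName](userSupplied) + ";";
}

// Evaluate a generated script with a stubbed alert() that records calls.
// Returns how many alerts fired, what `a` ended up holding, and any parse
// error. `return a` goes on its own line so the payload's trailing `//`
// comment cannot swallow it.
function evaluateScript(src) {
  const alerts = [];
  const alert = (msg) => alerts.push(String(msg));
  try {
    const fn = new Function("alert", src + "\nreturn a;");
    const value = fn(alert);
    return { alerts: alerts.length, value, error: null };
  } catch (e) {
    return { alerts: alerts.length, value: undefined, error: e.message };
  }
}

// Inject the locator through one encoder and report what happened.
function injectLocator(encoderName) {
  return evaluateScript(renderScript(encoderName, LOCATOR));
}

// Walk all three encoders and show which ones let the locator out.
for (const name of Object.keys(ENCODERS)) {
  const r = injectLocator(name);
  console.log(
    name.padEnd(11),
    r.alerts > 0 ? "payload escaped the literal" : "payload contained",
    JSON.stringify(r.value)
  );
}
```

With "none", the first quote closes the literal and one alert fires. With "quoteOnly" the first quote is neutralised, but the \' in the second segment becomes \\' (a literal backslash followed by a real closing quote), so the string ends with a backslash and the second alert fires, exactly as the post describes. With JSON.stringify the payload comes back out of a unchanged and nothing fires. One caveat on the safe option: JSON.stringify alone does not stop a payload that contains </script> from ending an inline HTML script block, so when the literal sits inside HTML you also want < escaped as \u003c.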
This might be incoherent, but whatever. I'm going to go drink some water, eat some food and get some sleep.



August 6th, 2006 at 10:50 pm
I like how you’ve added the name property to the anchor tags
I see two html errors, though, when viewing the source in FireFox:
<A NAME-"XSS_HTML_entities">
<A NAME-"XSS_Multiline">'
August 7th, 2006 at 8:25 am
Thank you, yawnmouth, I fixed them. Oops!