web application security lab

Additional Non Alpha Non Digit Character Evasion

I got this letter yesterday and it's so good that it's worth posting in its entirety, un-edited. David Byrne found a way to add more non-visible characters to the list of non-alpha-non-digit cross site scripting vectors. The most interesting of these is the backspace character. I've toyed with this character before but never been able to think of a reasonable use for it in evading security filters. David Byrne found one:

First, thanks for the XSS Cheat Sheet, it’s a great resource for esoteric attacks. I was doing some testing with a simple fuzzing script and found something that I couldn’t locate on your page. You imply part of it with this:

Non-alpha-non-digit XSS. While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example "<SCRIPT\s" != "<SCRIPT/XSS\s":

Given this string:

<script$x>alert("XSS")</script$x>

IE 6 will execute it if $x = \x00, \x09, \x0b, \x0c, \x20, or \x2f. Firefox 1.5.0.7 will work if $x = \x08, \x09 or \x20. Perl's regex engine doesn't match \x08 (backspace) or \x0b (vertical tab) to "\s", allowing "<SCRIPT\s" to be bypassed in a similar fashion. Sorry if this is already on your site and I missed it.

Thanks,
David Byrne

Pretty cool stuff if you ask me. David is right: I've mentioned all the other characters at one point or another but never talked about backspace. If a regex is looking for something like m/<script([\&;\`'"\\\|*?~<>^\(\)\[\]\{\}\$\n\r\0\t…whatever…])*>/ig; (I was guilty of writing code like this early in my career) then the regex will fail. Having taken everything into account that would seem reasonable still isn't enough to stop non-digit-non-alpha. This is where regex starts really having problems. I'm a huge fan of regex for its power, but the fuzzy syntax within HTML elements in the various browsers just makes this far too complex.
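As an added example (not code from the original post or the cheat sheet), a Python check that reproduces the filter gap described above using the post's own separator lists: the naive "<script\s" pattern beside a matcher that follows the parser's rule (any non-alpha-non-digit after the tag name), plus the output-encoding step that makes pattern matching unnecessary. Note that Python's \s does match \x0b and \x0c, unlike the Perl engine David describes, so in this engine only \x00, \x08 and \x2f slip past the naive filter.

```python
import re
from html import escape

# Naive filter of the kind the post criticises: it assumes the tag name is
# always followed by whitespace, so "<script" + \x08 or "/" slips past it.
NAIVE_SCRIPT_RE = re.compile(r"<script\s", re.IGNORECASE)

# Hardened matcher following the parser's own rule: after the tag name, any
# character that is NOT a letter or digit ends the name (NUL, backspace,
# vertical tab, "/", ... all qualify), so the lookahead is what matters.
HARDENED_SCRIPT_RE = re.compile(r"<script(?![a-z0-9])", re.IGNORECASE)

# Separator characters listed in David's letter, per browser (constructed
# test set taken from the post's text).
IE6_SEPARATORS = ["\x00", "\x09", "\x0b", "\x0c", "\x20", "\x2f"]
FIREFOX_SEPARATORS = ["\x08", "\x09", "\x20"]


def probe(sep):
    """Build the post's test string '<script$x>alert("XSS")</script$x>'."""
    return '<script%s>alert("XSS")</script%s>' % (sep, sep)


def naive_detects(text):
    """True if the whitespace-based filter would flag this input."""
    return NAIVE_SCRIPT_RE.search(text) is not None


def hardened_detects(text):
    """True if the non-alpha-non-digit matcher would flag this input."""
    return HARDENED_SCRIPT_RE.search(text) is not None


def missed_by_naive(separators):
    """Separators (as \\xNN strings) whose probe the naive filter misses."""
    return ["\\x%02x" % ord(c) for c in separators
            if not naive_detects(probe(c))]


def safe_render(untrusted):
    """The mitigation that does not depend on guessing separators at all:
    HTML-encode untrusted text for the output context, so '<' can never
    open a tag regardless of what follows the name."""
    return escape(untrusted, quote=True)


if __name__ == "__main__":
    print("IE 6 separators missed by naive filter:", missed_by_naive(IE6_SEPARATORS))
    print("Firefox separators missed by naive filter:", missed_by_naive(FIREFOX_SEPARATORS))
```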

One Response to “Additional Non Alpha Non Digit Character Evasion”

  1. Oscar F Duron Says:

    I have tested with the Bail Character (Vertical Character ASCII 11) and it breaks all types of scripts, XML, HTML and Javascript, all you need is to suffix the special characters with it, like
