web application security lab

More CSS Obfuscation

Over the last few weeks I’ve had a number of exchanges with Yosuke Hasegawa and Cheng Peng Su about various encoding issues within IE7.0 and IE6.0. Unfortunately I am fresh out of IE6.0 installs, so I have nowhere to test some of these theories. I sorta have to take it on faith that it works, or maybe someone out there can verify for me, but apparently Yosuke has found some interesting CSS obfuscation techniques. Here is the English version if it helps.

I was pretty frustrated during this testing because it really feels like there is more here, but without IE6.0 more than half of the tests don’t work properly. However, the ones that do work work in any encoding method, which is nice. Here’s an example of some of the obfuscation:

<div style="{ left:&#x5c0065&#x5c0078pression( this.style.background='red')}">try me in IE</div>

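What you are seeing is an HTML string creating a CSS escaped string that turns into the character in question. The HTML entity &#x5c turns into a backslash. In CSS, the backslash then turns the four character string that follows it into the ASCII equivalent: 0065 becomes "e" and 0078 becomes "x", so the property value reads "expression". Because the keyword only appears after two separate decoding passes, a filter that looks at the raw attribute never sees it. Pretty tricky, and it makes life quite a bit more difficult for testing these strings.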
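To test a filter against strings like this, the style attribute has to be decoded in the same two layers before it is inspected. The following is an added example, not code from the original post: the function names are hypothetical, and the constructed sample assumes the entity is written in its semicolon-terminated form, &#x5c;.

```python
import html
import re

# Constructed sample: the style value from the post, with the backslash entity
# written in its semicolon-terminated form (an assumption of this example).
SAMPLE = "{ left:&#x5c;0065&#x5c;0078pression( this.style.background='red')}"

# CSS escape: backslash + 1-6 hex digits, optionally followed by one whitespace
# character that ends the escape; or backslash + any other single character.
_CSS_ESCAPE = re.compile(
    r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])"
)


def _css_unescape(match):
    """Turn one CSS escape into the character it stands for."""
    if match.group(1) is not None:
        code_point = int(match.group(1), 16)
        # NUL, surrogates and out-of-range values become U+FFFD.
        if code_point == 0 or code_point > 0x10FFFF or 0xD800 <= code_point <= 0xDFFF:
            return "\ufffd"
        return chr(code_point)
    return match.group(2)


def normalize_style(attr_value):
    """Decode a raw style attribute: HTML entities first, then CSS escapes."""
    text = html.unescape(attr_value)               # layer 1: &#x5c; -> backslash
    return _CSS_ESCAPE.sub(_css_unescape, text)    # layer 2: \0065 -> e


def has_css_expression(attr_value):
    """True when the fully decoded style contains an expression( call."""
    decoded = normalize_style(attr_value)
    return re.search(r"expression\s*\(", decoded, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("raw match:       ", "expression" in SAMPLE.lower())
    print("normalized style:", normalize_style(SAMPLE))
    print("decoded match:   ", has_css_expression(SAMPLE))
```

A filter that matches on the raw attribute misses the keyword entirely, while the same match run on the output of normalize_style finds it.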

I’ve got to say, I’m actually really happy with all of the work that Yosuke and Cheng have been putting into these encoding methods, but the language barrier (Yosuke speaks Japanese and Cheng speaks Chinese) is making it difficult to do tests. As we come up with more, I’ll let everyone know. It’s just slow going at the moment. So while I admit that some of these things came out a few weeks back, mostly it’s been me who’s taken too much time actually testing all the various encoding methods against the strings they provided before making the one above that you see today. Anyway, great work from Yosuke!
