[WEB SECURITY] R: XSS and input tag
- From: "Vicari Marco Vincenzo (UGIS - UniCredit Group)" <MarcoVincenzo.Vicari@xxxxxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] R: XSS and input tag
- Date: Fri, 13 Nov 2009 10:57:28 +0100
Thanks for your help,
The following attack pattern:
?param=val%22%20style=%22width:%20expression%28eval%28String.fromCharCode%2897,108,101,114,116,40,39,88,83,83,39,41,59%29%29%29;%22%20x=%22
works with IE7 (tested) and IE6.
I needed to use the eval() function because the application intercepts the alert() function. It is a good example of an application filter... :-)
The attack doesn't work with FF 3.x.
I tried the other suggested patterns, but the onmouseover function requires user interaction, and it doesn't work with a hidden field.
Thanks a lot.
---------------------------------------------
Marco Vincenzo Vicari
Application Security & Fraud Management
ICT Security
Infrastructure and Customer Services
Unicredit Global Information Services
Via Ugo La Malfa 50
90100 Palermo, Italia
Tel. +39 091 608 6332
Cell. +39 335 7978086
mailto:marco.vicari@xxxxxxxxxxxxxxxxx
http://www.unicreditgroup.eu
---------------------------------------------
Please consider the environment before printing this e-mail
-----Original Message-----
From: Vicari Marco Vincenzo (UGIS - UniCredit Group) [mailto:MarcoVincenzo.Vicari@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, 11 November 2009 17:53
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] XSS and input tag
Hi All,
I read that it is possible to inject code into a web application using the input tag when the "<" or ">" characters are escaped.
If the application has the following tag:
<INPUT type="hidden" name="foo" value="val"/>
The attacker can't use the pattern: ?foo="><script>alert('xss')</scrip>
Because "<" and ">" are escaped.
I read (sla.ckers.org) that the attacker can use the pattern: val" type=image src=a onerror=eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41,59)) x="
I tried this attack pattern, but it doesn't work; I used IE7 and FF 3.5.
Where is the error?
Thanks for your help.
This e-mail is confidential and may also contain privileged information. If you are not the intended recipient you are not authorised to read, print, save, process or disclose this message. If you have received this message by mistake, please inform the sender immediately and delete this e-mail, its attachments and any copies.
Any use, distribution, reproduction or disclosure by any person other than the intended recipient is strictly prohibited and the person responsible may incur penalties.
Thank you!
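The thread's underlying point is that escaping only "<" and ">" does not protect a value placed inside an HTML attribute: the quote character can still close the attribute and append new ones (style=, type=, onerror=). The following is an added example, not code from the thread or from any product mentioned in it; it contrasts that naive filter with attribute-context encoding and uses a constructed, inert breakout string.

```javascript
// Added example: naive "<"/">" filtering versus attribute-context encoding.

// The weak filter described in the thread: it stops <script> injection but
// leaves the double quote alone, so the value="..." attribute can be closed.
function naiveFilter(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-context encoder: every character that can end or alter a quoted
// attribute value becomes a character reference. Quotes are the critical ones;
// & is encoded so that an existing entity is not decoded twice.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Render the hidden field the way the application in the thread does,
// with a pluggable encoder for the untrusted value.
function renderHiddenInput(value, encoder) {
  return `<INPUT type="hidden" name="foo" value="${encoder(value)}"/>`;
}

// Minimal attribute scanner used only to inspect the result: returns the
// attribute names a browser-like parser would see on the rendered tag.
function attributeNames(tag) {
  const names = [];
  const re = /\s([A-Za-z][\w-]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample in the shape the thread describes: closes the value
// attribute and tries to smuggle in a style attribute (harmless content).
const breakout = 'val" style="width: expression(1)" x="';

const naive = renderHiddenInput(breakout, naiveFilter);
const safe = renderHiddenInput(breakout, encodeForHtmlAttribute);

// Naive filter: the tag gains "style" and "x" attributes.
// Attribute encoding: the quotes become &quot; and the value stays a value.
console.log(naive, attributeNames(naive)); // ... [ 'type', 'name', 'value', 'style', 'x' ]
console.log(safe, attributeNames(safe));   // ... [ 'type', 'name', 'value' ]
```

The same encoder is not sufficient for values placed inside a style attribute, a URL attribute or a script block; each of those contexts needs its own encoding rules.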
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA