ben moeckel security research - http://badWebMasters.net - security advisories - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - badWebMasters security advisory #012: Passing script/html-filter with special chars (multibrowser) Discovery date: 2003-07-16 Author: ben moeckel (http://distressed.de) mailto: badwebmasters@online.de Description: When webbrowsers parse html they remove special chars, this behavior may be used by an malicious user to fool script/html-filters in webapplications. Detail: badWebMasters showed in their advisory #011 how to pass the "Snitz Forums"-scriptfilter with the Tab-Char (09). After "Opera" and "Mozilla"-users noticed that the provided exploit didn't work on their system I decided to start some new testings, with an amazing result! To detect what kind of special chars can be used in html- parameters I set up the following asp-page: -------------------------------------------2.asp--------- <%@LANGUAGE=JScript%><% %><script>function a(o){alert(o)}</script><% %><img src="javascript:a('test')" /><% for(i=0;i<256;++i){ uc = "%"+chk(i.toString(16)); %><img src="ja<%=unescape(uc)%>vascript:a(<%=i%>)" /> <% } function chk(sInp){if(sInp.length<2){ return String("0"+sInp) }else{return sInp}} %> --------------------------------------------------------- The page has been viewed with Mozilla, Opera and Internet- Explorer, the alert-box poped up in this order: Mozilla 1.3.1 (Win32): 0 (with restricions) Opera 7.11 (Win32): 0, 9, 10, 13, 173 Internet Explorer 5.0: 13, 10, 9, 0 Mozilla doesn't allow the window.alert()-method in "javascript:"- images, so I had to use my own function "a()". It also returned an error for char 9, 10 and 13: "Error: unterminated regular expression literal". Webmasters may be carefull with char 173 (ADh) that can be used in Opera only. And last but not least silly Internet Explorer: reversed order!? Test: http://badwebmasters.net/advisory/012/test.asp Workaround: This advisory adresses all webapps that use a badword filter, make sure all control-chars are removed before badwords are removed! References: badWebMasters advisory #011: Cross-Site-Scripting @ Snitz Forums - http://cert.uni-stuttgart.de/archive/bugtraq/2003/04/msg00247.html Feedback: Comments, suggestions, updates, anything else? -> mailto:badwebmasters@online.de Source: http://badwebmasters.net/advisory/012/ (text/html) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Copyright 2003 by ben moeckel (Benjamin Klimmek) for badWebMasters. http://badwebmasters.net
