X OWASP Spain Chapter Meeting, 17th November 2016
"xxxxxxxx'yyyyy</img was an XSS probe payload
Injected "><img src=x onerror=prompt(1);> and found that <, >, () and spaces were filtered, as can be seen in the screenshot.
The accesskey method for XSS in a hidden field in modern browsers was proposed by @garethheyes here.
'-confirm(1)-' was the attack payload
SAP took almost 9 months to release a patch for this unauthenticated DoS in NetWeaver Portal.
Listed 7 times on SAP's security researchers' acknowledgement page: http://scn.sap.com/docs/DOC-55451
<img src=x onerror=confirm(1)// was the attack payload
Further, clients/customers and "about" pages help in getting the big picture. The choice of code search engine may vary and depends on you.
</script><script>confirm(1)</script> was an XSS attack payload
More information on their customers is available at http://www.poski.com/reference/
'-confirm(1)-' was the XSS attack payload.
'-confirm`1`-' was the attack payload.
Fixing this case is not easy because of the browsers' decoding order. Further, developers should take care of the correct escaping order ... One of SAP's NetWeaver Portal XSS issues (security note: 2182154) discussed earlier was related to this case.
See https://plus.google.com/+AlexisImperialLegrandGoogle/posts/f9gm2G2BH5g + https://www.youtube.com/watch?v=oAYjZy1Nuyg + https://respectxss.blogspot.de/2015/12/a-hardcore-xss.html (two real examples from the wild discussed in the blog)
Note: In this case, developers are escaping the ' and " quotes, but in an HTML context, and they missed the most dangerous character in an HTML context, i.e., <. In an HTML context, please do encoding instead of escaping.
Note: In this case, developers are escaping the ' and " quotes, but in an attribute context. In an attribute context, please do encoding instead of escaping.
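Added example (not from the talk) contrasting the two notes above: backslash-escaping only the quotes, which leaves < and > intact in HTML body and attribute contexts, versus entity-encoding the characters that change the parsing context. The payloads are the ones shown in these notes; the function names and the crude tag-count detector are my own construction.

```javascript
// Payloads taken from the talk notes above; constructed test input for this example.
const BODY_PAYLOAD = "</script><script>confirm(1)</script>";
const ATTR_PAYLOAD = '"><img src=x onerror=confirm(1)//';

// Weak defense the notes describe: only ' and " are backslash-escaped.
// A backslash means nothing to the HTML parser, so < and > survive intact.
function escapeQuotesOnly(input) {
  return input.replace(/["']/g, (ch) => "\\" + ch);
}

// Proper defense for HTML body and quoted attribute contexts:
// entity-encode every character that can change the parsing context.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHtml(input) {
  return input.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The two reflection points from the notes: HTML body and an input's value attribute.
function renderHtmlBody(value, sanitize) {
  return "<p>" + sanitize(value) + "</p>";
}
function renderInputValue(value, sanitize) {
  return '<input type="text" value="' + sanitize(value) + '">';
}

// Rough detector: count tag-open sequences in the rendered markup and compare
// with what the template alone contributes; any surplus came from the
// untrusted value. (A real check would parse with a DOM parser.)
function countTags(html) {
  return (html.match(/<\/?[a-z!]/gi) || []).length;
}
function injectsTag(render, value, sanitize) {
  return countTags(render(value, sanitize)) > countTags(render("", sanitize));
}

// Attribute-specific check: a raw double quote left in the sanitized value
// closes value="..." early, whatever character precedes it.
function breaksOutOfAttribute(value, sanitize) {
  return sanitize(value).includes('"');
}

console.log(injectsTag(renderHtmlBody, BODY_PAYLOAD, escapeQuotesOnly));    // true
console.log(injectsTag(renderHtmlBody, BODY_PAYLOAD, encodeForHtml));       // false
console.log(breaksOutOfAttribute(ATTR_PAYLOAD, escapeQuotesOnly));          // true
console.log(breaksOutOfAttribute(ATTR_PAYLOAD, encodeForHtml));             // false
```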
Note: The reflection was in the input tag's value attribute, but HTML comments were around the input tag. Though " has been encoded properly, HTML comments (i.e., <!-- -->) can play an important role here.
No one knows but recently ...