In IE, JavaScript strings can be truncated by NULL characters, but only when getValue is used.
Test code:
alert('abc\0def')
On its own this is at most spoofing, but combined with an IE (<=8) parsing bug and PHP's [magic quotes] it becomes a DOM XSS.
IE parsing bug:
<a href="<body/onload=alert(1)>click</a>
As mentioned in the XSS vectors I shared previously, when the parser cannot find the closing delimiter of an attribute value in a tag, it treats the tag as invalid and uses it as text.
<a href=" is converted to &lt;a href=&quot; and <body/onload=alert(1)> is parsed as HTML.
PHP escaping:
Before 5.3.0, magic_quotes_gpc was enabled in PHP by default.
It not only converts characters such as " and ', but also converts %00 to \0.
The \0 in the JavaScript string will then be escaped again.
Note: even if magic quotes are disabled, developers generally use functions such as addslashes, which also convert %00 to \0.
So:
document.write('\0">')
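An added example, not from the original post, contrasting what addslashes() (or magic_quotes_gpc) does to a NUL byte and a quote with the JSON-based encoding that is appropriate for a JavaScript string context; the sample input and the function names are constructed for illustration.

```php
<?php
// Added example (not from the original post). Shows why addslashes() is the
// wrong escaping for a JavaScript string context and what to use instead.

// Constructed sample input: a NUL byte, a double quote, and a tag.
$untrusted = "abc\0\"<b>def";

// What magic_quotes_gpc / addslashes() produce: the NUL byte becomes the two
// characters backslash and zero, quotes get a backslash, but < and > are left
// untouched, so the value can still be reshaped by the HTML parser or cut
// short by a NUL-sensitive engine once it sits inside a <script> block.
function escapeWithAddslashes(string $s): string {
    return "document.write('" . addslashes($s) . "');";
}

// Recommended: emit a JSON literal with the HEX flags so <, >, &, ' and "
// become \uXXXX escapes; the NUL byte becomes \u0000 and stays inside the
// literal instead of being re-interpreted by the browser.
function escapeWithJsonEncode(string $s): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($s, $flags);
    if ($literal === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return "document.write(" . $literal . ");";
}

// A simple review check: output destined for a JavaScript string context must
// not contain a raw '<' or '>' nor a literal backslash-zero sequence.
function isSafeJsLiteral(string $js): bool {
    return strpos($js, '<') === false
        && strpos($js, '>') === false
        && strpos($js, '\\0') === false;
}

echo escapeWithAddslashes($untrusted), "\n";
echo escapeWithJsonEncode($untrusted), "\n";
var_dump(isSafeJsLiteral(escapeWithAddslashes($untrusted)));
var_dump(isSafeJsLiteral(escapeWithJsonEncode($untrusted)));
```

Running it shows the addslashes() variant failing the check and the json_encode() variant passing it, because only the latter encodes the NUL byte and the angle brackets as Unicode escapes.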
--------------------------------------------------------------------------------
Related comments:
--------------------------------------------------------------------------------
Xhm1133 |
Practical tips :)
Horseluke |
PHP output escaping is generally based on htmlspecialchars... addslashes is only related to the database. Output escaping that is not done in code cannot be audited.
But... has anyone studied bypassing strip_tags? Seeing someone use it for output escaping makes me uneasy, but I can't say why, let alone why...
Sogili (-_-) Web crazy scientist // mmme. me (-_-) |
@Horseluke Well, yes, but htmlspecialchars won't convert %00. It would be more fun if %00 is not processed.
Horseluke |
@Sogili: I don't understand; I'm not familiar with XSS. Please explain...
Sogili (-_-) Web crazy scientist // mmme. me (-_-) |
@Horseluke IE can parse <[0x00]i[0x00]m[0x00]g src=xx:x o[0x00]nerror=alert(1)>, so many filters can be bypassed; it is dangerous not to process [0x00]. I only know about XSS, and I think the security impact on the server side is not small either.
_ Edevil (sexual interest is the best teacher.) |
Web scientist is good, but only Internet Explorer is affected.
Gainover (">_< '/& \ Have you ever seen any cross-site characters?) |
You can try to write a scenario on your own machine.
From wooyun