Javascript string truncation with DOM XSS

Source: Internet
Author: User

In IE, JavaScript strings can be truncated by NULL characters, but only when getValue is used.

Test code:

alert('abc\0def')

If this were all there is to it, it would amount at most to spoofing, but combined with a parsing bug in IE (<= 8) and PHP's magic quotes it becomes a DOM XSS.

IE parsing bug:

<a href="<body/onload=alert(1)>click</a>

As mentioned in the XSS vectors I shared previously, when the parser cannot find the closing delimiter of an attribute value in a tag, it treats the tag as invalid and uses it as text.

So <a href=" is changed to &lt;a href=&quot; and <body/onload=alert(1)> is resolved as HTML.

PHP escaping:

Before 5.3.0, PHP enables magic_quotes_gpc by default.

It not only escapes characters such as " and ', but also converts %00 to \0.

In the JavaScript string, that \0 is then unescaped again (back into a NUL character).

Note: even when magic quotes are disabled, developers generally use functions such as addslashes, which also convert %00 to \0.

So

document.write('\0">')
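As an added example (not code from the original post), here is the addslashes() pattern the post describes beside a hardened form that encodes for the HTML-attribute and JavaScript-string contexts in turn; the input value and the two function names are constructed for illustration.

```php
<?php
// Added example, not code from the original post. The input value and the two
// function names are constructed for illustration.

// What a URL parameter containing %00"><body/onload=alert(1)> decodes to on
// the server: a NUL byte followed by the attribute-breaking payload.
$input = "\0\"><body/onload=alert(1)>";

// The pattern the post describes: addslashes() (or magic_quotes_gpc) turns the
// NUL byte into the two characters \0 and the quote into \". Inside a JavaScript
// string literal \0 decodes back to a real NUL, which IE <= 8 treats as the end
// of the string, while <, > and / pass through untouched.
function vulnerable_output(string $s): string
{
    return "document.write('<a href=\"" . addslashes($s) . "\">click</a>');";
}

// Hardened form: the value sits in an HTML attribute inside a JavaScript string,
// so encode for the innermost context first (htmlspecialchars) and then for the
// JavaScript string context (json_encode with the JSON_HEX_* flags). Each of
// < > & ' " becomes a \uXXXX escape that the JavaScript parser turns back into a
// plain character, so nothing can be read as markup; the NUL becomes \u0000 and
// no longer appears as a literal \0 that the engine would decode.
function hardened_output(string $s): string
{
    $attr = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $js = json_encode($attr, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "document.write('<a href=\"' + " . $js . " + '\">click</a>');";
}

echo vulnerable_output($input), PHP_EOL;
echo hardened_output($input), PHP_EOL;
```

Note that htmlspecialchars() alone leaves the NUL byte in place, which is why the JSON step is the one that neutralises it.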
--------------------------------------------------------------------------------
 
 
Related comments:
 
 
--------------------------------------------------------------------------------
 
Xhm1133 |
 
Practical tips :)
 
Horseluke |
 
PHP output escaping is generally based on htmlspecialchars... addslashes is only related to the database. The output escaping must not be audited by code.
 
But... has anyone studied bypassing strip_tags? Seeing someone use it for output escaping makes me feel insecure, but I can't say why, let alone why...
 
 
 
Sogili (-_-) Web crazy scientist // mmme. me (-_-) |
 
@Horseluke well, but htmlspecialchars won't convert %00. It would be more fun if %00 is not processed.
 
 
 
Horseluke |
 
@Sogili: I don't understand. I'm not familiar with XSS. Please explain it...
 
 
 
Sogili (-_-) Web crazy scientist // mmme. me (-_-) |
 
@Horseluke IE can parse <[0x00]i[0x00]m[0x00]g src=xx:x o[0x00]nerror=alert(1)>, so many filters can be bypassed, and it is dangerous not to process [0x00]. I only know about XSS, and I think the security impact on the server is not small.
 
 
 
_ Edevil (sexual interest is the best teacher.) |
 
Web scientists are good, but only Internet Explorer is available.
 
 
 
Gainover (">_< '/& \ Have you ever seen any cross-site characters?) |
 
You can try to write a scenario on your computer.
 
From wooyun
