Thursday, April 17, 2014

Author

challenge in xss


Member

Guest
Posted on 16-01-09 23:46
The other day I read a tut about XSS and how to bypass some securities. I was wondering: what if the input was filtered and the text containing the word script, both in upper and lower, would be added with a [], that would lead to <[script]>, or a double pair, that would lead to <[[script]]>... what can be done about it?
Author

RE: challenge in xss

K3174N 420
Member



Posts: 296
Location: In a grow room, growing cannabis.
Joined: 14.09.08
Rank:
Hacker Level 1
Warn Level: 69
Posted on 16-01-09 23:49
Probably not much... Try adding escape chars.


Author

RE: challenge in xss


Member

Guest
Posted on 17-01-09 00:08
K3174N 420 wrote:
Probably not much... Try adding escape chars.

... Goofy.

Not all XSS requires it to be wrapped in script tags... depending on where the content is rendered on the page, some XSS can operate merely by escaping an HTML attribute in an existing element. Go to phpsec.org.


Author

RE: challenge in xss


Member

Guest
Posted on 17-01-09 01:17
BlaX wrote:
...would be added with a [] ,that would lead to <[script]> or double pair , that would lead to <[[script]]> .. what can be done about it ?



Code
<[script]>alert(/xss/)</[script]>


and
Code
<[script]>alert(/xss/)<[/script]>


both don't work. Apparently the browser doesn't recognize the script command because of the extra brackets. Neither do
Code
<[]script[]>alert(/xss/)<[]/script[]>


and
Code
<[]script[]>alert(/xss/)</[]script[]>


.

If you're thinking about escaping tags then just find out what tag you need to escape and figure out what to use to escape it, it's pretty simple. :)



Author

RE: challenge in xss


Member

Guest
Posted on 17-01-09 21:45
Thank you guys for the replies.

Oh well, I've been messing with XSS for a while now, and am surprised at just how many sites are vulnerable. Most of them seem to change the < > to &lt; and &gt;. Is there some way to get around this thing?

I searched a lot about this but didn't come up with much result. Hope you can find some way.
Author

RE: challenge in xss

fashizzlepop
Member



Posts: 482
Location: Old folks home.
Joined: 08.04.08
Rank:
Moderate
Posted on 17-01-09 22:02
Have you heard of the FF add-on XSS-me? That uses a bunch of common XSS tests to see if a site is vulnerable. It is a good way to see how many different types of attacks there are.

Also, you might already know this, in order to really understand how input is sanitized, you have to read the source before and after. That way you can see what you changed and what you might want to try and change.


"The definition of insanity is doing the same thing over and over again and expecting different results.
~Albert Einstein~


Author

RE: challenge in xss


Member

Guest
Posted on 17-01-09 22:15
About that XSS-me, I think I've seen it in bt3's browser.
And yeah, I know about checking the code to see what's going on with your script. That's why I asked if there was a way to bypass the filters that change < to & alte
Author

RE: challenge in xss


Member

Guest
Posted on 17-01-09 23:32
Here's an example of XSS without the script tags:
http://www.gnucit. . .s-attacks/

If you google advanced XSS you'll learn pretty quickly.
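
Added example, not part of the original thread: a defender's check of the two sanitizers discussed above, the "wrap the word script in []" filter from the first post and entity encoding of < > and quotes, when the value is rendered inside an HTML attribute as the 17-01-09 00:08 reply describes. The template, function names and sample inputs are constructed for illustration; the inputs are inert and carry no script.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical template: the user value lands inside a double-quoted attribute.
TEMPLATE = '<input type="text" name="q" value="{}">'
EXPECTED_ATTRS = {"type", "name", "value"}

def bracket_filter(value):
    """Filter from the first post: wrap the word 'script' (any case) in []."""
    return re.sub(r"script", lambda m: "[" + m.group(0) + "]", value, flags=re.I)

def encode_for_html(value):
    """Output encoding: & < > " ' become entities, so the value stays data."""
    return html.escape(value, quote=True)

class TagCollector(HTMLParser):
    """Records every start tag and its attributes, as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def audit(value, sanitizer):
    """Render the sanitized value; return (markup_intact, parsed_tags)."""
    collector = TagCollector()
    collector.feed(TEMPLATE.format(sanitizer(value)))
    collector.close()
    tags = collector.tags
    intact = len(tags) == 1 and set(tags[0][1]) == EXPECTED_ATTRS
    return intact, tags

# Constructed, inert test inputs (no script content is needed to show the gap).
SAMPLES = [
    "<ScRiPt>alert(/xss/)</sCrIpT>",   # the case the keyword filter targets
    'x" data-injected="1',             # closes the attribute, adds a new one
    'x"><b>',                          # closes the tag, adds a new element
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for sanitizer in (bracket_filter, encode_for_html):
            intact, tags = audit(sample, sanitizer)
            print(f"{sanitizer.__name__:16} {sample!r:34} intact={intact} {tags}")
```

The keyword filter leaves the quote character untouched, so the parsed markup gains an attribute or element the template never had; with entity encoding every sample parses back to one `input` whose `value` is exactly the submitted text.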