-
Hi all,
while performing a web app audit, I found a part in this app where probably only opening tags are filtered. When injecting something like "><script>alert('XSS')</script>, alert('XSS')</script> is displayed.
The question for me is: is there another way to transport <script, especially the < (as it looks like [script is displayed correctly), in some other form (except HTML encoded), so that it is interpreted by the browser correctly?
Thanks in advance.
-
Moderator
Two things to try:
1st: HTML comments - fool the app - fool the browser.
2nd: Attribute injections - changing <input type=text to <input type=image and applying an onerror/onload or just try to apply event handlers, style attributes or whatever is necessary to exec JS.
It might be considered rather indiscreet to ask for an example URL, but I am curious, so... do you have an example URL (here/PM/email)?
Grx,
.mario
-
Hi Mario,
thanks for the hint with the event handler, I just wonder why I did not think of that myself ;)
But is there no other possibility in terms of encoding the text so that the browser interprets it anyway?
Greetz
greg
-
Hmm, I did not find the PM button, so regarding your last question, unfortunately I am not allowed to. But if you have any special interests regarding your question, maybe I can help you with that then ;)
-
Moderator
Let's rename PM to IM - my bad :)
Whether you can generate a < with alternative encodings depends on the server, the application and maybe other things. Try playing around with several common encodings and check what the app does. Maybe you can fool the filter by just using <scr<script>ipt> or something comparable.