Gonzalez Posted November 18, 2010 Report Posted November 18, 2010 ##############################################Title : XSS, how to bypass filters ##Author : k3nz0 ##Contact : o9p@hotmail.fr ##Category : Papers ##Website : k3nz0.com ###############################################################Tunisian######################################Hacker##################################################################This lessons is devided into 3 parts : [1] Introduction[2] Types of filters[3] Conclusion[1] Introduction : Nowadays, most of "securised" websites, make filters to don't allow cross site scripting "injections", however, we can bypassthese filters by using the methods shown below [2] Types of filters : We will learn, how to bypass these xss filters : [+]Bypass magic_quotes_gpc (if it's on ) [+]Bypass with cryption in full html [+]Bypass with Obfuscation [+]Bypass with trying around method############################################[+]Bypass magic_quotes_gpcWhen magic_quotes_gpc is on, it means that the server doesn't allow, ", / and ' (it depends)to bypass it we use : String.fromCharCode()We write our code, in the () crypted in ASCIIexemple : String.fromCharCode(107, 51, 110, 122, 48)(Here I crypted k3nz0 in ascii : 107, 51, 110, 122, 48And we use it : <script>String.fromCharCode(107, 51, 110, 122, 48)</script>We will see : k3nz0 We bypassed magic_quotes_gpc #############################################[+] Bypass with cryption in full html : Very simple, we have to encode our code in full HTTP!Our code : <script>alert('i am here')</script>And in full HTTP : %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%61%6D%20%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3ENow, you can inject it ! Notice that you can use the tool "Coder" to do encode it in full HTTP We bypassed filter.#############################################[+] Bypass with Obfuscation : Very simple too, this filter, don't allows for exemple these words : -script-alertTo bypass it, you change "script" with for exemple "sCriPt", and "alert" with "ALerT" ! For exemple : <ScriPt>ALeRt("i am here")</scriPt>We bypassed the filter.##############################################[+] Bypass with trying around method : Generally, it is in the searchs scripts, we just add "> at the begining to close current fields : exemple : http://target.com/search.php?search="><script>alert("hello")</script>We bypassed the filter.###############################################[3] Conclusion : It was, how we can bypass xss filters, and how to inject our code This lesson is explained by k3nz0Thank you for reading GREETZ : ALLAH ! Aymanos, v1r, kannibal615 , born to kill, & more.. ################################################ Quote
oXyGeN Posted November 18, 2010 Report Posted November 18, 2010 and more here : https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf Quote