Nytro
Posted December 11, 2011

Escaping Escapes

April 20, 2011, by Justin Barron

Sometimes a server will escape special characters that are injected. For instance, injecting a " character and having it reflect as \":

Injection: xss"
Reflection:
    x="xss\"";y=42;

Fail.

Sometimes, ironically enough, you can outsmart filters by using their own tricks against them. Try escaping their escape character like this:

Injection: xss\"
Reflection:
    x="xss\\"";y=42;

Success!

However, if the server escapes your injected \ as \\, this technique will not work:

Injection: xss\"
Reflection:
    x="xss\\\"";y=42;

Not fun.

If you're able to break out by escaping their escape, you'll need to blend back in with something other than a ", because the escaping process breaks the syntax:

Injection: xss\"*alert(1)*\"
Reflection:
    x="xss\\"*alert(1)*\\"";y=42;

The *\\ following alert(1) is not valid syntax and will cause an error.

So…

Injection: xss\"*alert(1)//
Reflection:
    x="xss\\"*alert(1)//";y=42;

Commenting out the rest is your best bet, unless they escape your // like \/\/. When this happens, I don't think there's much you can do.

Escaping escapes reminds me of the classic movie moment, when a bad guy gets the drop on a good guy, but then another good guy gets the drop on the bad guy. It always cracks me up when this evasion technique works.

Source: https://blog.whitehatsec.com/escaping-escapes/
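The filter behaviour described in the post, shown from the server side as an added example (not part of the original post or the linked blog): a quote-only escaper next to one that escapes the backslash first, with the rendered statement evaluated against a stub `alert` to see whether the value stays data. The function names and the `x="...";y=42;` template are assumptions modelled on the post's reflections.

```javascript
// Added example: names below are hypothetical, the template mirrors the post's reflection.

// Weak: escapes only the double quote, so an injected backslash cancels the added one.
function weakEscape(s) {
  return s.replace(/"/g, '\\"');
}

// Hardened: backslash FIRST, then quote, line terminators and '<' (so "</script>"
// cannot end an inline script block either).
function hardenedEscape(s) {
  return s
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\x3c');
}

// The reflection point from the post: user input lands inside a JS string literal.
function render(escapeFn, input) {
  return 'x="' + escapeFn(input) + '";y=42;';
}

// Evaluate the rendered statement with a stub alert; report whether code ran
// and what ended up in x. Newlines keep a trailing // from hiding "return x".
function evaluate(script) {
  let alertCalled = false;
  const alert = () => { alertCalled = true; return 1; };
  try {
    const x = new Function('alert', 'var x, y;\n' + script + '\nreturn x;')(alert);
    return { ok: true, x, alertCalled };
  } catch (e) {
    return { ok: false, error: e.name, alertCalled };
  }
}

// The post's last injection string, used here as the regression input.
const sample = 'xss\\"*alert(1)//';
for (const [name, fn] of [['weak', weakEscape], ['hardened', hardenedEscape]]) {
  const out = render(fn, sample);
  console.log(name, out, evaluate(out));
}
```

A round-trip check like `evaluate(render(fn, input)).x === input` is a convenient regression test for any output encoder that writes into a JavaScript string context.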