Hackvertor now decodes css escapes

I posted a vector to the web app sec list because they were discussing expression XSS. Ivan Ristic naturally used Hackvertor to try to decode the vector automatically, and in doing so he exposed a bug in the auto decoder. Well, it’s now fixed, yay! Thanks Ivan. I found a couple of errors in my regex syntax and I’ve optimised the expressions considerably.

The main problem is that Hackvertor has no way of knowing whether the code uses octal escapes or CSS hex escapes: the two look identical in the input but can decode to different characters. Unfortunately I can’t see a way around this and I may have to accept it as a limitation of the auto decoder. Please leave a comment if you can think of anything.

Here it is in action:
[Image: Auto decoder]

One Response to “Hackvertor now decodes css escapes”

  1. Gareth Heyes writes:

    Never mind 🙂

    It works now: Hackvertor checks for a style= and then assumes CSS escapes, or, if it doesn’t exist, converts octal.
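
The ambiguity described in the post and the style= heuristic from the comment, as an added example that is not Hackvertor's own code. It decodes one backslash-escaped fragment both as CSS hex escapes (backslash, one to six hex digits, optional whitespace terminator) and as C/JS-style octal escapes (backslash, one to three octal digits), reports whether the two readings disagree, and picks one based on whether a style= attribute is present. The decoder functions, the `ambiguity` and `autoDecode` names and the sample inputs are all constructed for this illustration.

```javascript
// Added example, not Hackvertor's own code: decode a backslash-escaped fragment
// both as CSS hex escapes and as C/JS-style octal escapes, then apply the
// "is there a style= attribute?" heuristic from the post's comment.
// All sample inputs below are constructed for this example.

// CSS escape: "\" + 1..6 hex digits, plus one optional whitespace character
// that is consumed as a terminator (CSS Syntax Level 3, "consume an escaped code point").
const CSS_ESCAPE = /\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?/g;

// C/JS-style octal escape: "\" + 1..3 octal digits.
const OCTAL_ESCAPE = /\\([0-7]{1,3})/g;

// CSS maps NUL, surrogates and out-of-range values to U+FFFD instead of failing.
function cssCodePoint(hex) {
  const cp = parseInt(hex, 16);
  if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) {
    return '\uFFFD';
  }
  return String.fromCodePoint(cp);
}

function decodeCssEscapes(s) {
  return s.replace(CSS_ESCAPE, (_, hex) => cssCodePoint(hex));
}

function decodeOctalEscapes(s) {
  return s.replace(OCTAL_ESCAPE, (_, oct) => String.fromCharCode(parseInt(oct, 8)));
}

// Both interpretations of one fragment, so a reviewer can see whether they agree.
// For "\41" they do not: CSS gives "A" (0x41), octal gives "!" (decimal 33).
function ambiguity(fragment) {
  const css = decodeCssEscapes(fragment);
  const octal = decodeOctalEscapes(fragment);
  return { css, octal, differs: css !== octal };
}

// Heuristic from the comment: a style= attribute nearby means CSS escapes,
// otherwise fall back to octal. It is a guess about context, not a proof,
// which is exactly the limitation the post describes.
function autoDecode(s) {
  return /style\s*=/i.test(s) ? decodeCssEscapes(s) : decodeOctalEscapes(s);
}

// Constructed samples showing the same characters decoding differently.
const SAMPLES = [
  '\\41',                    // CSS "A", octal "!"
  'style="color:\\72 ed"',   // CSS: \72 is "r" and the space is the terminator -> color:red
  '\\162ed',                 // octal: \162 is "r" -> "red"; CSS reads five hex digits as one code point
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(ambiguity(s)), 'auto:', JSON.stringify(autoDecode(s)));
}
```

Run it with node. The point for anyone building a decoder for a filter or detection pipeline is the `differs` flag: whenever both readings disagree, a context guess is being made, and the safe move is to evaluate the input under both interpretations rather than trust one.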