New PHPIDS vector
Monday, 1 June 2009
No new PHPIDS vectors for a while? So I thought I’d write a new one, as I had 5 minutes spare while drinking my coffee. I used a new technique (as far as I’m aware) to make things easier 🙂 A very old IE feature allows event handlers to be declared as VBScript using the language attribute. It has been used in some very old code but never in XSS; it’s definitely not on the cheatsheet.
Anyway here is the vector:-
<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>
You have to roll over the bold “test” on the page to execute it, and allow scripted windows when prompted. The errors shown are from the DOM injection tests, which don’t apply here because this is an HTML injection. You could get round the scripted windows dialog by using other code, but I only had 5 minutes.
VBScript doesn’t require () to call a function, and the plus converts 1 to a number (which it already is); this avoids the need for quotes within that particular attribute value.
Note the XSS Filter in IE8 catches this vector.
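As an added example (not from the original post or from PHPIDS), here is the filter-side view of the vector: a tolerant start-tag tokenizer that reads attributes the way the browser does (a `/` separator, a name directly after a closing quote, bare values) and flags both `on*` handlers and the `language` attribute the vector relies on. The sample tags are the vectors quoted on this page; the attribute grammar and the `SCRIPT_LANGUAGES` set are my own assumptions, not PHPIDS rules.

```python
import re

# Tolerant start-tag grammar (an assumption, modelled on browser behaviour, not
# on PHPIDS): attribute names may follow whitespace, a "/" or the closing quote
# of the previous value, and values may be quoted or bare.
_TAG_RE = re.compile(r'<\s*([a-zA-Z][^\s/>]*)(.*?)/?>', re.DOTALL)
_ATTR_RE = re.compile(r'''
    (?<=[\s/'"])            # separator: whitespace, "/", or a closing quote
    ([^\s/=>'"]+)           # attribute name
    (?:\s*=\s*
        (?:"([^"]*)"        # double-quoted value
          |'([^']*)'        # single-quoted value
          |([^\s>]*)        # bare value, e.g. InputBox+1 (no quotes needed)
        )
    )?''', re.VERBOSE)

# Values of the IE "language" attribute that switch the handler's interpreter.
SCRIPT_LANGUAGES = {"vbs", "vbscript", "javascript", "jscript"}


def parse_start_tag(tag):
    """Return (tag_name, [(attr_name, attr_value), ...]) for one start tag."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        return None, []
    attrs = []
    for am in _ATTR_RE.finditer(m.group(2)):
        value = next((g for g in am.groups()[1:] if g is not None), None)
        attrs.append((am.group(1).lower(), value))
    return m.group(1).lower(), attrs


def risky_attributes(tag):
    """Flag event handlers and script-language switches found in one tag.

    Returns a list of (kind, attr_name, attr_value). The check treats
    "language" as script-bearing on its own: a rule that only inspects on*
    values for JavaScript syntax would miss the VBScript form.
    """
    findings = []
    for attr, value in parse_start_tag(tag)[1]:
        if attr.startswith("on"):
            findings.append(("event-handler", attr, value))
        elif attr == "language" and (value or "").lower() in SCRIPT_LANGUAGES:
            findings.append(("script-language", attr, value))
    return findings


if __name__ == "__main__":
    # Sample tags: the vectors quoted on this page plus one harmless tag.
    for sample in ('<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>',
                   '<b/alt="1"onmouseover=alert(1)>test</b>',
                   '<b alt="1" title="plain">test</b>'):
        print(sample, "->", risky_attributes(sample))
```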
No. 1 — June 1st, 2009 at 1:36 pm
awesome! what is needed to avoid the scripted window dialog?
No. 2 — June 1st, 2009 at 1:56 pm
@Thornmaker
Thanks 🙂
MsgBox could be used; it would require some filter evasion though, because MsgBox is filtered. You could use the chr function combined with GetRef to insert a payload in the DOM. Or tricks like this:-
<b/alt=""onmouseover= MsgBox"XSS" language=vbs>test</b>
No. 3 — June 15th, 2009 at 11:23 am
works also on FF 3.0.11
<b/alt="1"onmouseover=alert(1) language=VBS>test</b>
No. 4 — June 15th, 2009 at 11:23 am
works also on FF 3.0.11
<b/alt="1"onmouseover=alert(1) language=VBS>test</b>
No. 5 — June 15th, 2009 at 11:25 am
shorter- <b/alt="1"onmouseover=alert(1)>test</b>
No. 6 — June 15th, 2009 at 11:37 am
sorry my bad, wrong interpretation 😉