New PHPIDS vector

No new PHPIDS vectors for a while? So I thought I’d write a new one as I had 5 minutes spare while drinking my coffee. I used a new technique (as far as I’m aware) to make things easier 🙂 A very old feature in IE is to allow events to be declared as vbscript using the language attribute. This has been used in some very old code but never in XSS, it’s definitely not on the cheatsheet.

Anyway here is the vector:-

<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>

POC

You have to rollover the bold “test” on the page to execute and allow scripted windows. The errors are related to the dom injections that are not valid because it’s a HTML injection. You could get round the scripted windows dialog by using other code but I only had 5 mins.

VBScript doesn’t require () to call functions and the plus converts 1 to a number (which it already is), this is used to bypass the need to use quotes within that particular attribute.

Note the XSS Filter in IE8 catches this vector.

6 Responses to “New PHPIDS vector”

  1. thornmaker writes:

    awesome! what is needed to avoid the scripted window dialog?

  2. Gareth Heyes writes:

    @Thornmaker

    Thanks 🙂

    MsgBox could be used, it would require some filter evasion though because MsgBox is filtered. You could use chr function combined with GetRef to insert a payload in the dom. Or tricks like this:-

    <b/alt=””onmouseover= MsgBox”XSS" language=vbs>test</b>

  3. whelq writes:

    works also on FF 3.0.11

    <b/alt=”1″onmouseover=alert(1) language=VBS>test</b>

  4. wheelq writes:

    works also on FF 3.0.11
    <b/alt=”1″onmouseover=alert(1) language=VBS>test</b>

  5. wheelq writes:

    shorter- <b/alt=”1″onmouseover=alert(1)>test</b>

  6. wheelq writes:

    sorry my bad, wrong interpretation 😉