New PHPIDS vector

No new PHPIDS vectors for a while? So I thought I’d write a new one as I had 5 minutes spare while drinking my coffee. I used a new technique (as far as I’m aware) to make things easier :) A very old feature in IE is that an event handler can be declared as VBScript using the language attribute. This has been used in some very old code but never in XSS; it’s definitely not on the cheatsheet.

Anyway here is the vector:-

<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>

POC

You have to roll over the bold “test” on the page to execute it and allow scripted windows. The script errors you see come from the DOM injections on the page, which are not valid because this is an HTML injection rather than a DOM one. You could get round the scripted windows dialog by using other code but I only had 5 mins.

VBScript doesn’t require () to call a function, and the unary plus turns 1 into a numeric expression (which it already is), so the argument can be passed without any quotes inside that attribute.

Note the XSS Filter in IE8 catches this vector.
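As an added example that is not part of the original post, here is a small PHPIDS-style detection routine, written in Python rather than PHP, which tokenizes tag attributes the way browsers do (accepting “/” as an attribute separator, unquoted values, and a new attribute starting right after a closing quote) and then flags inline event handlers, noting when a language attribute switches the handler to VBScript. The sample inputs are the two vectors quoted on this page plus a benign tag, constructed here for the demo; the function and rule names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed inputs for the demo: the vectors quoted on the page plus a benign tag.
SAMPLES = {
    "page_vector": '<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>',
    "msgbox_variant": '<b/alt=""onmouseover= MsgBox"XSS" language=vbs>test</b>',
    "benign": '<b alt="1" title="hello">test</b>',
}

# Opening tags only: name followed by everything up to the closing ">".
TAG_RE = re.compile(r"<([a-zA-Z][\w:-]*)([^>]*)>")

# Attribute tokenizer. Browsers accept "/" as well as whitespace between
# attributes, and a new attribute may begin immediately after a closing
# quote (alt="1"onmouseover=...), so the separator is optional.
ATTR_RE = re.compile(
    r"""[\s/]*([^\s/=>]+)              # attribute name
        (?:\s*=\s*(?:"([^"]*)"         # double-quoted value
                   |'([^']*)'          # single-quoted value
                   |([^\s>]+)))?       # unquoted value (runs to whitespace)
    """,
    re.VERBOSE,
)


def parse_attributes(attr_text: str) -> Dict[str, str]:
    """Tokenize the attribute part of a tag into a name -> value map.

    The first occurrence of a name wins, mirroring browser behaviour for
    duplicate attributes. Names are lower-cased; values keep their case.
    """
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next((g for g in m.group(2, 3, 4) if g is not None), "")
        attrs.setdefault(name, value)
    return attrs


def scan(html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, attribute, reason) findings for inline event handlers.

    A language attribute whose value starts with "vb" marks the handler as
    VBScript, which is the IE-only trick the page describes; the reason
    string records that so an alert can be triaged accordingly.
    """
    findings: List[Tuple[str, str, str]] = []
    for m in TAG_RE.finditer(html):
        tag = m.group(1).lower()
        attrs = parse_attributes(m.group(2))
        lang = attrs.get("language", "").lower()
        is_vb = lang.startswith("vb")
        for name in attrs:
            # Any on* attribute (onmouseover, onload, ...) is an inline handler.
            if name.startswith("on") and len(name) > 2:
                reason = "inline event handler"
                if is_vb:
                    reason += f" declared as VBScript via language={lang}"
                findings.append((tag, name, reason))
    return findings


if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(label, scan(markup))
```

The tokenizer is deliberately permissive: a filter that only recognises space-separated, quoted attributes would miss `<b/alt="1"onmouseover=...` entirely, which is exactly the gap the vector exploits. Flagging on the attribute name rather than on the handler body also means the payload (`InputBox+1`, `MsgBox"XSS"`) does not need to be on a keyword list.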

Comments (6)

  1. thornmaker wrote:

    awesome! what is needed to avoid the scripted window dialog?

    Posted 01 Jun 2009 at 1:36 pm
  2. Gareth Heyes wrote:

    @Thornmaker

    Thanks :)

    MsgBox could be used, it would require some filter evasion though because MsgBox is filtered. You could use chr function combined with GetRef to insert a payload in the dom. Or tricks like this:-

    <b/alt=""onmouseover= MsgBox"XSS" language=vbs>test</b>

    Posted 01 Jun 2009 at 1:56 pm
  3. whelq wrote:

    works also on FF 3.0.11

    <b/alt="1"onmouseover=alert(1) language=VBS>test</b>

    Posted 15 Jun 2009 at 11:23 am
  4. wheelq wrote:

    works also on FF 3.0.11
    <b/alt="1"onmouseover=alert(1) language=VBS>test</b>

    Posted 15 Jun 2009 at 11:23 am
  5. wheelq wrote:

    shorter- <b/alt="1"onmouseover=alert(1)>test</b>

    Posted 15 Jun 2009 at 11:25 am
  6. wheelq wrote:

    sorry my bad, wrong interpretation ;)

    Posted 15 Jun 2009 at 11:37 am
