Hackvertor now decodes css escapes
Friday, 16 January 2009
I posted a vector to the web app sec list because they were discussing expression XSS. Ivan Ristic naturally used Hackvertor to try and decode the vector automatically. But he exposed a bug in the auto decoder. Well it’s now fixed yay! Thanks Ivan. I found a couple of errors in my reg exp syntax and I’ve optimised them much better.
The main problem is that Hackvertor has no way of knowing if the code is octal escapes or css hex escapes because they look identical but the result can be different. Unfortunately I can’t see a way around this and I might have to accept this as a limitation of the auto decoder. Please leave a comment if you can think of anything.
Here it is in action:-
Auto decoder
No. 1 — January 16th, 2009 at 2:06 pm
Never mind 🙂
It works now, Hackvertor checks for a style= and then assumes css escapes or if it doesn’t exist converts octal