*Newbie* XSS Cant escape

Discuss the many weaknesses of browser security and ways to mitigate the threat

*Newbie* XSS Cant escape

Post by davemint on Mon Nov 04, 2013 9:47 am
([msg=78038]see *Newbie* XSS Cant escape[/msg])

Hi all,

First off im a n00b so go easy on me. I have found a message variable that I can change on a site I'm currently testing. I can get the following output on screen <script>alert(1)</script> as text using this "http://examplesite.com/login.aspx?Msg=%uff1cscript%uff1ealert(1)%uff1c/script%uff1e". Yet I cant seem to escape to get it to actually run as a script. Its an ASP.net site.

From page source:
Code: Select all
<span id="msg" class="message"><script>alert(1)</script></span>


Any help would be appreciated (tutorials, direct help etc) or is this just not possible. I tried , < " etc yet it just outputs them as text.

Thanks
davemint
New User
New User
 
Posts: 1
Joined: Mon Nov 04, 2013 9:28 am
Blog: View Blog (0)


Re: *Newbie* XSS Cant escape

Post by WallShadow on Mon Nov 04, 2013 12:29 pm
([msg=78039]see Re: *Newbie* XSS Cant escape[/msg])

either one of two things are possible here:

your web browser is escaping the % in the url so that the web page translates it back to '%uff1', which is output to your browser, and your browser discplays it as '<'

or

the website ISN"T vulnerable and there is a script filtering any such attempts.

just because it shows up a <script> on the webpage, doesn't mean it's not escaped. to check that, go to the source. as for escaping it in the url, you can try posting you injection without escaping it, or fire up a proxy like ZAP and see what your browser is actually doing.

as for resources: OWASP should be more than enough if you understand what is going on: https://www.owasp.org/index.php/XSS_Fil ... heat_Sheet
User avatar
WallShadow
Contributor
Contributor
 
Posts: 625
Joined: Tue Mar 06, 2012 9:37 pm
Blog: View Blog (0)



Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests