InfoSec Forums (Web Application Penetration Testing / CSRF/XSS): Bypass XSS filtering using HEX Encoding

This topic contains 0 replies, has 1 voice, and was last updated by do son 3 weeks, 5 days ago.

    #4574 do son (Moderator)

    XSS is a common vulnerability found in web application testing. In many cases input is inserted without any filtering, but most of the services analyzed had strong filtering. That filtering still follows rules, and an attacker can often bypass those rules. Here I would like to look at a filter bypass through HEX encoding.

    1. What is HEX Encoding?

    HEX encoding here means an HTML numeric character reference written in hexadecimal: the string &#x followed by the character's hex code and a semicolon, for example &#x41; for the letter A. It is called hex encoding for convenience.

    2. A simple XSS filter and ordinary XSS syntax
    The principle is simple. Append the hex value for A, 41, to &#x and close it with a semicolon: &#x41; is the character A.
    Most XSS filters replace special characters such as < and > with &lt; and &gt; so that an attacker cannot insert a script tag. If the filter only checks the user input for the raw characters, the attacker can bypass the rule by sending the same data in encoded form instead.

    For example, consider the following XSS filtering function.

    <?php
    // Deliberately weak filter from the post: only '<' and '>' are replaced.
    // '&' is left alone, so a numeric character reference such as &#x3C;
    // passes through unchanged.
    function XSSFilter($inputString)
    {
        $output = str_replace("<", "&lt;", $inputString);
        $output = str_replace(">", "&gt;", $output);
        return $output;
    }
    ?>

    <?php
    // The filter is applied at insert time, before the title is written to the DB.
    // db_connect() stands in for the board's insert routine (rough sketch).
    $sqlIn = $_GET['title'];
    $sqlIn = XSSFilter($sqlIn);
    db_connect($sqlIn);
    ?>

    This code is only a rough sketch, so it may not actually run. In the above case, a value sent to the title parameter with GET is written to a post through db_connect, and the < and > characters are filtered out of the string first. Since most bulletin boards have to handle tags, the XSS filter is usually applied in the insert section.

    When you send the attack syntax in the title parameter in the following form, the post is filtered and appears as shown below it.
    /?title=<script>alert(1)</script>
    &lt;script&gt;alert(1)&lt;/script&gt;

    3. XSS through HEX Encoding
    Let's try inserting the XSS syntax in a slightly different way. As before, we put the script syntax in the title parameter, but this time in hex-encoded form. On the wire it is also URL-encoded: %26%23x decodes to &#x once PHP reads $_GET.
    /?title=%26%23x003C;script%26%23x003E;alert(1)%26%23x003C;/script%26%23x003E;

    XSSFilter does nothing to this input, because str_replace never sees a literal < or >. If the hex encoding is decoded when the value is saved to the DB or displayed on the bulletin board, the complete script syntax appears:

    <script>alert(1)</script>

    Note that this decode step is what makes the bypass work. A browser that renders &#x3C;script&#x3E; directly in the HTML body shows it as the text <script>, not as a tag, because character references are not re-parsed as markup. The bypass succeeds when the application itself decodes numeric references after filtering, for example with PHP's html_entity_decode() or mb_decode_numericentity(), or when the stored value is copied into a context where it gets decoded and interpreted again.

    4. Bypassing XSS

    In fact, I do not think there is anything special about XSS bypassing methods. Encoding-based bypasses are widely known, but I think the most important thing is understanding how the XSS filter's rules work. In a BBT (black-box test) you cannot see the code, so you have to infer the rules through repeated testing and speculation, and you must find the loopholes in those rules to succeed in bypassing them with an XSS attack.

    No system is truly secure!
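The pipeline from sections 2 and 3 (insert-time filter, a later entity decode, then display), as an added example that is not part of the original post. It ports the post's XSSFilter() to Python, feeds it both payloads from the post, and puts a hardened filter beside it. The decode step is an assumption about the board: decode_numeric_refs() models a normaliser that decodes only numeric references (the way PHP's mb_decode_numericentity() does), which is the condition under which the filter's own &lt; survives on the page while the attacker's &#x3C; is turned back into a real angle bracket. The payload strings are constructed from the URLs in the post.

```python
import html
import re
from urllib.parse import unquote

# Numeric character reference: &#NNN; (decimal) or &#xHH; (hex).
NUMERIC_REF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);", re.IGNORECASE)


def decode_numeric_refs(text: str) -> str:
    """Decode only numeric references, leaving named ones such as &lt; alone.

    Assumption about the board: this models a normaliser like PHP's
    mb_decode_numericentity() running after the filter. It reproduces the
    situation in the post, where &lt; stays on the page but &#x3C; does not.
    """
    def to_char(m):
        body = m.group(1)
        code = int(body[1:], 16) if body[0] in "xX" else int(body, 10)
        return chr(code)
    return NUMERIC_REF.sub(to_char, text)


def xss_filter(value: str) -> str:
    """Port of the post's XSSFilter(): replaces only '<' and '>'.

    '&' is left untouched, so a reference such as &#x3C; passes through
    unchanged: str_replace never sees a literal angle bracket.
    """
    return value.replace("<", "&lt;").replace(">", "&gt;")


def hardened_filter(value: str) -> str:
    """Escape '&' as well as '<', '>' and quotes (html.escape does all of these).

    With '&' escaped, &#x3C; is stored as &amp;#x3C;, which is no longer a
    numeric reference, so a later decode step cannot turn it into '<'.
    """
    return html.escape(value, quote=True)


def render_post(title_param: str, filt) -> str:
    """Model the board's handling of the title parameter of a GET request.

    1. $_GET percent-decodes the parameter (%26%23x becomes &#x).
    2. The filter runs at insert time, as the post says boards usually do.
    3. The numeric-entity decode runs before display (the 'release' step).
    """
    title = unquote(title_param)
    stored = filt(title)
    return decode_numeric_refs(stored)


def contains_script_tag(rendered: str) -> bool:
    """True when the rendered HTML contains a real <script> start tag."""
    return re.search(r"<script[\s>]", rendered, re.IGNORECASE) is not None


# Constructed inputs: the two payloads from the post, as they appear in the URL.
PLAIN_PAYLOAD = "<script>alert(1)</script>"
HEX_PAYLOAD = "%26%23x003C;script%26%23x003E;alert(1)%26%23x003C;/script%26%23x003E;"


if __name__ == "__main__":
    for name, payload in (("plain", PLAIN_PAYLOAD), ("hex", HEX_PAYLOAD)):
        for fname, filt in (("XSSFilter", xss_filter), ("hardened", hardened_filter)):
            out = render_post(payload, filt)
            verdict = "XSS" if contains_script_tag(out) else "blocked"
            print(f"{name:5} via {fname:9}: {verdict:7} {out}")
```

Running it shows the plain payload blocked by both filters, the hex payload rendered as a live script tag through XSSFilter, and the hex payload rendered as harmless text through the hardened filter. The general lesson is the one the post's example points at: a filter that leaves & alone is bypassable whenever any later component decodes character references, so escape & together with the angle brackets, escape at output time for the context the value lands in, and never run an entity decode after the escaping step.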
