An interesting paper, by a Chinese hacker Pujun Li, translated by Insight-labs, on bypassing IE 8’s client-side Cross-Site Scripting (XSS) filters:
Basically, some special characters are converted by the web container during processing; if developers misunderstand this conversion process, the IE XSS Filter might be bypassed.
In PHP, if a website enables magic_quotes_gpc = On in php.ini, then, as we know, ' (single quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash (%00 => \0).
From my pentesting of bypassing the IE XSS Filter, I feel the IE developers weren't interested in how the IE XSS Filter handles NULL characters escaped with a backslash ( \ ); I mean, they didn't deeply understand the conversion process.
1. xss.php demo source code:
<?php echo $_GET['x']?>
var x="<?php echo $_GET['z']?>"
2. HTML bypass case:
1. The bypass characters must appear in the intercept rules of the IE XSS Filter; for example, an intercept for <script> can also be <script [here]>.
1. Need to close a backslash ( \ ) through the multi-byte problem.
2. //(%000000%0d is used to bypass the function intercept rules.
Feel free to contact me at @jackmasa
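A worked contrast, added here and not part of Pujun Li's paper or the original post: it simulates the magic_quotes_gpc conversion with addslashes() (the directive itself was removed in PHP 5.4), renders the demo's reflection pattern, and shows the context-aware output encoding that does not rely on the browser's filter. The <script> wrapper around the var x assignment and the sample input are assumptions.

```php
<?php
// Added example (not from the paper): contrast the escaping that
// magic_quotes_gpc applied with correct, context-aware output encoding.

// magic_quotes_gpc is gone since PHP 5.4; addslashes() does the same
// transformation: ' " and \ get a leading backslash, NUL becomes \0.
function legacy_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// The reflection pattern of the demo's xss.php: raw output into the HTML
// body and into a JavaScript string literal (script tag assumed here).
// Escaping quotes and NUL on input is not encoding for either context.
function render_unsafe(string $x, string $z): string
{
    return $x . "\n<script>var x=\"" . $z . "\"</script>";
}

// Hardened rendering: encode once, at output, for each context separately.
// htmlspecialchars neutralises markup in the body; json_encode with the
// HEX flags emits <, >, &, ' and " as \uXXXX escapes and NUL as \u0000,
// so nothing in $z can terminate the string literal or the script block.
function render_safe(string $x, string $z): string
{
    $html = htmlspecialchars($x, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $js   = json_encode($z, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $html . "\n<script>var x=" . $js . "</script>";
}

// Constructed input holding the three characters the paper singles out:
// a double quote, a backslash and a NUL byte (what %00 decodes to).
$input = "a\"b\\c\0d";

// What the legacy conversion produced, shown as hex so the NUL is visible.
echo "magic_quotes view: ", bin2hex(legacy_magic_quotes($input)), PHP_EOL;

// Same input through both renderers; compare how the NUL and quote land.
echo "unsafe:", PHP_EOL, render_unsafe("<b>hi</b>", legacy_magic_quotes($input)), PHP_EOL;
echo "safe:", PHP_EOL, render_safe("<b>hi</b>", $input), PHP_EOL;
```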
Comment by Kaylan on 2012-11-23 13:18:44
If you wrote an article about life we'd all reach enlightenment.