Closing an HTML element without using literal slashes
In this article, I will discuss ways to close an HTML element without using literal slashes. The vulnerability in question: an application echoes a user-supplied filename into its page without sanitizing the filename.
For example, a file named test-<script>alert("evil");.txt will result in that text being echoed into the XHTML. The problem is that the <script> tag can't be closed, because the filename can't contain a /.
I have tried several ways of encoding the slash so that it can appear in the filename but still be interpreted by the HTML parser as a closing tag, but with no luck. The characters are inserted literally into the HTML without any intermediate encoding/decoding.
However, there are some techniques you can try to exploit this vulnerability. Here are a few suggestions:
- Try <img src="" onerror="alert(0)"> to execute a script without user interaction.
- Create a giant element that covers most of the page and use onmouseover to exploit the vulnerability.
- Try onreadystatechange or onfocus="alert(0)" autofocus to exploit the vulnerability in specific browsers.
- On Opera, try <table background=javascript:alert(0)> to execute a script.
- Try <img src="javascript:alert(0)"> and <iframe src="javascript:alert(0)"> to execute a script, although this is unlikely to work on most browsers.
- If the server doesn't specify the character encoding (charset) in the headers of the HTTP response, try UTF-7 shenanigans (only works on older browsers).
Note that these techniques are highly browser-dependent. If you need further assistance, I recommend asking on Sla.ckers, where knowledgeable individuals can help you with this type of vulnerability.
For more information and advanced XSS vectors, I suggest checking out RSnake’s XSS cheat sheet, Gareth Heyes’ blog, and the Sla.ckers forum.
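The root cause of everything above is the same: a filename is interpolated into the page verbatim, so a name containing < is parsed as markup. The following Python is an added example, not code from the original article or the application it describes; it shows the vulnerable rendering next to the hardened one (HTML entity encoding), plus a simple input-side check that flags filenames carrying HTML metacharacters. The TEMPLATE string and function names are assumptions made for this example.

```python
import html
import re

# Page fragment into which the filename is echoed (constructed for this example).
TEMPLATE = '<p>Uploaded file: {name}</p>'

# The filename from the article, used here as sample input.
SAMPLE_NAME = 'test-<script>alert("evil");.txt'


def render_unsafe(filename: str) -> str:
    """Vulnerable: the filename is interpolated verbatim, so '<script>' in
    it becomes a real element (the defect the article describes). Note the
    attacker never needs a '/' to open a tag, only to close one."""
    return TEMPLATE.format(name=filename)


def render_safe(filename: str) -> str:
    """Hardened: entity-encode the filename for an HTML text context.
    '<', '>', '&', '"' and "'" become &lt; &gt; &amp; &quot; &#x27;,
    so the browser displays the name as text and no tag is ever opened."""
    return TEMPLATE.format(name=html.escape(filename, quote=True))


# Characters that can change parsing in HTML text or attribute contexts.
HTML_METACHARS = re.compile(r'[<>"\'&]')


def is_suspicious_filename(filename: str) -> bool:
    """Input-side check for upload handling or logging: flag filenames that
    carry HTML metacharacters. A detection aid only; output encoding in
    render_safe() is the actual fix, since rejecting input is bypassable."""
    return HTML_METACHARS.search(filename) is not None


if __name__ == '__main__':
    print('unsafe :', render_unsafe(SAMPLE_NAME))
    print('safe   :', render_safe(SAMPLE_NAME))
    print('flagged:', is_suspicious_filename(SAMPLE_NAME))
```

Encoding must match the context the value lands in: html.escape covers text and quoted attribute values, but a filename echoed into a URL, a script block or an unquoted attribute needs that context's own encoding.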