Closing an HTML element without using literal slashes

In this article, I will discuss ways to close an HTML element without using literal slashes. The vulnerability in question is an application that echoes a user-supplied filename into the page without sanitizing it.

For example, a file named test-<script>alert("evil");.txt will result in that text echoed into the XHTML. The problem is that the <script> tag can’t be closed because the filename can’t contain a /.

I have tried several ways of encoding the slash so that it can appear in the filename but still be interpreted by the HTML parser as a closing tag, but with no luck. The characters are inserted literally into the HTML without any intermediate encoding/decoding.

However, there are some techniques you can try to exploit this vulnerability. Here are a few suggestions:

  • Try <img src="" onerror="alert(0)"> to execute a script without user interaction.

  • Create a giant element that covers most of the page and use onmouseover to exploit the vulnerability.

  • Try onreadystatechange or onfocus="alert(0)" autofocus to exploit the vulnerability in specific browsers.

  • On Opera, try <table background=javascript:alert(0)> to execute a script.

  • Try <img src="javascript:alert(0)"> and <iframe src="javascript:alert(0)"> to execute a script, although this is unlikely to work on most browsers.

  • If the server doesn’t specify the character encoding (charset) in the headers of the HTTP response, try UTF-7 shenanigans (only works on older browsers).
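To show why the vectors above work and how the echo described earlier is fixed, here is an added example (not code from the original article): the unsafe concatenation next to an escaped version and an allowlist check. The page template, function names and sample filenames are assumptions constructed for illustration.

```python
# Added example, not from the original article. The template, function names
# and the sample filenames below are constructed for illustration.
import html
import re

# Constructed sample filenames: the article's own example, a filename carrying
# the <img onerror> vector, and an ordinary benign one.
SAMPLE_FILENAMES = [
    'test-<script>alert("evil");.txt',
    'photo-<img src="" onerror="alert(0)">.png',
    'report 2024.pdf',
]


def echo_filename_unsafe(name: str) -> str:
    """The vulnerable pattern: the filename is concatenated straight into HTML."""
    return "<p>Uploaded: " + name + "</p>"


def echo_filename_escaped(name: str) -> str:
    """Hardened: &, <, > and both quote characters are escaped before the
    name reaches the HTML, so no tag or attribute can be opened."""
    return "<p>Uploaded: " + html.escape(name, quote=True) + "</p>"


# Stricter still: accept only a conservative character set, so markup
# characters never reach the template at all (assumed policy, not the page's).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}$")


def is_safe_filename(name: str) -> bool:
    return SAFE_NAME.fullmatch(name) is not None


TAG = re.compile(r"<([A-Za-z]+)")


def injected_tags(fragment: str) -> list:
    """Tags found in the rendered fragment other than the template's own <p>;
    anything listed here was opened by the untrusted filename."""
    return [t.lower() for t in TAG.findall(fragment) if t.lower() != "p"]


if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        print(repr(name), "unsafe ->", injected_tags(echo_filename_unsafe(name)),
              "escaped ->", injected_tags(echo_filename_escaped(name)),
              "allowlisted:", is_safe_filename(name))
```

The unsafe echo opens a <script> or <img> tag from the filename even though it contains no slash; the escaped echo opens nothing, and the allowlist rejects both hostile names outright.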

Note that these techniques are highly browser-dependent. If you need further assistance, I recommend asking on Sla.ckers, where knowledgeable individuals can help you with this type of vulnerability.

For more information and advanced XSS vectors, I suggest checking out RSnake’s XSS cheat sheet, Gareth Heyes’ blog, and the Sla.ckers forum.
