These general attacks are extremely cool and much kudos to the people who discovered them. I've been looking at specific attacks which get around these filters. By specific I mean they only target specific websites. So how does one get around XSS filtering?

The thing I realised (someone may have helped me realise this, I don't know/can't remember) is that if any data undergoes translation from input to output then the browser can't protect against it, as the browser can't be aware of the translation that the data undergoes. This isn't exactly amazing or groundbreaking but it is interesting.

The very first thing I tried was to get an XSS attack working for Chrome on http://www.motobit.com/util/base64-decoder-encoder.asp

The first step was to encode the attack into a base64 string. </textarea><script>alert('hi')</script> gets encoded to PC90ZXh0YXJlYT48c2NyaXB0PmFsZXJ0KCdoaScpPC9zY3JpcHQ+ If you decode that string there you will get an alert saying hi. So success! (Auto submit)
I like these attacks because it firmly places the responsibility of protecting the page back on the web developer. Browser filtering should not be an excuse for poor security. If you are a web developer who takes data and manipulates it in some way you need to be aware of these types of attacks and always escape your output.
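As an added example (not code from the original post or from the site it mentions), this Python sketch models both points above: a constructed stand-in for a browser reflected-XSS filter that only checks whether the raw request parameter appears verbatim in the response misses the base64-transformed payload, while escaping the decoded value at output time removes the script from the page entirely. The decoder page, the auditor and the helper names are all assumptions for illustration.

```python
import base64
import html


def naive_reflected_xss_auditor(request_param: str, response_body: str) -> bool:
    """Constructed stand-in for a browser-side reflected XSS filter.
    Flags the response only when the raw request parameter appears
    verbatim in the output. Returns True when the filter would block."""
    return request_param in response_body


def render_vulnerable(b64_input: str) -> str:
    """Decodes the parameter and echoes it straight into the page.
    This is the pattern the post describes: the output no longer looks
    like the input, so an input-vs-output filter cannot match it."""
    decoded = base64.b64decode(b64_input).decode("utf-8", errors="replace")
    return f"<textarea>{decoded}</textarea>"


def render_hardened(b64_input: str) -> str:
    """Same decode, but the value is HTML-escaped at output time, after the
    transformation, which is the fix the post asks developers to apply."""
    decoded = base64.b64decode(b64_input).decode("utf-8", errors="replace")
    return f"<textarea>{html.escape(decoded, quote=True)}</textarea>"


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show whether a live <script> element survived."""
    return "<script>" in page.lower()


# Constructed sample input: the payload from the post and its base64 form.
PAYLOAD = "</textarea><script>alert('hi')</script>"
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()


def demo() -> dict:
    """Returns the outcomes of the untransformed, transformed and hardened cases."""
    direct_page = f"<textarea>{PAYLOAD}</textarea>"   # no translation, filter can match
    vuln_page = render_vulnerable(ENCODED)           # translated, filter cannot match
    hard_page = render_hardened(ENCODED)             # translated, but escaped on output
    return {
        "encoded": ENCODED,
        "auditor_blocks_direct": naive_reflected_xss_auditor(PAYLOAD, direct_page),
        "auditor_blocks_transformed": naive_reflected_xss_auditor(ENCODED, vuln_page),
        "vulnerable_has_script": contains_script_tag(vuln_page),
        "hardened_has_script": contains_script_tag(hard_page),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```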