07 April 2011


@Albinowax Assuming that angle brackets are filtered as well as equals signs and you're injecting into the middle of an HTML tag, I'd look to see if the encoding was specified when the page loads. If not, you could inject UTF-7 characters or some such thing to try to get the browser to interpret the content in a different encoding to bypass the filter (since it's operating on byte values). If that's a no-go too, I think you're SOL unless the attribute you're injecting into is particularly interesting (like the src attribute of an img tag, for instance).

Just out of interest, what would you do if = was filtered but ' wasn't? (Aside from inject autofocus)

Nice post - I particularly like using the .source attribute of a regex.
