Javascript: if(alert(1)); // executed i(alert(1)); // not executed (TypeError: i is not a function)
It's worth to note that Firefox (5) does execute the inside function, whereas Chrome (13) and IE(9) do not. Talk about browser consistency... On Mon, Aug 8, 2011 at 9:38 AM, CnCxzSec衰仔 <[email protected]> wrote: > > a good example to see the "incorrect handling": > <!--[if<img/onerror=alert(1) src=]> //executed. > <!--[i<img/onerror=alert(1) src=]> //not executed. > > > On Mon, Aug 8, 2011 at 2:23 PM, Christian Sciberras <[email protected]>wrote: > >> I think it's worth to note that MSIE expects an *expression* in the >> conditional (it's a feature). >> Hence even if you disable direct XSS, there still would probably be >> more ways an *expression* could be used to write HTML code. >> >> As such, I don't think they should be "fixing" this (since it is >> intended), but rather warn developers about it's existence. >> >> On the other hand, if developers are writing unfiltered HTML inside >> this conditional, I think there are worse issues than this. >> I've always believed in the philosophy of making browsers work as >> expected instead of expecting them to comply and fix my issues. >> Especially if the browser in question is Internet Explorer ;-). >> >> Cheers, >> Chris. >> >> >> >> On Mon, Aug 8, 2011 at 5:59 AM, CnCxzSec衰仔 <[email protected]> wrote: >> > this is a normal use, but <!--[if<img/onerror=alert(1) src=]> is an >> unnormal >> > use. IE should regard this as an HTML comment instead of a >> downlevel-hidden >> > comment, so the HTML tags inside the COMMENT should not be evaled. >> > On Mon, Aug 8, 2011 at 11:30 AM, Andrew Farmer <[email protected]> >> wrote: >> >> >> >> On 2011-08-07, at 19:53, CnCxzSec衰仔 wrote: >> >> > hi all, here is an interesting trick to perform an xss attack with IE >> >> > browsers. >> >> > >> >> > some rich text applications such as email and blog, may provide HTML >> >> > uses >> >> > but have a policy to block the on-event execution to prevent the XSS >> >> > attack. >> >> > However, this applications may also allow the HTML notes uses,for >> >> > instance >> >> > "<!-- -->" >> >> >> >> Any such applications are likely to also be vulnerable to a simpler >> attack >> >> based on "downlevel-hidden" conditional comments: >> >> >> >> <!--[if IE]> >> >> <script>anything you want can go here, presumably</script> >> >> <![endif]--> >> > >> > _______________________________________________ >> > Full-Disclosure - We believe in it. >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> > Hosted and sponsored by Secunia - http://secunia.com/ >> > >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
