Exploits: Passing JavaScript/HTML Filters with Special Chars
Date: 19.08.2003
--------------------------------------------------------

Info:
When web browsers parse HTML they remove certain non-alphanumeric characters. A malicious user can use this behavior to fool JavaScript/HTML filters: the filter sees a string that does not look like "javascript:", but the browser drops the inserted character and executes the HTML or JavaScript anyway.

Details:
To detect which special characters can be used in HTML parameters, Ben has set up the following ASP page:

--------2.asp---------
<%@LANGUAGE=JScript%>
<%
%>
<%
%>
<!-- The HTML emitted between the server-side blocks (including the image tags
     whose "javascript:" URLs carry the injected character) did not survive
     extraction; only the JScript blocks remain. -->
<%
for (i = 0; i < 256; ++i) {
    // Percent-encode the byte value as %XX so it can be written into the URL.
    uc = "%" + chk(i.toString(16));
%>
<%
}
// Pad a single hex digit to two characters.
function chk(sInp) {
    if (sInp.length < 2) {
        return String("0" + sInp);
    } else {
        return sInp;
    }
}
%>
----------

The page was viewed with Mozilla, Opera and Internet Explorer; an alert box pops up for the following character codes, in this order:

* Mozilla 1.3.1 (Win32): 0 (with restrictions)
* Opera 7.11 (Win32): 0, 9, 10, 13, 173
* Internet Explorer 5.0: 13, 10, 9, 0

Mozilla doesn't allow the window.alert() method in "javascript:" images, so Ben had to use his own function "a()". It also returned an error for chars 9, 10 and 13: "Error: unterminated regular expression literal".

Demonstration site: http://badwebmasters.net/advisory/012/test.asp
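As an added illustration (not part of the advisory or Ben's test page), the following JavaScript mirrors the advisory's probe loop against two URL filters: a naive one that only looks for the literal "javascript:" prefix, and a hardened one that first removes the byte values the advisory reports IE and Opera as ignoring (0, 9, 10, 13) and then allow-lists the scheme. The filter names and the "a()" callback in the probe URL are assumptions for the demo.

```javascript
// Added example, not from the advisory: why a URL filter must strip the
// characters browsers ignore before it decides whether a scheme is safe.

// Byte values the advisory reports IE 5.0 and Opera 7.11 as skipping inside a scheme.
const BROWSER_IGNORED = [0, 9, 10, 13];
const IGNORED_RE = /[\u0000\u0009\u000a\u000d]/g;

// Percent-decode once (the test page emits the byte as %XX); keep the raw input on a bad escape.
function percentDecode(url) {
  try { return decodeURIComponent(url); } catch (e) { return url; }
}

// Naive filter: decodes, then looks for the literal "javascript:" prefix.
// "javas\u0000cript:" does not match, yet an affected browser still runs it.
function naiveBlocksUrl(url) {
  return /^\s*javascript:/i.test(percentDecode(url));
}

// Hardened filter: strip the ignored characters first, then allow-list the scheme.
function normalizeUrl(url) {
  return percentDecode(url).replace(IGNORED_RE, "").trim().toLowerCase();
}
function isAllowedUrl(url) {
  const m = normalizeUrl(url).match(/^([a-z][a-z0-9+.\-]*):/);
  if (!m) return true;                       // no scheme: relative URL
  return m[1] === "http" || m[1] === "https"; // anything else (javascript:, data:, ...) is refused
}
function hardenedBlocksUrl(url) {
  return !isAllowedUrl(url);
}

// Mirror of the advisory's loop: inject each byte 0..255 as %XX into the scheme and
// return the byte values that the filter lets through AND an affected browser would execute.
function bypassCodes(filterBlocks) {
  const out = [];
  for (let i = 0; i < 256; i++) {
    const esc = "%" + i.toString(16).padStart(2, "0");
    const url = "javas" + esc + "cript:a(" + i + ")"; // constructed probe URL, as on the test page
    if (!filterBlocks(url) && BROWSER_IGNORED.includes(i)) out.push(i);
  }
  return out;
}

console.log("naive filter misses:", bypassCodes(naiveBlocksUrl));       // [0, 9, 10, 13]
console.log("hardened filter misses:", bypassCodes(hardenedBlocksUrl)); // []
```

The Mozilla-specific code 173 is deliberately left out of the stripped set so the result matches the IE/Opera rows above; a real deployment would normalise against every browser it must support.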