I need a JavaScript regular expression for the following hex string:

```
fileArg=ABC&Detail=%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%
20%74%59%70%45%3d%74%45%78%54%2f%76%42%73%43%72%49%70%54%3e%4d%73%67%42%
6f%78%28%31%35%32%36%36%29%3c%2f%73%43%72%49%70%54%3e
```

The hex part above is the following in ASCII:

```
--></sCrIpT><sCrIpT tYpE=tExT/vBsCrIpT>MsgBox(15266)</sCrIpT>
```

Can you help write a JavaScript regular expression which matches the above hex string?

Thanks

Wiktor Stribiżew
A.R

1 Answer

It looks like something a hacker put together to insert the following line of VBScript into a page:

```
<script type=text/vbscript>MsgBox(15266)</script>
```

Code like that is used to test websites for XSS vulnerabilities.

You should use server.htmlencode to filter your query parameters before you do anything else with them (like store them in a database or display them on screen).


John Slegers
  • Thanks, it's helpful. Actually I'm looking for a server-side JavaScript solution. decodeURI() converted to ASCII. – A.R Jul 12 '17 at 11:43
  • What on earth are you trying to achieve?! – John Slegers Jul 12 '17 at 11:44
  • :) The script is generated by a scan application which ran against my web application to look for vulnerabilities – A.R Jul 12 '17 at 11:46
  • So I guess you want to protect yourself from [**cross-site scripting attacks**](http://resources.infosecinstitute.com/how-to-prevent-cross-site-scripting-attacks/#gref)? In that case, filtering out that one string won't do. You'll need a more holistic approach! – John Slegers Jul 12 '17 at 11:52
  • It's a classic ASP application. I cannot encode/decode requests everywhere. I have created a central filter which looks for any JS or CSS injections. The above-mentioned scenario was not being caught in the filter. In most scenarios the filter catches any script injection attempts. – A.R Jul 12 '17 at 11:55
  • Without knowing more about your application, I would think this issue needs to be solved on the ASP side. Why do you believe this is a JavaScript issue? – John Slegers Jul 12 '17 at 12:01
  • My code is on the ASP side only. I'm writing server-side JavaScript. I know CSS issues cannot be done on the client side. That's the reason I used decodeURI() instead of unescape(). – A.R Jul 12 '17 at 12:03
  • So your ASP server is running Node.js scripts? Or what do you mean by "server side JavaScript"? And what libraries are you using to take care of the XSS filtering for you? Have you tried [**JS-XSS**](http://jsxss.com/en/index.html)? – John Slegers Jul 12 '17 at 12:10
  • No, it is not a NodeJS app. It's an old classic ASP application. No, I have not tried the library. – A.R Jul 13 '17 at 05:52
  • So what do you mean by "server side JavaScript" then? If your JavaScript is supposed to run in a server environment based on e.g. Node.js or [Rhino](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino), then it's server side JavaScript. If your JavaScript is supposed to run only in the browser, it's not server side JavaScript. Old classic ASP applications don't use server side JavaScript. They use traditional frontend JavaScript that may or may not be pre-processed by ASP. But as long as it is run only by the browser, it's not server side JavaScript! – John Slegers Jul 13 '17 at 07:58
  • Classic ASP can use VBScript or JavaScript as its scripting language. When JavaScript is used as the scripting language in classic ASP code, it's called server-side JavaScript. This kind of JS code does not run in the browser but rather it runs in IIS. – A.R Jul 14 '17 at 10:58
  • OK, I get it now... So, then, what about [**`Server.HTMLEncode`**](https://msdn.microsoft.com/en-us/library/ms525347(v=vs.90).aspx)? Have you tried that? Anyway, you might want to take a look at [**How To Prevent Cross-Site Scripting in ASP.NET**](https://msdn.microsoft.com/en-us/library/ms998274.aspx) – John Slegers Jul 14 '17 at 11:59
  • As I mentioned above, encoding of requests is not possible everywhere. It's a big legacy application. So I came up with a filter that detects and filters any JS injection attempts. Thanks. – A.R Jul 17 '17 at 04:41
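
The thread above turns on inspecting a percent-encoded parameter and on encoding it at output. The following is an added example, not code from the question, the answer or any library: it canonicalizes the `Detail` value from the question before testing it, then HTML-encodes it. The function names are hypothetical, and it assumes a modern JavaScript runtime rather than classic ASP's JScript engine.

```javascript
// Payload from the question (the Detail parameter), joined onto one line.
const DETAIL =
  "%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%" +
  "20%74%59%70%45%3d%74%45%78%54%2f%76%42%73%43%72%49%70%54%3e%4d%73%67%42%" +
  "6f%78%28%31%35%32%36%36%29%3c%2f%73%43%72%49%70%54%3e";

// Percent-decode until the value stops changing (bounded), so single- and
// double-encoded input end up in one canonical form before inspection.
// decodeURIComponent is used because decodeURI leaves reserved characters
// such as %2f ("/") and %3d ("=") encoded.
function canonicalize(value, maxRounds = 5) {
  let current = String(value).replace(/\+/g, " "); // form-encoded space
  for (let i = 0; i < maxRounds; i++) {
    // Decode each run of %XX bytes; keep malformed runs instead of throwing.
    const next = current.replace(/(?:%[0-9a-fA-F]{2})+/g, (run) => {
      try {
        return decodeURIComponent(run);
      } catch (e) {
        return run;
      }
    });
    if (next === current) break;
    current = next;
  }
  return current;
}

// Case-insensitive check for an opening or closing script tag, applied to
// the canonical form rather than to the raw query string.
const SCRIPT_TAG = /<\s*\/?\s*script\b/i;
function looksLikeScriptInjection(value) {
  return SCRIPT_TAG.test(canonicalize(value));
}

// Output encoding in the spirit of the Server.HTMLEncode advice in the
// answer: the value is rendered as text whatever the filter decided.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}
```

A pattern match like this only flags input; the encoding applied at the point of output is what stops the markup from being interpreted.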