VBScript to Rule IE
SANS have published a report on VBScript malware and related things. The report was mentioned on ha.ckers.org which was followed by a small discussion on various ways of injecting VBScript, executing statements, etc.
Internet Explorer is still the most popular browser in the world.
In a few simple steps you can put several lines of VBScript code in a single line. For example, use the following URL in Internet Explorer to show two alert boxes (MsgBox in VBScript).
vbscript:Execute(chr(77) & chr(115) & chr(103) & chr(66) & chr(111) & chr(120) & chr(40) & chr(34) & chr(66) & chr(108) & chr(97) & chr(34) & chr(41) & chr(13) & chr(10) & chr(77) & chr(115) & chr(103) & chr(66) & chr(111) & chr(120) & chr(40) & chr(34) & chr(66) & chr(108) & chr(97) & chr(34) & chr(41))
This is probably the safest way to do this, although with the help of some URL encoding magic you can achieve a similar result. Notice that each line is connected with chr(13) & chr(10), which is the familiar LF CR sequence.
You cannot execute VBScript on about:blank in Internet Explorer 7. To test the expression, go to some random page and then place the code in your address bar.
Very often, web applications sanitize URLs that start with the keyword javascript:. With the vbscript: protocol you can bypass this restriction, which creates an XSS exploitable condition. This is one type of scenario, and be sure that you can do a lot more than that. VBScript has access to the DOM as well. For example, you can access Document.cookie and Document.location. You can do XML HTTP requests and almost everything else you can think of.
Long story short, it is important to know about VBScript and its capabilities because as long as Internet Explorer supports it and you are planning to support Internet Explorer, you have to deal with it. Do not implement blacklisting XSS filters. They can all be bypassed with a few tricks. All I want to say is that VBScript is here to stay and it will be widely used to bypass secure XSS filters. Be aware of it, and be prepared.
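The advice against blacklisting, as an added example that is not part of the original post: a filter that rejects only javascript: next to a check that accepts only an explicit list of schemes. The function names, the allowed scheme list and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example. All names and sample inputs are constructed, not from the post.

// Weak: rejects only the one scheme the filter author thought of.
function blacklistAccepts(url) {
  return !/^\s*javascript:/i.test(url);
}

// Assumption: this application only needs web links and mail links.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Stronger: find the scheme after normalising the input, then accept it only
// if it is explicitly allowed. Unknown schemes are rejected by default.
function allowlistAccepts(url) {
  // Parsers following the WHATWG URL standard strip leading/trailing control
  // characters and spaces and drop tab/CR/LF anywhere, so do the same first.
  const cleaned = String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  if (!m) {
    // No scheme: a relative URL. Still refuse a colon before the first
    // '/', '?' or '#', which a lenient parser could read as a scheme.
    return !/^[^\/?#]*:/.test(cleaned);
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed samples: the vbscript: form from the post plus benign links.
const SAMPLES = [
  'vbscript:MsgBox("Bla")',
  'VBScript:MsgBox("Bla")',
  ' \tvbs\ncript:MsgBox("Bla")',
  "javascript:alert(1)",
  "https://example.com/",
  "/account/settings",
  "mailto:user@example.com",
];

// Returns one row per sample so the two policies can be compared side by side.
function compare(samples) {
  return samples.map((u) => ({
    url: u,
    blacklist: blacklistAccepts(u),
    allowlist: allowlistAccepts(u),
  }));
}

console.table(compare(SAMPLES));
```

Run the check on the value as the browser will see it, that is, after any HTML entity or URL decoding the application performs.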