
OWASP's XSS Filter Evasion Cheatsheet has a Perl script listed:

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

It also says this above it:

Null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy or use %00 in the URL string or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example:

Does this mean that you can't inject it straight into an input? Or do you have to use Burp Suite or some other tool?

anonymous

1 Answer


As stated on stackoverflow, the Perl script in this attack vector serves as the "launcher" of the attack, not as part of it. The important part of it is the null byte \0, which can theoretically fool the blacklist, as java\0script does not equal javascript. The %00 vector you have specified is a null byte too, however in URL-encoded form. It will only work if you find a website that has a vulnerable part of the URL. Burp Proxy can however be used the same way as the Perl script, but you're looking for the hex value to change, rather than injecting \0.

Eda190
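To make the answer's point concrete from the filter's side, here is an added example (not part of the question or the answer, and not OWASP's code) showing why a substring blacklist is fooled by the java\0script variant and by its %00 URL-encoded form, next to an allowlist-style check that decodes and strips control characters before deciding. The sample inputs and the function names (naive_blacklist_allows, hardened_allows, check_all) are constructed for this illustration and are assumptions, not anything from the page.

```python
import re
import urllib.parse

# Constructed sample inputs (not from the page): one benign image URL,
# the null-byte variant the cheat sheet's Perl one-liner produces,
# and the same payload with the null byte URL-encoded as %00.
SAMPLES = {
    "benign": "https://example.org/image.png",
    "null_byte": "java\0script:alert(1)",
    "url_encoded": "java%00script:alert(1)",
    "plain": "javascript:alert(1)",
}

BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


def naive_blacklist_allows(src: str) -> bool:
    """Blacklist check on the raw string.

    Because it compares bytes as received, 'java\\0script:' and
    'java%00script:' do not match 'javascript:' and slip through,
    which is exactly the bypass the answer describes.
    """
    return not src.lower().lstrip().startswith(BLOCKED_SCHEMES)


def hardened_allows(src: str) -> bool:
    """Allowlist check that normalizes before deciding.

    1. Percent-decode so %00 becomes a real null byte.
    2. Drop C0 control characters, DEL and the soft hyphen (U+00AD,
       the char 173 the cheat sheet mentions for old Opera).
    3. Parse the result and accept only http(s) URLs with a host.
    """
    decoded = urllib.parse.unquote(src)
    cleaned = re.sub(r"[\x00-\x1f\x7f\u00ad]", "", decoded)
    parsed = urllib.parse.urlparse(cleaned.strip())
    return parsed.scheme.lower() in ("http", "https") and bool(parsed.netloc)


def check_all() -> dict:
    """Return {name: (naive_verdict, hardened_verdict)} for every sample."""
    return {
        name: (naive_blacklist_allows(value), hardened_allows(value))
        for name, value in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, hardened) in check_all().items():
        print(f"{name:12s} naive allows={naive!s:5s} hardened allows={hardened}")
```

The takeaway for a defender is the order of operations: decode and canonicalize first, then compare against an allowlist of acceptable schemes, rather than searching the raw input for forbidden substrings.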