Web Application Security Forum - XSS Info

XSS in hidden Field (no replies)

kamal — Tue, 26 Feb 2013 13:48:29 -0600

Hi,

is it possible to have an exploit here?

INPUT is user input
<,>,(,) are encoded

I know we can exploit using style tag.. but the problem is I can't use (,) symbols... so is there anyway to bypass it.

regards

XSS Challenge (no replies)

lucasnn — Fri, 08 Feb 2013 00:46:12 -0600

Hey folks,

I am new here. Is nice to meet you guys.

I am with a challenge, but I could not solve it. I need bypass a regex to execute javascript inside eval.

The code is:

function json(a){
if (/^\s*$/.test(a) ? 0 : /^[\],:{}\s\u2028\u2029]*$/
.test(a.replace(/\\["\\\/bfnrtu]/g, "@")
.replace(/"[^"\\\n\r\u2028\u2029\x00-\x08\x0a-\x1f]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
.replace(/(?:^|:|,)(?:[\s\u2028\u2029]*\[)+/g, "")))

try{
return eval("(" + a + ")")
} catch (b) {}
g(Error("Invalid JSON string: " + a))
}
//...
json(window.name);

This ("true);alert(9);//" is very close to a valid javascript statement and will bypass this regex, but still is invalid. The problem? The quote. =(

Any ideas?

Cross Site Scripting Tunneling (no replies)

Sr.Gr33n — Sun, 27 Jan 2013 11:44:16 -0600

I haven't found anything about this kind of attacks in the forum so I wan't to post some information abaut XSS Tunneling.

~> What's a XSS tunnel?

Ok, XSST is a HTTP connection that you can stablish with a victim trhow a XSS usually attack.

~> What offers this attack?

This kind of attacks offers you a shell based on JS and allows you to execute some commands in victim's PC but the best of it is that you can configure victim's browser so as to reconnect whit your machine every time it starts.

More info ~~~> labs[dot]portcullis[dot]co[dot]uk/application/xss-tunnelling/

There is a paper in the web very easy so as to understand it.

Gr33tings!

How to use these XSS jnection vectors? (3 replies)

rickm — Sat, 24 Nov 2012 06:01:23 -0600

Hi all

I'm dedicated in learn XSS, I understand the basic and I'm learning everyday more and more - thanks to this great forum and all you guys.

Most of my tests are with FireFox 16.0.2 and this vulnerable test site (it's a site created intentionally to be vulnerable and test web issues):

http://demo.testfire.net/search.aspx?txtSearch=

However, if you prefer any other to give me an working example not problem. :)

During these days I have collected a set of XSS payloads that are very interesting, however I'm unable to reproduce them and make the so wanted alert box appear. Can you please take a look at them and let me know why they are not working on my target test site?

Case #01:

/./iiin({}) // Chrome only

Ref.: http://sla.ckers.org/forum/read.php?2,29090,page=12

I tested with last version of Chrome and it doesn't work. Is it really possible to generate an alert box? Or is it just an test that do not produce anything useful?

Case #02:

“”

Ref.: http://www.thespanner.co.uk/2007/10/01/xss-attacks-a-practical-example/

I tested with last version of Chrome and my Firefox and it doesn't work. Can someone point me what's wrong? Also, is there an special way to encode it to make it work?

I tried it like these without success:

http://demo.testfire.net/search.aspx?txtSearch=“”

http://demo.testfire.net/search.aspx?txtSearch=“>”

http://demo.testfire.net/search.aspx?txtSearch=%E2%80%9C%3CMETA%20HTTP-EQUIV%3D%C3%A2%E2%82%AC%C2%9DLink%C3%A2%E2%82%AC%C2%9D%20Content%3D%C3%A2%E2%82%AC%C2%9D%3Chttp%3A%2F%2Fha.ckers.org%2Fxss.css%26gt%3B%3B%20REL%3Dstylesheet%C3%A2%E2%82%AC%C2%9D%3E%E2%80%9D

Case #03:

I have seen many of these crazy payloads:

([],[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])()[([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])]+([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])]+([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+[])]+(![]+[])[+!![]+!![]]]('alert(1)')

OR

+[+[+[]==+[]][+[]]+[[[]+[][+[]]][+[]][+[+[]==+[]][+[]]+[+[]==+[]][+[]]+[+[]==+[]][+[]]]+[]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]]]

However it doesn't work - I'm pretty sure that I'm missing something to make it works. I tested on last version of Chrome and Firefox on the test site with encoding, adding , right?

Case #04:

Another very weird XSS payload, never worked in my tests with the environment previouus described.

<@uni>b=<@/uni>/\u/<@uni>[-1]<@/uni><@uni>z=<@/uni>/00/<@uni>[-1]<@/uni><@uni>c=<@/uni>/c/<@uni>[-1]<@/uni><@uni>e=0[<@/uni>'<@hex>ev<@/hex><@oct>al<@/oct>'<@uni>](<@/uni>'<@oct>b+z+61+b+z+6+c+b+z+65+b+z+72+b+z+74+b+z+28+b+z+31+b+z+29<@/oct>'<@uni>)<@/uni><@uni>0[<@/uni>'<@oct>ev<@/oct><@hex>al<@/hex>'<@uni>](e)<@/uni>

Is is real? Someone got it working? How? Can you please give me an example?

Case #05:

These payloads where you are in theory able to change the conten-type and define it as UTF-7 and inject this payloads with unicode or even non-alpha. Some payloads that I found use before meta tag, however, none of them work. I tried URL-encode, inject

http://localhost/

but, I can't obtain js execution.. is there any way to let the browser render the html/execute the payload before performing the redirection ?

Thanks

Evading some input filters (of ' and ") in Firefox (no replies)

Gryphus — Wed, 12 Sep 2012 03:36:23 -0500

Hi!

Testing an application that had filtered the quotes ' and ", but not < and >, I found that in Firefox you can close the

Imagine that is not possible to inject a quote because is filtered, but the characters < and > are not filtered in any way, then you can inject the following:

p1

having something like this:

';

In this case, Firefox closes the first -->*/alert(1)/*

XSS via child document? (1 reply)

cr101 — Sun, 12 Aug 2012 13:31:28 -0500

I can embed an iframe in a website, but I can't point it to anything along the lines of "javascript:alert(1)". Is there a page I can build that can run javascript in the context of the parent document? SOP prevents me from directly accessing things like parent.document. Any ideas?

XSS + FF/Chrome + plain/text (1 reply)

choronzon — Tue, 17 Jul 2012 05:22:15 -0500

Hello,

I have and xss like this:

POST /...
Host: server
...

par=

HTTP/1.1 200 OK
...
Content-Type: text/plain; charset=UTF-8
...

{"par":""}

client-side code execution can be obtained with IE, but I need a working vector for FF or Chrome. Any suggestions?

Thanks,
c.

10 new private xss detected on msn sub domain (no replies)

Vaibs — Mon, 25 Jun 2012 11:16:32 -0500

POC

http://vaibs.comuv.com/5.jpg
http://vaibs.comuv.com/6.jpg
http://vaibs.comuv.com/7.jpg
http://vaibs.comuv.com/8.jpg
http://vaibs.comuv.com/9.jpg
http://vaibs.comuv.com/10.jpg
http://vaibs.comuv.com/11.jpg
http://vaibs.comuv.com/12.jpg
http://vaibs.comuv.com/13.jpg
http://vaibs.comuv.com/14.jpg

Does anyone know of any good XSS backdoors? (no replies)

cookiesui — Sun, 24 Jun 2012 22:29:35 -0500

Besides that well-known one written in ASP.

JavaScript via CSS (9 replies)

Jean Pascal Pereira — Sun, 01 Jul 2012 16:11:29 -0500

Hello,

are there still possibilities to execute JavaScript via stylesheets?

The common methods like expression or moz-binding are not working in modern web browsers. It seems that Mozilla completely removed the -moz-binding functionality.

Regards

How about this solution for cross domain set cookie? (3 replies)

joel — Fri, 25 May 2012 20:50:08 -0500

There are 2 domain using the same cookie pair(uid & sid) for authenticate user:
www.logger.com
www.logspot.com

uid was to identify a user, and sid was to authenticate him.

Suppose most of the user will login via www.logger.com, and the browser will set the cookie:
Set-Cookie: uid=15732; PATH=/; DOMAIN=logger.com;
Set-Cookie: sid=FupX5px7X; PATH=/; DOMAIN=logger.com;

And when the user click a hyper link in www.logger.com to jump to www.logspot.com/index.html, I don't want that user input his uid and password again.

I wrote a script which place in www.logger.com (http://www.logger.com/get_sid.php):
header("Content-Type: application/x-javascript");

if (isset($_COOKIE["uid"]) && isset($_COOKIE["sid"])) {
echo "document.cookie = 'uid=" . $_COOKIE["uid"] . "; path=/; domain=logspot.com;';\n";
echo "document.cookie = 'sid=" . $_COOKIE["sid"] . "; path=/; domain=logspot.com;';\n";
} else {
echo "void(0);";
}
?>

And then, I put this script inside www.logspot.com/index.html:

I've looked at the HTTP requests in burp and they appear to be identical, except that the local one is missing the Referer header since it's cross-protocol.

I've tried changing the doctype & turning quirks mode on and off to to avail. Any ideas?

Bypassing Chrome XSS filter + Apache mod_security? (4 replies)

serpentine85 — Thu, 05 Apr 2012 17:19:30 -0500

The site I found an XSS on appears to be using mod_security. Anything with "

seems to bypass mod_security, but Chrome strips onerror and all other on attributes.

Both these filters are definitely vulnerable, but I don't know how to make something that'll bypass both.

I control the attribute of an , and there's no escaping or filtering done by the web app itself. So "> does break me out. I only control that one variable though.

Any ideas?

Thanks.

Can anyone tell me something about ]]> XSS ? (no replies)

neuf.martial — Mon, 02 Apr 2012 08:10:09 -0500

Hi,

Can anyone tell me something about ]]> XSS vulnerability?

please have a look at the following link.

https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)

It tells something about CDATA section delimiters:

Can anyone elaborate that, with examples?

Also is it associated with .xhtml pages? Is it required to handle CDATA "]]>" character for XSS in .html application?

Regards,
Dinesh

Are the following characters XSS vulnerable? (3 replies)

neuf.martial — Mon, 18 Jun 2012 20:19:41 -0500

Hi,
We are trying to implement security in our application, wherein we need to encode and decode the user inputs.

So can anybody please provide me a list of all the characters that are disallowed or dangerous, that I need to encode?

For eg. for "<" character we use <, for ">" character we use >

so can anybody please tell me if the following mentioned characters are XSS vulnerable, and if yes, then how to encode them?

1) ! - exclamation mark - characters for additional command execution

2) - hyphen - can be used in database queries, and the creation of negative numbers.

3) /\ = The forward-slash and back-slash are often used for faking paths and queries

4) { } [ ] = Curly brackets and square brackets are often used as script, program or regex expressions.

5) *(asterisk) = Often used in database queries for “all”.

eg.

6) `(Grave accent) = If you need to use both double and single quotes you can use a grave accent(`) to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents.

7) / (division or forward slash) -

8) Bitwise “xor” operator: (^)

9) Bitwise Left Shift (<<)

10) Bitwise Right Shift (>>)

11) Bitwise Right Shift With Zeros

12) Ternary Conditional Expression

Please let me know if I need to encode these characters too. I am using Java for development.

Thanks

Found 8 Xss on baidu.com but who cares.:P (5 replies)

Vaibs — Tue, 25 Dec 2012 23:33:04 -0600

http://vaibs.comuv.com/baidu%20xss.jpg

Who knows chinese or what ever can find that page.
Let see

XSS double quotes filter bypass (5 replies)

Pr3nK — Wed, 14 Mar 2012 04:19:11 -0500

Hi guys, is there any any method which let you to bypass double quotes encoding to \" in order to close the value tags? I don't need the String.fromCharCode() function, and there isn't any variable which saves the searched value...
The code looks like:

Any help please?

IE blocks accessing document object in flash file (no replies)

behnaz — Sun, 11 Mar 2012 10:15:09 -0500

In my flash application I need to get browser cookie. Internet Explorer don't allow flash to access document object. I want to know what is the problem does it relate to Internet Explorer xss filter? I have test my application with xss filter option disalbed in IE but again no result. This simple code works well in all browsers(Firefox, Chrome, Opera) but don't work in Internet Explorer, anybody know why?
Thanks.

don't work:
ExternalInterface.call("eval","alert(document.cookie)");
ExternalInterface.call("eval","alert(document.location)");

but this work well:
ExternalInterface.call("eval","alert(window.location)");

Close but no cigar, help for the final hurdle? (2 replies)

thegreatescape — Sun, 04 Mar 2012 14:12:47 -0600

'"(){}/\<> - test chars

Results in source:

and bit further down:

Can't think of any input type xss which doesn't use ' " ', can anyone help?

Closest I have got:

[but no alert]

[using Firefox, but any browser would be a help]

TheGreatEscape