XSS (Cross Site Scripting)
Can you escape the tags of an HTML page, inside a .js file, or inside an attribute using the javascript: protocol?
If reflected between tags, even if your input is inside any kind of quotes, you can try to inject a tag of your own and escape from this context. This works because the browser parses the HTML tags before it interprets their content, so it won't notice that your injected tag sits inside a quoted string in the HTML code.
If reflected inside a JS string and the previous trick isn't working, you would need to exit the string, execute your code and reconstruct the JS code (if there is any syntax error, none of it will be executed):
'-alert(1)-'
';-alert(1)//
\';alert(1)//
If reflected inside template literals `` you can embed JS expressions using ${ ... } syntax: var greetings = `Hello, ${alert(1)}`
DOM
There is JS code that unsafely uses some data controlled by an attacker, like location.href. An attacker could abuse this to execute arbitrary JS code.
WAF bypass encoding image (from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21)
Injecting inside raw HTML
When your input is reflected inside the HTML page, or you can escape and inject HTML code in this context, the first thing you need to do is check whether you can abuse < to create new tags: just try to reflect that char and check if it's being HTML encoded, deleted, or reflected without changes. Only in the last case will you be able to exploit this. For these cases also keep in mind Client Side Template Injection. Note: an HTML comment can be closed using --> or --!>
In this case, if no black/whitelisting is used, you could use payloads like:
But, if tags/attributes black/whitelisting is being used, you will need to brute-force which tags you can create. Once you have located which tags are allowed, you would need to brute-force attributes/events inside the found valid tags to see how you can attack the context.
Go to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet and click on Copy tags to clipboard. Then, send all of them using Burp Intruder and check whether any tag wasn't flagged as malicious by the WAF. Once you have discovered which tags you can use, you can brute force all the events using the valid tags (in the same web page click on Copy events to clipboard and follow the same procedure as before).
If you didn't find any valid HTML tag, you could try to create a custom tag and execute JS code with the onfocus attribute. In the XSS request, you need to end the URL with # to make the page focus on that object and execute the code:
Blacklist Bypasses
If some kind of blacklist is being used you could try to bypass it with some silly tricks:
Length bypass (XSS in 20 chars)
Taken from the blog of Jorge Lajara.
The last one uses 2 Unicode characters which expand to 5: telsr. More of these characters can be found here. To check into which characters they are decomposed, check here. More tiny XSS payloads can be found here.
Weird combinations
From https://netsec.expert/2020/02/01/xss-in-2020.html
Click XSS - Clickjacking
If, in order to exploit the vulnerability, you need the user to click a link or submit a form with prepopulated data, you could try to abuse Clickjacking (if the page is vulnerable).
Impossible - Dangling Markup
If you think that it's impossible to create an HTML tag with an attribute to execute JS code, you should check Dangling Markup, because you could exploit the vulnerability without executing JS code.
Injecting inside HTML tag
Inside the tag/escaping from attribute value
If you are inside an HTML tag, the first thing you could try is to escape from the tag and use some of the techniques mentioned in the previous section to execute JS code. If you cannot escape from the tag, you could create new attributes inside the tag to try to execute JS code, for example using a payload like the following (note that in this example double quotes are used to escape from the attribute; you won't need them if your input is reflected directly inside the tag):
Style events
Within the attribute
Even if you cannot escape from the attribute (" is being encoded or deleted), depending on which attribute your value is reflected in, and whether you control all of the value or just a part of it, you will be able to abuse it. For example, if you control an event like onclick= you will be able to make it execute arbitrary code when it's clicked. Another interesting example is the attribute href, where you can use the javascript: protocol to execute arbitrary code: href="javascript:alert(1)"
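Output encoding by context is the defence that the contexts described at the top of the page (raw HTML, JS string, template literal) and this attribute section both call for. The following is an added example, not code from the original page: one encoder per context, a scheme allow-list for URL attributes, and a renderer that uses the right encoder in each place. The function names (encodeForHtml, encodeForJs, safeUrl, render, hasScriptBreakout), the SAFE_SCHEMES list and the naiveJsEscape contrast are all assumptions made for this example.

```javascript
// Added example, not from the original page: context-aware output encoding.

const HTML_ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Raw HTML body and quoted attribute values: nothing survives that can open a
// tag, close the attribute or start an entity.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITY[c]);
}

// JS string and template-literal bodies: every non-alphanumeric character
// becomes a \uXXXX escape. That removes quotes, backslash, backtick, "$" and
// "{" (so ${...} cannot start an expression) and also "<" and "/", so the text
// </script> can never appear inside the literal and end the script block
// while the HTML parser runs (the "tags are parsed first" problem above).
function encodeForJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Attributes that take a URL (href, src): accept only an allow-listed scheme,
// so a value that starts with javascript: in any letter case never gets there.
// The scheme is tested on the value with leading/trailing control characters
// and all tab/newline characters removed, because the browser's URL parser
// ignores those before it looks at the scheme. Relative URLs pass through.
const SAFE_SCHEMES = ['http', 'https', 'mailto'];   // assumption for this example
function safeUrl(s) {
  const v = String(s);
  const cleaned = v.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '').replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return v;                                   // no scheme: relative URL
  return SAFE_SCHEMES.includes(m[1].toLowerCase()) ? v : '#';
}

// The incomplete fix that the JS-string payloads above defeat: only the quote
// is escaped, so "</script>" inside the string still ends the script block.
function naiveJsEscape(s) {
  return String(s).replace(/'/g, "\\'");
}

// Reflect `name` and `link` in an attribute, in the body, in a JS string and in
// a template literal, each with the encoder for that context.
function render(name, link) {
  return [
    '<p title="' + encodeForHtml(name) + '">Hello, ' + encodeForHtml(name) + '</p>',
    '<a href="' + encodeForHtml(safeUrl(link)) + '">profile</a>',
    '<script>',
    "  var user = '" + encodeForJs(name) + "';",
    '  var greeting = `Hello, ' + encodeForJs(name) + '`;',
    '</script>',
  ].join('\n');
}

// Check: does the text between the first <script> and the last </script>
// contain a closing script tag (which the HTML parser would honour regardless
// of any JS quoting around it)?
function hasScriptBreakout(html) {
  const inner = html.slice(html.indexOf('<script>') + 8, html.lastIndexOf('</script>'));
  return /<\/script/i.test(inner);
}
```

The point of encodeForJs is that quoting rules of the JS context do not matter to the HTML parser: only removing the characters "<" and "/" from the literal keeps a closing tag out of the script block. safeUrl is deliberately an allow-list rather than a deny-list of javascript:, since an attribute like href cannot be made safe by entity-encoding alone (the browser decodes entities before interpreting the URL).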
Bypass inside event using HTML encoding/URL encode
The HTML encoded characters inside the value of HTML tag attributes are decoded at runtime. Therefore something like the following will be valid (the payload is in bold):
';">Go Back
Note that any kind of HTML encoding is valid:
Note that URL encoding will also work:
Bypass inside event using Unicode encode
Bypass inside javascript: using HTML and URL encoding
Your input could also be reflected in HTML tags that accept the javascript: protocol, and in these cases you can still alter the JS flow to execute arbitrary code. Here the HTML encoding and the Unicode encoding trick from the previous section are also valid, as you are inside an attribute. Moreover, there is another nice trick for these cases: even if your input inside javascript:... is being URL encoded, it will be URL decoded before it's executed. So, if you need to escape from the string using a single quote and you see that it's being URL encoded, remember that it doesn't matter: it will be interpreted as a single quote at execution time. Note the javascript: protocol can be used in any tag that accepts the attribute href and in most of the tags that accept the attribute src (but not )
Note that if you try to use both URL encoding and HTML encoding, in either order, to encode the whole payload it won't work, but you can mix them inside the payload.
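The decoding order described above (entities first, because the value sits in an attribute; then percent-decoding, because the value is a javascript: URL) is exactly what an inspection rule has to reproduce before it looks at a value, otherwise an encoded payload is not seen for what it is. The following is an added example, not code from the original page: a normaliser that decodes an attribute value the way the browser does, followed by an illustrative rule applied once to the raw text and once to the decoded code. The function names (decodeHtmlEntities, percentDecode, scriptFromAttribute, inspectRaw, inspectDecoded), the URL_ATTRIBUTES set and the SINK_WORDS list are assumptions made for this example.

```javascript
// Added example, not from the original page: normalise before you inspect.

const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", Tab: '\t', NewLine: '\n' };

// Step 1: HTML entity decoding. Applies to every attribute value, event
// handler or URL alike. Decimal, hex and named forms, with or without the
// trailing semicolon (browsers accept numeric references without it).
function decodeHtmlEntities(s) {
  return String(s).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Step 2: percent-decoding of the code after a javascript: scheme, which is
// what the JS engine receives. Malformed runs are left as they are.
function percentDecode(s) {
  return s.replace(/(?:%[0-9a-f]{2})+/gi, (run) => {
    try { return decodeURIComponent(run); } catch (e) { return run; }
  });
}

const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction']);   // assumption

// Returns the code the JS engine would run for a script-capable attribute,
// or null when this attribute cannot run script by itself.
function scriptFromAttribute(name, rawValue) {
  const attr = name.toLowerCase();
  const value = decodeHtmlEntities(rawValue);
  if (attr.startsWith('on')) return value;               // event handler body
  if (URL_ATTRIBUTES.has(attr)) {
    const m = /^\s*javascript:/i.exec(value);
    if (m) return percentDecode(value.slice(m[0].length));
  }
  return null;
}

// Illustrative rule only: names a reflected test payload typically calls.
const SINK_WORDS = /\b(alert|eval|fetch|Function|setTimeout)\b/;

// The mistake: matching on the raw attribute text, which the encodings above
// were designed to get past.
function inspectRaw(rawValue) {
  return SINK_WORDS.test(rawValue);
}

// The fix: match on the decoded code of a script-capable attribute.
function inspectDecoded(name, rawValue) {
  const code = scriptFromAttribute(name, rawValue);
  return code !== null && SINK_WORDS.test(code);
}

// Constructed sample values, in the mixed style the text describes.
const SAMPLES = [
  ['onclick', '&#x61;lert(1)'],
  ['onclick', "var t='&#x27;-alert(1)-&#x27;';"],
  ['href', 'java&#115;cript:%61lert(&#x31;)'],
  ['href', 'https://example.com/%61'],
];
for (const [name, raw] of SAMPLES) {
  console.log(name, JSON.stringify(raw), '-> raw:', inspectRaw(raw), 'decoded:', inspectDecoded(name, raw));
}
```

scriptFromAttribute returns null for URL attributes whose scheme is not javascript:, so the rule is never run on percent-decoded text of an ordinary link; a value like https://example.com/%61 stays out of scope. Entity decoding is applied once and percent-decoding once, in that order, which is also why the mixed-encoding form in the text decodes cleanly.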
You can use Hex and Octal encoding inside the src attribute of iframe (at least) to declare HTML tags to execute JS:
Using data encoding
From here: You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the accesskey attribute. Here is the vector:
The XSS payload will be something like this: " accesskey="x" onclick="alert(1)" x="
Blacklist Bypasses
Several tricks using different encodings were already exposed inside this section. Go back to learn where you can use HTML encoding, Unicode encoding, URL encoding, Hex and Octal encoding and even data encoding.
Bypasses for HTML tags and attributes
Read the Blacklist Bypasses of the previous section.
Bypasses for JavaScript code
Read the JavaScript bypass blacklist of the following section.
Injecting inside JavaScript code
In these cases your input is going to be reflected inside the JS code of a .js file, between <script> tags, inside HTML events that can execute JS code, or inside attributes that accept the javascript: protocol.
Escaping
You could easily escape by closing the <script> tag:
<script>eval('\\u'+'0061'+'lert(1)')</script>
<<script ~~~>\u0061lert(1)</script ~~~>
</style></scRipt><scRipt>alert(1)</scRipt>
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
<svg><x><script>alert('1')</x>