WEB HACKING XXN Attack(X-XSS-Nightmare):: R-XSS Bypass Browser XSS Filter HAHWUL(하훌) / 1/07/2016 At the end of last year I heard about this interesting XXN attack and analysed it, and only now am I getting around to writing it up.
I'm trying to bypass some XSS filtering. Every time I insert a single quote I get a backslash, so I wrote this payload:
In the source code it looks like this:
but I still can't get an alert box. What is wrong?
2 Answers
It is impossible to know for sure without seeing the code that the server runs, but we can make some educated guesses:
Looks like there is a template looking something like this:
You say `'` gets replaced by `\'`.
- From your example, it seems that `\'` being unaffected is an exception to the above rule (probably to prevent the very attack you were trying). This is a bit surprising - the normal thing to do would be to replace the `\` with `\\`, so you would get `\\\'`.
- There might be multiple other defences built in that you just haven't noticed yet because you haven't managed to bypass the first.
It is important to understand the context you want to escape from. In this case it is a JavaScript string literal (or Rule #3 in the OWASP cheat sheet). To get out of it, you have two options:
- Switch to a general JavaScript context. I think this can only be done by getting an unescaped `'` in there. If `\'` is always unaffected no matter the context, try `\\'`. If you are lucky, nothing is done about the first backslash. While you are at it, try different numbers of backslashes, just in case.
- End the script block to get into an HTML context. Try something like this:
Most likely the `<` will be escaped to `&lt;`, but it is worth a try.
See also this related question.
Bypass escaped double quote
Based on your description this should work:
`\');alert('xss`
The `'` will be escaped as `\'`, thus resulting in `\\'`, which escapes the `\`, but not the `'`.
To prevent this, you would at the very least have to also escape `\` as `\\`.
Bypass escaped double quote and double backslash to single backslash
Based on your comment, I'm assuming the actual relevant parts of the filtering work like this:
This isn't secure either. An injection might look like this:
`\\');alert(1`
`'` will be escaped as `\'` in step 1, which leads us to `\\\'`, which is then transformed to `\\'` in step 2. You can't use double quotes in the injected string, but that's not a problem, as XSS with single quotes or completely without quotes is perfectly possible.
To secure this, the double backslash would need to be escaped, not transformed to a single one, which would give us `\\\\\'` with the above described injection, which is safe.
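As an added example (code written here, not from the question or either answer): the question's filter and the second answer's two-step filter beside a hardened encoder, plus a small lexer that checks whether the filtered text stays inside a single-quoted JavaScript literal. The payload strings are constructed from the ones quoted above.

```javascript
// Added example, not the code of the site being discussed.

// Filter 1 (the question): a backslash is put in front of every single
// quote, but an attacker-supplied backslash is left alone.
function weakEscape(s) {
  return s.replace(/'/g, "\\'");
}

// Filter 2 (the second answer): step 1 escapes both quote kinds,
// step 2 collapses every "\\" in the result to a single "\".
function weakEscapeCollapse(s) {
  const step1 = s.replace(/['"]/g, (c) => "\\" + c);
  return step1.replace(/\\\\/g, "\\");
}

// Hardened encoder in the spirit of OWASP rule #3: every character that is
// not alphanumeric (backslash, quotes, <, /, &, newlines, ...) becomes a
// \xHH or \uXXXX escape, so nothing can end the literal or the <script>.
function safeEscape(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Reads `escaped` the way a JS engine reads the body of a quoted literal:
// a backslash consumes the next character; an unescaped quote (or a raw line
// terminator, which leaves the literal unterminated) means the context is
// lost. Returns true only if the whole text stays inside the literal.
function staysInsideLiteral(escaped, quote = "'") {
  for (let i = 0; i < escaped.length; i++) {
    const c = escaped[i];
    if (c === "\\") { i++; continue; }
    if (c === quote || c === "\n" || c === "\r") return false;
  }
  return true;
}

// Constructed payloads mirroring the ones discussed in the answers.
const plain = "');alert('xss";       // no backslash: filter 1 holds
const oneSlash = "\\');alert('xss";  // \');alert('xss  beats filter 1
const twoSlash = "\\\\');alert(1";   // \\');alert(1    beats filter 2
```

Running the lexer over each filter's output for each payload reproduces the answers' results: the weak filters let the backslash variants terminate the literal, while the hex-encoded output never does.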
Say I want to maliciously call a function which is already defined, myfunc().
How could I achieve xss attack bypassing double quote and angle brackets escaping?
(The upper case fields are user inputs.) How could I call myfunc() without adding the script tags around it?
3 Answers
(Un)fortunately it appears that XSS won't be possible in this instance.
If angle brackets and double quote characters are escaped, this is enough to prevent XSS in HTML body and double quoted entity value contexts.
Technically, under the XSS Experimental Minimal Encoding Rules for HTML body, the & character should be encoded too, but I can't see a way here to use that to the attacker's advantage either in the HTML body or within the entity value.
The only exception to this is if the character set was specified as UTF-7 (or as the attacker you could change it to such) then you could use the following attack:
this would be rendered as
You can try these injections
which will try to call the myfunc JavaScript function since it will fail to load the image named X
Try this injection: <a href='javascript:myFunc();'>
When someone clicks on the link, the code gets run. If you want to pass string parameters, use slashes (like /string/ vs 'string').