XSS

XSS (Cross Site Scripting) Cheat Sheet
Esp: for filter evasion


By RSnake

Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate XSS vectors or how to write the actual cookie/credential stealing/replay/session riding portion of the attack. It will simply show the underlying methodology and you can infer the rest. Also, please note my XSS page has been replicated by the OWASP 2.0 Guide in the Appendix section with my permission. However, because this is a living document I suggest you continue to use this site to stay up to date.

Also, please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page; however, if you have specific concerns about outdated or obscure versions please download them from Evolt. Please see the XML format of the XSS Cheat Sheet if you intend to use CAL9000 or other automated tools. If you have an RSS reader feel free to subscribe to the Web Application Security RSS feed below, or join the forum:



XSS (Cross Site Scripting): XSS locator. Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use the URL encoding calculator below to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the deprecated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


XSS locator 2. If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS versus &lt;XSS to see if it is vulnerable:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught, but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principles that would work in other tags as well - I'll probably revise this at a later date):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


No quotes and no semicolon:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Case insensitive XSS attack vector:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


HTML entities (the semicolons are required for this to work):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Grave accent obfuscation (if you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Malformed IMG tags. Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


fromCharCode (if no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need). Click here to build your own (thanks to Hannes Leopold):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


UTF-8 Unicode encoding (all of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode). Use the XSS calculator for more information:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Long UTF-8 Unicode encoding without semicolons (this is often effective in XSS that attempts to look for "&#XX;", since most people don't know about padding - up to 7 numeric characters total). This is also useful against people who decode against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate an HTML encoded string (I've seen this in the wild):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Hex encoding without semicolons (this is also a viable XSS attack against the above string $tmp_string =~ s/.*\&#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters). Use the XSS calculator for more information:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Embedded tab to break up the cross site scripting attack:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Embedded encoded tab to break up XSS:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Embedded newline to break up XSS. Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ASCII chart for more details. The following four XSS examples illustrate this vector:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Embedded carriage return to break up XSS (Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Multiline injected JavaScript using ASCII carriage returns (same as above, only a more extreme example of this XSS vector). These are not spaces, just one of the three characters as described above:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Null breaks up JavaScript directive. Okay, I lied, null chars also work as XSS vectors but not like above; you need to inject them directly using something like Burp Proxy or use %00 in the URL string, or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char, 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Null breaks up cross site scripting vector. Here is a little known XSS attack vector using null characters. You can actually break up the HTML itself using the same nulls as shown above. I've seen this vector bypass some of the most restrictive XSS filters to date:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn't take into account spaces in the word "javascript:" - which is correct since that won't render - and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. The actual reality is you can have any char from 1-32 in decimal):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
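
Any filter that looks for the literal string "javascript:" has to undo all of the above first. The following is an added example (not part of the cheat sheet): a Python normaliser that decodes numeric character references the way the text describes (1-7 characters, semicolon optional, decimal or hex), strips the characters 1-32 (and NUL) that browsers tolerate before and inside the scheme, and only then compares the scheme; it also shows why the Perl pattern quoted above misses most of these forms. All function names are assumptions of this example.

```python
import re

# Added example, not from the cheat sheet: a normaliser a server-side filter
# can run before it looks for "javascript:". It models the behaviours the
# text describes: numeric character references of 1-7 digits (decimal or
# hex) with an optional semicolon, tolerated characters 1-32 (and NUL) inside
# the scheme, and case-insensitive matching. Names are this example's own.

# &#NNN; / &#NNN / &#xHH; / &#xHH - the semicolon is optional and the length
# limit is the 1-7 characters the text gives.
_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]{1,7})|([0-9]{1,7}));?")

# What the quoted Perl substitution assumes: decimal digits AND a semicolon.
_NAIVE_REF = re.compile(r"&#([0-9]+);")


def decode_numeric_refs(s: str) -> str:
    """Browser-like decoding of numeric character references."""
    def repl(m):
        hex_digits, dec_digits = m.group(1), m.group(2)
        cp = int(hex_digits, 16) if hex_digits is not None else int(dec_digits)
        # Code points past U+10FFFF are not characters; leave the text alone.
        return chr(cp) if cp <= 0x10FFFF else m.group(0)
    return _NUMERIC_REF.sub(repl, s)


def naive_decode(s: str) -> str:
    """Decoder with the Perl pattern's assumptions, shown only for contrast:
    it misses hex references and any reference without a semicolon."""
    def repl(m):
        digits = m.group(1)
        if len(digits) > 7 or int(digits) > 0x10FFFF:
            return m.group(0)
        return chr(int(digits))
    return _NAIVE_REF.sub(repl, s)


def strip_low_chars(s: str) -> str:
    """Remove NUL and every other character with code 1-32: the text says a
    browser still sees 'javascript:' with any of them before or inside it."""
    return "".join(ch for ch in s if ord(ch) > 32)


def canonical_scheme(attr_value: str) -> str:
    """Scheme of an attribute value after decoding, stripping and lowercasing,
    or '' if there is no ':' at all (e.g. a relative image path)."""
    v = strip_low_chars(decode_numeric_refs(attr_value)).lower()
    head, sep, _rest = v.partition(":")
    return head if sep else ""


# Script schemes the cheat sheet mentions (javascript:, vbscript:, mocha:,
# livescript:); compare against the canonical form, never the raw value.
SCRIPT_SCHEMES = ("javascript", "vbscript", "livescript", "mocha")


def is_script_url(attr_value: str) -> bool:
    """True when the normalised value would be treated as a script URL."""
    return canonical_scheme(attr_value) in SCRIPT_SCHEMES
```

Compare the raw value and `canonical_scheme()` in a filter's log output: a value that only becomes "javascript" after normalisation is exactly the class of input the text is describing.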


Non-alpha-non-digit XSS. While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example "<SCRIPT\s" != "<SCRIPT/XSS\s":

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Non-alpha-non-digit part 2 XSS. yawnmoth brought my attention to this vector, based on the same idea as above; however, I expanded on it, using my fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Non-alpha-non-digit part 3 XSS. Yair Amit brought this to my attention: there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Extraneous open brackets. Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to suppress a JavaScript error:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


No closing script tags. In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware, I have no idea what the HTML will end up looking like once this is injected:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the encoding type, because the browser knows it in the context of a SCRIPT tag.

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Half open HTML/JavaScript XSS vector. Unlike Firefox the IE rendering engine doesn't add extra data to your page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes there is any HTML tag below where you are injecting this cross site scripting vector. Even though there is no close ">" tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ because it doesn't require the end ">". As a side note, this was also effective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
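
As an added example (not from the cheat sheet), the following Python runs the NIDS regex quoted above over constructed request lines beside a rule that keys on the open bracket and an attribute's equals sign instead of the closing ">"; the last sample line shows the false positive such a rule trades for its coverage. Rule and sample names are assumptions of this example.

```python
import re

# Added example, not from the cheat sheet. Two detection rules run over
# constructed request lines: the NIDS regex quoted in the text (which needs
# a closing '>' or %3E after the tag) and a broader rule that does not.
QUOTED_NIDS_RULE = re.compile(r"((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)")

# Broader rule: an open angle bracket (raw or %3C) starting a tag name, then
# an '=' (raw or %3D) later on the same line. A half-open tag that carries an
# attribute still has the '=', so the missing '>' no longer matters. The cost
# is that ordinary text of the shape "x<y&sort=" also matches (see sample 5).
HALF_OPEN_TAG_RULE = re.compile(r"(%3C|<)[A-Za-z][^\n]*?(%3D|=)", re.IGNORECASE)


def matches_quoted_rule(line: str) -> bool:
    return QUOTED_NIDS_RULE.search(line) is not None


def matches_half_open_rule(line: str) -> bool:
    return HALF_OPEN_TAG_RULE.search(line) is not None


# Constructed sample request lines for this example (not real traffic).
SAMPLE_LINES = [
    # 1: closed tag, both rules fire
    "GET /profile?name=<IMG SRC=\"javascript:alert('XSS')\"> HTTP/1.1",
    # 2: half-open tag as described in the text: no '>' anywhere on the line
    "GET /profile?name=<IMG SRC=\"javascript:alert('XSS')\" HTTP/1.1",
    # 3: the same request with the tag URL-encoded
    "GET /profile?name=%3CIMG%20SRC%3D%22javascript:alert(%27XSS%27)%22 HTTP/1.1",
    # 4: benign numeric comparison: '<' is followed by a digit, not a tag name
    "GET /search?q=1<2&sort=asc HTTP/1.1",
    # 5: benign text that still has the shape '<letter ... =': a false positive
    "GET /search?q=x<y&sort=asc HTTP/1.1",
]


def scan(lines):
    """Return one (quoted_rule_hit, half_open_rule_hit) pair per line."""
    return [(matches_quoted_rule(line), matches_half_open_rule(line))
            for line in lines]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LINES, scan(SAMPLE_LINES)):
        print(hits, line)
```

Sample 5 is the reason a broader rule belongs in a log-review or alert-scoring pipeline rather than a blocking one unless it is tuned against the site's real parameter values.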


Double open angle brackets. This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it's surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


XSS with no single quotes or double quotes or semicolons:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Escaping JavaScript escapes. When the application is written to output some user information inside of a JavaScript like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes, you can circumvent that by escaping their escape character. When this gets injected it will read <SCRIPT>var a="\\";alert('XSS');//";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. The XSS locator uses this method:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
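
An added example, not from the cheat sheet: the quote-only escaping described above, written in Python beside a hardened JS string encoder, with a small lexer-style check that reports what code follows the string literal in each rendering. INJECTED is the string from the text; the function names are this example's own.

```python
import json

# Added example, not from the cheat sheet. It reproduces the situation in the
# text (a value dropped into var a="..." with only the double quote escaped)
# and puts a hardened encoder beside it. Function names are this example's own.

# The injected string from the text, as a constructed Python literal:
#   \";alert('XSS');//
INJECTED = '\\";alert(\'XSS\');//'


def naive_escape(value: str) -> str:
    """Escaping as described in the text: only the double quote gets a
    backslash, so a backslash supplied by the user passes through untouched."""
    return value.replace('"', '\\"')


def render_naive(value: str) -> str:
    return '<SCRIPT>var a="%s";</SCRIPT>' % naive_escape(value)


def js_string_literal(value: str) -> str:
    """Hardened form: JSON encoding escapes the backslash itself, the quote
    and control characters (ensure_ascii keeps everything non-ASCII as
    \\uXXXX, which also covers the JS line terminators U+2028/2029). '<' and
    '>' are escaped too so the literal can never contain '</SCRIPT>'."""
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(value: str) -> str:
    return "<SCRIPT>var a=%s;</SCRIPT>" % js_string_literal(value)


def _string_literal_end(js: str, start: int) -> int:
    """Index just past the closing quote of the double-quoted literal that
    starts at js[start], honouring backslash escapes the way a JS lexer does."""
    i = start + 1
    while i < len(js):
        if js[i] == "\\":
            i += 2          # escaped character: skip it, whatever it is
        elif js[i] == '"':
            return i + 1
        else:
            i += 1
    raise ValueError("unterminated string literal")


def code_after_literal(rendered: str) -> str:
    """What the JS engine sees once the string literal closes. For a safe
    rendering this is exactly ';</SCRIPT>'; anything else means the user
    data ended the literal early and the rest runs as code."""
    start = rendered.index('var a=') + len('var a=')
    return rendered[_string_literal_end(rendered, start):]
```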


End title tag. This is a simple XSS vector that closes <TITLE> tags, which can encapsulate the malicious cross site scripting attack:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


INPUT image:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


BODY image:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


BODY tag (I like this method because it doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack). Dan Crowley additionally noted that you can put a space before the equals sign ("onload=" != "onload ="):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Event Handlers that can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Please note I have excluded browser support from this section because each one may have different results in different browsers. Thanks to Rene Ledosquet for the HTML+TIME updates:
1. FSCommand() (attacker can use this when executed from within an embedded Flash object)
2. onAbort() (when user aborts the loading of an image)
3. onActivate() (when object is set as the active element)
4. onAfterPrint() (activates after user prints or previews print job)
5. onAfterUpdate() (activates on data object after updating data in the source object)
6. onBeforeActivate() (fires before the object is set as the active element)
7. onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function)
8. onBeforeCut() (attacker executes the attack string right before a selection is cut)
9. onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
10. onBeforeEditFocus() (fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
11. onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)
12. onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function)
13. onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
14. onBegin() (the onbegin event fires immediately when the element's timeline begins)
15. onBlur() (in the case where another popup is loaded and window loses focus)
16. onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window)
17. onCellChange() (fires when data changes in the data provider)
18. onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)
19. onClick() (someone clicks on a form)
20. onContextMenu() (user would need to right click on attack area)
21. onControlSelect() (fires when the user is about to make a control selection of the object)
22. onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command)
23. onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command)
24. onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
25. onDataSetChanged() (fires when the data set exposed by a data source object changes)
26. onDataSetComplete() (fires to indicate that all data is available from the data source object)
27. onDblClick() (user double-clicks a form element or a link)
28. onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
29. onDrag() (requires that the user drags an object)
30. onDragEnd() (requires that the user drags an object)
31. onDragLeave() (requires that the user drags an object off a valid location)
32. onDragEnter() (requires that the user drags an object into a valid location)
33. onDragOver() (requires that the user drags an object into a valid location)
34. onDragDrop() (user drops an object (e.g. file) onto the browser window)
35. onDrop() (user drops an object (e.g. file) onto the browser window)
36. onEnd() (the onEnd event fires when the timeline ends. This can be exploited, like most of the HTML+TIME event handlers, by doing something like <P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">)
37. onError() (loading of a document or image causes an error)
38. onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
39. onFilterChange() (fires when a visual filter completes state change)
40. onFinish() (attacker can create the exploit when marquee is finished looping)
41. onFocus() (attacker executes the attack string when the window gets focus)
42. onFocusIn() (attacker executes the attack string when window gets focus)
43. onFocusOut() (attacker executes the attack string when window loses focus)
44. onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
45. onKeyDown() (user depresses a key)
46. onKeyPress() (user presses or holds down a key)
47. onKeyUp() (user releases a key)
48. onLayoutComplete() (user would have to print or print preview)
49. onLoad() (attacker executes the attack string after the window loads)
50. onLoseCapture() (can be exploited by the releaseCapture() method)
51. onMediaComplete() (when a streaming media file is used, this event could fire before the file starts playing)
52. onMediaError() (user opens a page in the browser that contains a media file, and the event fires when there is a problem)
53. onMouseDown() (the attacker would need to get the user to click on an image)
54. onMouseEnter() (cursor moves over an object or area)
55. onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
56. onMouseMove() (the attacker would need to get the user to mouse over an image or table)
57. onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
58. onMouseOver() (cursor moves over an object or area)
59. onMouseUp() (the attacker would need to get the user to click on an image)
60. onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
61. onMove() (user or attacker would move the page)
62. onMoveEnd() (user or attacker would move the page)
63. onMoveStart() (user or attacker would move the page)
64. onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline)
65. onPaste() (user would need to paste or attacker could use the execCommand("Paste") function)
66. onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element)
67. onProgress() (attacker would use this as a flash movie was loading)
68. onPropertyChange() (user or attacker would need to change an element property)
69. onReadyStateChange() (user or attacker would need to change an element property)
70. onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)
71. onReset() (user or attacker resets a form)
72. onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
73. onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
74. onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
75. onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
76. onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
77. onRowsEnter() (user or attacker would need to change a row in a data source)
78. onRowExit() (user or attacker would need to change a row in a data source)
79. onRowDelete() (user or attacker would need to delete a row in a data source)
80. onRowInserted() (user or attacker would need to insert a row in a data source)
81. onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
82. onSeek() (the onreverse event fires when the timeline is set to play in any direction other than forward)
83. onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
84. onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
85. onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
86. onStart() (fires at the beginning of each marquee loop)
87. onStop() (user would need to press the stop button or leave the webpage)
88. onSyncRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire)
89. onSubmit() (requires attacker or user submits a form)
90. onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)
91. onTrackChange() (user or attacker changes track in a playList)
92. onUnload() (as the user clicks any link or presses the back button or attacker forces a click)
93. onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
94. seekSegmentTime() (this is a method that locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)


IMG Dynsrc:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


IMG lowsrc:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


BGSOUND:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


& JavaScript includes (works in Netscape 4.x):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]


LAYER (also only works in Netscape 4.x):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]


STYLE sheet:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Remote style sheet (using something as simple as a remote style sheet you can include your XSS as the style parameter can be redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Remote style sheet part 2 (this works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Remote style sheet part 3. This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC2616 setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://ha.ckers.org/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Local htc file. This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


List-style-image. Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


VBscript in an image:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Mocha (older versions of Netscape only):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]


Livescript (older versions of Netscape only):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]


US-ASCII encoding (found by Kurt Huwig). This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding. I highly suggest anyone interested in alternate encoding issues look at my charsets issues page:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]


META (the odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


META using data: directive URL scheme. This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 for more details or go here or here to encode your own. You can also use the XSS calculator below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


META with additional URL parameter. If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (submitted by Moritz Naumann):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


IFRAME (if iframes are allowed there are a lot of other XSS problems as well):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


FRAME (frames have the same sorts of XSS problems as iframes):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


TABLE (who would have thought tables were XSS targets... except me, of course):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


TD (just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


DIV background-image:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


DIV background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


DIV expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression":

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


STYLE attribute using a comment to break up expression (thanks to Roman Ivanov for this one):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Anonymous HTML with STYLE attribute (IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


IMG STYLE with expression (this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart; like the above, this can send IE into a loop):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


STYLE tag (Older versions of Netscape only):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02] [NS4]


STYLE tag using background-image:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


STYLE tag using background:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore not in need of removal, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


BASE tag. Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


OBJECT tag (if they allow objects, you can also inject virus payloads to infect the users, etc., and the same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Using an OBJECT tag you can embed XSS directly (this is unverified so no browser support is added):



Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


You can EMBED SVG which can contain your XSS vector. This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one.

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Using ActionScript inside flash can obfuscate your XSS vector:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


XML namespace. The htc file must be located on the same server as your XSS vector:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode) - vector found by Sec Consult while auditing Yahoo:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


XML data island with comment obfuscation (this is another take on the same exploit that doesn't use CDATA fields, but rather uses comments to break up the javascript directive):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


HTML+TIME in XML. This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode, and remember that you need to be between HTML and BODY tags for this to work:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript file to an image as an XSS vector:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


PHP - requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


IMG Embedded commands - this works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc. This is one of the lesser used but more useful XSS vectors:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC="http://badguy.com/a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc.):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


UTF-7 encoding - if the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding, can be exploited with the following (thanks to Roman Ivanov for this one). You don't need the charset statement if the user's browser is set to auto-detect and there are no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode. This does not work in any modern browser without changing the encoding type, which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]




XSS using HTML quote encapsulation:
  • This was tested in IE, your mileage may vary. For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of a regex filter "/<script[^>]+src/i":

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


For performing XSS on sites that allow "<SCRIPT>" but don't allow "<script src..." by way of a regex filter "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" (this is an important one, because I've seen this regex in the wild):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i":

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Yet another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i". I know I said I wasn't going to discuss mitigation techniques, but the only thing I've seen work for this XSS example if you still want to allow <SCRIPT> tags but not remote script is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
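The state machine the author mentions does not have to be hand-written: an HTML tokenizer already is one, and it sees tag names and attributes the same way regardless of case, whitespace between tokens or quoting style, which is exactly where a "script ... src" regex has to guess. The block below is an added example (not code from the cheat sheet) that uses Python's html.parser to audit a fragment and report every script element carrying a src attribute; the sample markup in the test is constructed.

```python
from html.parser import HTMLParser


class ScriptAuditor(HTMLParser):
    """Tokenizer-based check: count <script> elements and collect the
    src value of every one that loads remote code."""

    def __init__(self):
        super().__init__()
        self.script_count = 0
        self.remote_sources = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and strips the
        # surrounding quotes from values, so no case/quote handling needed.
        if tag != "script":
            return
        self.script_count += 1
        for name, value in attrs:
            if name == "src":
                self.remote_sources.append(value or "")


def audit_scripts(fragment):
    """Return (number of script tags, list of src values found)."""
    auditor = ScriptAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.script_count, auditor.remote_sources


def allows_inline_only(fragment):
    """Policy from the text: inline <SCRIPT> permitted, remote script not.
    The author notes this policy is still weak; it is shown only to
    contrast the parser with the regex approach."""
    _, remote = audit_scripts(fragment)
    return not remote


if __name__ == "__main__":
    # Constructed sample input.
    sample = '<SCRIPT SRC="http://example.invalid/a.js"></SCRIPT><script>var x = 1;</script>'
    print(audit_scripts(sample))
```

Tag and attribute recognition is delegated to the tokenizer's own state machine, so a filter built this way cannot disagree with the parser about where an attribute starts; the remaining weakness, as the text says, is allowing script at all.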


And one last XSS attack to evade "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]




URL string evasion (assuming "http://www.google.com/" is programmatically disallowed):
  • IP versus hostname:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


URL encoding:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Dword encoding (Note: there are other variations of Dword encoding):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Hex encoding (the total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex octet is not required):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Octal encoding (again padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc.):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Mixed encoding (let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Protocol resolution bypass (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two fewer characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to Ozh for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
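Every entry in the list above (IP versus hostname, URL encoding, dword, hex, octal and mixed encoding, tab and newline padding, scheme-relative // and \\) defeats a filter that compares the raw string, and the defender's answer is to canonicalise the URL the way the browser will before comparing. The block below is an added example (not code from the cheat sheet) that applies those normalisations: it strips tab/CR/LF, treats // and \\ as http://, percent-decodes the host, drops a trailing DNS dot, and converts any inet_aton-style IPv4 literal to dotted-quad form. The disallowed host "example.com" and its "resolved" address 10.0.0.1 are constructed; real code would obtain the address from the resolver.

```python
import re
from urllib.parse import urlsplit, unquote

# Browsers discard tab, CR and LF anywhere in a URL before parsing it.
_URL_WHITESPACE = re.compile(r"[\t\r\n]")


def _ip_component(text):
    """Parse one dotted component with inet_aton rules: 0x prefix is hex,
    a leading 0 is octal, anything else decimal. Raises ValueError."""
    if not text or not text[0].isdigit() or "_" in text:
        raise ValueError(text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host):
    """Return the dotted-quad form if host is an IPv4 literal in dword,
    hex, octal, decimal or short (a.b / a.b.c) notation, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_ip_component(p) for p in parts]
    except ValueError:
        return None
    *lead, last = values
    if any(v > 255 for v in lead):
        return None
    tail_bits = 8 * (4 - len(lead))      # the last component fills the rest
    if last >= 1 << tail_bits:
        return None
    number = 0
    for v in lead:
        number = (number << 8) | v
    number = (number << tail_bits) | last
    return ".".join(str((number >> s) & 0xFF) for s in (24, 16, 8, 0))


def canonical_host(raw_url, default_scheme="http"):
    """Return (scheme, host) after the normalisations a browser applies,
    so the result can be compared against a policy."""
    url = _URL_WHITESPACE.sub("", raw_url)
    if url.startswith("//") or url.startswith("\\\\"):
        # scheme-relative forms resolve to the page's scheme; assume http
        url = default_scheme + ":" + url.replace("\\", "/")
    parts = urlsplit(url)
    host = unquote(parts.hostname or "")   # undo %77%77%77-style encoding
    ip = canonical_ipv4(host)
    if ip is not None:
        return parts.scheme.lower(), ip
    return parts.scheme.lower(), host.rstrip(".")   # absolute DNS dot


def url_is_disallowed(raw_url, disallowed_hosts, disallowed_ips):
    """Policy check on the canonical host. disallowed_ips must contain the
    addresses the disallowed names resolve to (resolved out of band)."""
    _, host = canonical_host(raw_url)
    if host in disallowed_ips:
        return True
    return any(host == h or host.endswith("." + h) for h in disallowed_hosts)


if __name__ == "__main__":
    # Constructed policy: block example.com, which we pretend resolves to 10.0.0.1.
    for candidate in ("http://www.example.com./", "http://0xa.0.0.1/", "//167772161/"):
        print(candidate, url_is_disallowed(candidate, {"example.com"}, {"10.0.0.1"}))
```

Comparing against an allow-list of canonical hosts is the more robust policy; the deny-list form is used here only because that is the premise the list above starts from.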


Google "feeling lucky" part 1. Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top result for some random keyword you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatenate several keywords by using something like "keyword:XSS+RSnake", for instance. This no longer works within Firefox as of 2.0.

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Google "feeling lucky" part 2. This uses a very tiny trick that appears to work in Firefox only, because of its implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Google "feeling lucky" part 3. This uses a malformed URL that appears to work in Firefox and Opera only, because of their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Removing cnames (when combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Extra dot for absolute DNS:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


JavaScript link location:

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Content replace as attack vector (assuming "http://www.google.com/" is programmatically replaced with nothing). I actually used a similar attack vector against several separate real world XSS filters by using the conversion filter itself to help create the attack vector (i.e. "java&#x26;#x09;script:" was converted into "java&#x09;script:", which renders in IE, Netscape 8.1+ in secure site mode and Opera):

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
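The filter weakness described above is that a single pass of "remove the forbidden substring" is not idempotent: its own output can contain the very string it just removed. The block below is an added example (not code from the cheat sheet) that models such a filter on the page's own forbidden value, shows an idempotence check a reviewer can apply to any sanitizer, and gives the two fixes a defender would reach for: re-run the strip until the output stops changing, or reject the input outright instead of rewriting it. The nested input is constructed.

```python
# The forbidden substring from the text; a single str.replace models the
# "programmatically replaced with nothing" filter.
FORBIDDEN = "http://www.google.com/"


def naive_strip(value):
    """One pass, as the weak filter does it."""
    return value.replace(FORBIDDEN, "")


def is_idempotent(sanitize, value):
    """A sanitizer is safe to apply once only if a second application
    changes nothing. Any input for which this is False is a bypass."""
    once = sanitize(value)
    return sanitize(once) == once


def strip_to_fixpoint(value, max_rounds=16):
    """Fix 1: repeat the strip until the output is stable, so the result
    can never contain FORBIDDEN. Bails out rather than loop forever."""
    for _ in range(max_rounds):
        new = naive_strip(value)
        if new == value:
            return new
        value = new
    raise ValueError("sanitizer did not converge")


def reject_if_forbidden(value):
    """Fix 2 (preferred): refuse the input instead of rewriting it, so the
    filter's own behaviour cannot be used to build the payload."""
    if FORBIDDEN in value:
        raise ValueError("forbidden URL present")
    return value


if __name__ == "__main__":
    # Constructed: the forbidden string nested inside a copy of itself.
    nested = "http://www.g" + FORBIDDEN + "oogle.com/"
    print(naive_strip(nested))          # the strip rebuilds the forbidden string
    print(is_idempotent(naive_strip, nested))
    print(repr(strip_to_fixpoint(nested)))
```

The idempotence check is the general lesson: run it over a sanitizer's test corpus, and any input that fails it is evidence the sanitizer can be turned against itself in the way the text describes.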


Character Encoding:
  • All the possible combinations of the character "<" in HTML and JavaScript (in UTF-8). Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above (standards are great, aren't they?):





Browser support reference table:


IE7.0   Vector works in Internet Explorer 7.0. Most recently tested with Internet Explorer 7.0.5700.6 RC1, Windows XP Professional SP2.
IE6.0   Vector works in Internet Explorer. Most recently tested with Internet Explorer 6.0.28.1.1106CO, SP2 on Windows 2000.
NS8.1-IE   Vector works in Netscape 8.1+ in IE rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional. This used to be called trusted mode, but Netscape has changed its security model away from the trusted/untrusted model and has opted towards Gecko as a default and IE as an option.
NS8.1-G   Vector works in Netscape 8.1+ in the Gecko rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional.
FF2.0   Vector works in Mozilla's Gecko rendering engine, used by Firefox. Most recently tested with Firefox 2.0.0.2 on Windows XP Professional.
O9.02   Vector works in Opera. Most recently tested with Opera 9.02, Build 8586 on Windows XP Professional.
NS4   Vector works in older versions of Netscape 4.0 - untested.

Note: if a vector is not marked it either does not work or it is untested.

