Jump to content
Aerosol

XSS Auditor bypass

By Aerosol, in Securitate web

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted

XSS Auditor is getting pretty good at least in the tests I was doing however after a bit of testing I found a cool bypass. Without studying the code it seems that it checks for valid JavaScript within the vector, I thought I could use this to my advantage. I came up with the idea of using an existing script block to smuggle my vector and reusing the closing script on the page. The page contains a script block like this:

<script>x = "MY INJECTION"</script>

As every XSS hacker knows you can use a “</script>” block to escape out of the script block and inject a HTML XSS vector. So I broke out of the script block and used the trailing quote to form my vector. Like so:

</script><script>alert(1)+"

You could of course use a standard ",alert(1)," but what if quotes are filtered? I then came up with the idea of using SVG and an HTML escaped quote. This bypasses the filter and is a HTML XSS vector that doesn’t have a DOM vulnerability so it’s within scope of the filter and is very common in my experience. Here is the final vector:

<script>
x = "</script><svg><script>alert(1)+"";

XSS auditor PoC: HERE

Source

Aerosol Newbie

Aerosol

Posted
  • Author
Posted

Another XSS auditor bypass

This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame chrome doesn’t support self closing scripts in HTML or within a SVG element because I’m pretty sure I could bypass it without using an existing script. Anyway the injection uses a data url with a script. In order to bypass the filter we need to concat the string with the quote from the attribute or use html entities such as:

&sol;&sol;

.

EX: 

%22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol;

The HTML parser doesn’t care how much junk is between the opening and closing script since we are using a src attribute.

P.O.C

http://challenge.hackvertor.co.uk/script3.php?x=%22%3E%3Cscript/src=data:,alert(1)%2b%22

P.O.C

http://challenge.hackvertor.co.uk/script3.php?x=%22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol;

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...