Aerosol

XSS Auditor bypass


XSS Auditor is getting pretty good, at least in the tests I was doing; however, after a bit of testing I found a cool bypass. Without studying the code, it seems that it checks for valid JavaScript within the vector, and I thought I could use this to my advantage. I came up with the idea of using an existing script block to smuggle my vector and reusing the closing script on the page. The page contains a script block like this:

<script>x = "MY INJECTION"</script>

As every XSS hacker knows, you can use a “</script>” block to escape out of the script block and inject an HTML XSS vector. So I broke out of the script block and used the trailing quote to form my vector. Like so:

</script><script>alert(1)+"

You could of course use a standard ",alert(1)," but what if quotes are filtered? I then came up with the idea of using SVG and an HTML-escaped quote. This bypasses the filter and is an HTML XSS vector that doesn’t have a DOM vulnerability, so it’s within scope of the filter and is very common in my experience. Here is the final vector:

<script>
x = "</script><svg><script>alert(1)+"";

XSS auditor PoC: HERE

Source

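The first post works because the HTML tokenizer ends an inline script at the first "</script" it sees, whatever the JavaScript string syntax around it, so a template that pastes raw input between quotes hands the attacker the closing tag. The following is an added example (not the poster's code or the challenge site's) showing the defender's side: the naive template from the post beside a rendering that serializes the value as a JavaScript string literal with "<" escaped, plus a check that counts how many script-closing sequences the tokenizer would see. The template string and the sample input are constructed here to mirror the post; the TEMPLATE, js_string_literal and count_script_blocks names are this example's own.

```python
import json
import re

# Constructed template: the injection point sits inside a JavaScript string
# literal in an inline <script> block, exactly as the post describes.
TEMPLATE = '<script>x = "{value}"</script>'

# Constructed copy of the post's final vector, as the raw value a user submits.
SAMPLE_INPUT = '</script><svg><script>alert(1)+"'

# Extra escapes applied on top of JSON encoding. "<" is the one that matters:
# the HTML tokenizer cannot see "</script" once "<" is written as \u003c.
# ">" and "&" are escaped for symmetry, "/" as belt and braces, and U+2028/2029
# because older engines treat them as line terminators inside a literal.
_JS_ESCAPES = {
    '<': '\\u003c',
    '>': '\\u003e',
    '&': '\\u0026',
    '/': '\\/',
    '\u2028': '\\u2028',
    '\u2029': '\\u2029',
}

_CLOSE_SCRIPT = re.compile(r'</script', re.IGNORECASE)


def js_string_literal(value: str) -> str:
    """Serialize value as a double-quoted JavaScript string literal that is safe
    inside an inline <script> block. json.dumps handles quotes, backslashes and
    control characters; the extra table keeps "</script" out of the output.
    The result is still valid JSON, so it round-trips through json.loads."""
    literal = json.dumps(value, ensure_ascii=True)
    return ''.join(_JS_ESCAPES.get(ch, ch) for ch in literal)


def render_unsafe(value: str) -> str:
    """The naive template from the post: the raw value is pasted between quotes."""
    return TEMPLATE.format(value=value)


def render_safe(value: str) -> str:
    """Same page, but the literal supplies its own quotes and escaping."""
    return '<script>x = {literal}</script>'.format(literal=js_string_literal(value))


def count_script_blocks(html: str) -> int:
    """Number of '</script' sequences the tokenizer would act on. A page with one
    inline script must yield exactly 1; anything higher means the value broke out."""
    return len(_CLOSE_SCRIPT.findall(html))


def decodes_to(literal: str, expected: str) -> bool:
    """Confirm the escaped literal still denotes the original value."""
    return json.loads(literal) == expected


if __name__ == '__main__':
    print('unsafe :', render_unsafe(SAMPLE_INPUT))
    print('  script closes seen:', count_script_blocks(render_unsafe(SAMPLE_INPUT)))
    print('safe   :', render_safe(SAMPLE_INPUT))
    print('  script closes seen:', count_script_blocks(render_safe(SAMPLE_INPUT)))
```

The count check is a useful regression test for any template that embeds data in an inline script: render with a value containing "</script>" and assert the count stays at one. A browser-side filter such as XSS Auditor (since removed from Chrome) was never a substitute for this encoding.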

Another XSS auditor bypass

This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame Chrome doesn’t support self-closing scripts in HTML or within an SVG element, because I’m pretty sure I could bypass it without using an existing script. Anyway, the injection uses a data URL with a script. In order to bypass the filter we need to concat the string with the quote from the attribute or use HTML entities such as:

&sol;&sol;

EX:

%22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol;

The HTML parser doesn’t care how much junk is between the opening and closing script since we are using a src attribute.

P.O.C

http://challenge.hackvertor.co.uk/script3.php?x=%22%3E%3Cscript/src=data:,alert(1)%2b%22

P.O.C

http://challenge.hackvertor.co.uk/script3.php?x=%22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol;

Source

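The second post's vector starts with an encoded `">`, so its injection point is an HTML attribute value rather than a script string, and the script it opens loads from a data: URL. Two defender controls apply: encode attribute values so `"` and `<` cannot end the attribute or open a tag, and ship a Content-Security-Policy whose script-src does not list `data:`, so a script element with a data: src is blocked even if the encoding is missed. The following is an added example (not the poster's code or the challenge site's): the attribute template is an assumption about what script3.php renders, the sample input is a constructed decoded copy of the post's vector, and `csp_allows_script` is a deliberately minimal source-list matcher ('none', 'self', scheme sources, plain host sources), not a full CSP implementation.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed attribute-context template; the real script3.php source is not on the page.
TEMPLATE = '<input type="text" name="x" value="{value}">'

# Constructed, URL-decoded copy of the post's second PoC value.
SAMPLE_INPUT = '"><script/src=data:,alert(1)&sol;&sol;'

# '<script' followed by whitespace, '/' or '>' opens a script element; the post
# relies on the '/' form, so the check covers all three.
_SCRIPT_OPEN = re.compile(r'<script[\s/>]', re.IGNORECASE)


def render_unsafe(value: str) -> str:
    """Raw value pasted into a double-quoted attribute (the vulnerable pattern)."""
    return TEMPLATE.format(value=value)


def render_safe(value: str) -> str:
    """Attribute-encoded value: & < > " ' become entities, so the attribute cannot
    be closed early and no tag can be opened inside it."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def starts_script_tag(rendered: str) -> bool:
    """True if the tokenizer would open a <script> element anywhere in rendered."""
    return _SCRIPT_OPEN.search(rendered) is not None


def csp_allows_script(policy: str, script_url: str, page_origin: str) -> bool:
    """Minimal evaluation of a CSP script-src (falling back to default-src) for one
    script URL. Supports 'none', 'self', scheme sources such as data: or https:,
    and host sources with an optional scheme. Assumption-labelled: this is a
    teaching matcher, not the CSP3 algorithm (no wildcards, ports or nonces)."""
    directives = {}
    for part in policy.split(';'):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get('script-src', directives.get('default-src'))
    if sources is None:
        return True  # nothing in the policy restricts scripts
    target = urlsplit(script_url)
    origin = urlsplit(page_origin)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            continue  # matches nothing
        if s == "'self'":
            if target.scheme == origin.scheme and target.netloc == origin.netloc:
                return True
        elif s.endswith(':') and '/' not in s:
            if target.scheme == s[:-1]:  # scheme source, e.g. data: or https:
                return True
        else:
            scheme, sep, rest = s.partition('://')
            host = (rest if sep else scheme).split('/', 1)[0]
            if target.hostname == host and (not sep or target.scheme == scheme):
                return True
    return False


if __name__ == '__main__':
    policy = "default-src 'self'; script-src 'self'"
    print('unsafe opens script :', starts_script_tag(render_unsafe(SAMPLE_INPUT)))
    print('safe opens script   :', starts_script_tag(render_safe(SAMPLE_INPUT)))
    print('CSP allows data: src:', csp_allows_script(policy, 'data:,alert(1)//', 'https://example.test'))
```

Note that `html.escape` also turns the `&` of `&sol;` into `&amp;`, so the entity trick in the post is neutralised along with the quote; and because the data: URL's scheme is what the policy evaluates, the `&sol;&sol;` suffix makes no difference to the CSP outcome.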
