Sunday 23 February 2014

How to bypass XSS filters

Introduction

XSS is one of the most common web vulnerabilities. XSS attacks are often overlooked by administrators, even though there are many ways to exploit this vulnerability.
In this tutorial I will explain how to bypass XSS filters with a few tricks.

Remember, you must first know the XSS attack vectors, because there are different ways to attack with Cross Site Scripting and the vulnerability might not be where we think it is. Sometimes the vulnerability is exploited via the $_GET method, but it may also be exploited via $_POST, $_COOKIE or $_SERVER.

Required

For this tutorial the attacker will require the following:

A Web Browser
Text Editor
Web Server (Apache + PHP)

Without filters

Here is an example of an XSS vulnerability without filters. Imagine a page http://localhost/page.php?name=John with the following code.

You can basically exploit it by editing the URL.

Result : http://localhost/page.php?name=<script>alert('XSS')</script>


Bypass a basic str_replace() filter

Now imagine the PHP code looks like the one below: you can't pass the string "script".

Nothing hard, just uppercase one or a few letters.

Result : http://localhost/page.php?name=<ScrIpt>alert('XSS')</ScriPt>


Bypass XSS filter of htmlentities()

In my opinion this is the most interesting part, because a lot of websites use the htmlentities() function against XSS, but it is only efficient against double quotes. I will show you how to bypass an htmlentities() XSS filter.

This is how I generally bypass htmlentities(): don't use <, > or ", and make use of HTML events.

Result : http://localhost/page.php?img=.' onerror='alert("XSS")


Bypass XSS filter using data URIs

This is not a well-known vulnerability, but it bypasses almost all XSS filters. Data URIs are generally used for images, to keep them as text inside an HTML document.
I noticed that sometimes you can use them to bypass the htmlspecialchars() XSS filter. The vulnerable page is designed to show a data URI image from the following URL:
http://localhost/page.php?img=

By changing the data type from image/gif to text/html, and the data content, it is possible to exploit XSS.

Result : http://localhost/page.php?img=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
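Added example, not from the original post, covering the htmlentities() and data URI sections above from the defender's side: the single-quoted attribute that htmlentities() with its pre-PHP 8.1 default flags leaves open, beside a hardened version that encodes with ENT_QUOTES, double-quotes the attribute, and only accepts http(s) or image data URIs for the src value. The function names and the page's output format are assumptions for the example; the inputs are constructed from the post's own payloads.

```php
<?php
// Weak output: htmlentities() with default flags (ENT_COMPAT on PHP < 8.1)
// escapes < > & and double quotes but not single quotes, so a single-quoted
// attribute can still be terminated and an onerror handler appended.
function weak_img_tag(string $img): string {
    return "<img src='" . htmlentities($img) . "'>";
}

// Hardened encoding: ENT_QUOTES covers both quote styles, and the attribute
// is double-quoted so the encoded value can never close it.
function safe_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Encoding alone does not help when the attacker controls the whole src
// value (data:text/html, javascript:), so allow only known-safe schemes.
function safe_img_src(string $url): ?string {
    if (preg_match('#^https?://#i', $url)) {
        return $url;
    }
    if (preg_match('#^data:image/(gif|png|jpeg);base64,[A-Za-z0-9+/=]+$#', $url)) {
        return $url;
    }
    return null; // rejects data:text/html;base64,... and friends
}

function safe_img_tag(string $url): string {
    $src = safe_img_src($url);
    if ($src === null) {
        return '<img src="" alt="invalid image">';
    }
    return '<img src="' . safe_text($src) . '">';
}

// Constructed inputs mirroring the post's payloads (assumed, no real target).
$payloads = [
    ".' onerror='alert(\"XSS\")",
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=',
    'data:image/gif;base64,R0lGODlhAQABAAAAACw=',
];
foreach ($payloads as $p) {
    echo "weak: " . weak_img_tag($p) . "\n";
    echo "safe: " . safe_img_tag($p) . "\n";
}
```

On PHP 8.1 and later htmlentities() defaults to ENT_QUOTES, so the first payload no longer breaks out of the attribute, but the data URI case is only closed by the scheme allowlist.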
