XSS in HTML Tag Attributes

(In html tag "img", attribute is "src")

XSS context is into an HTML tag attribute value.

Terminate the attribute value, close the tag, and introduce a new one like below:

"><script>alert(document.domain)</script>

Likely angle brackets will be blocked or encoded, so can't break out of the tag, instead introduce an attribute to the tag that allows scriptable context (invoke js) like event handler (onload,etc)

" autofocus onfocus=alert(document.domain) x="

executes js when element in focus, also autofocus automatically focusses on element, "x=" to act as a comment and handle original content of tag.

LAB 1 : Reflected XSS into attribute with angle brackets HTML-encoded

Into HTML tag attribute that can create scriptable context

Execute JavaScript without needing to terminate the attribute value. href attribute of anchor tag can execute script using pseudo-protocol:

LAB 2 : Stored XSS into anchor href attribute with double quotes HTML-encoded

Using testing string (XSS Locator Polyglot) to identify XSS location:

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

I used the anchor tag payload, but alert didn't pop after visiting the page. Had to click on the anchor element itselt to trigger the xss.

Situation: Angle brackets are encoded. Can inject into tags that don't fire events automatically like canonical tags.

You can exploit this behavior using access keys and user interaction on Chrome. Access keys allow you to provide keyboard shortcuts that reference a specific element.

accesskey attribute defines a letter that when pressed in combination to other keys (depends on browser used), fires an event. This accesskey is linked to element and fires an event onto the same.

XSS in canonical link tag

Use will invoke events defined on canonical link tag and payload will be executed. On chrome it is triggered using Shift+Alt+"character specified in the tag"

LAB 3 : Reflected XSS in canonical link tag

Description:

This lab reflects user input in a canonical link tag and escapes angle brackets.

To solve the lab, perform a cross-site scripting attack on the home page that injects an attribute that calls the alert function.

To assist with your exploit, you can assume that the simulated user will press the following key combinations:

  • ALT+SHIFT+X

  • CTRL+ALT+X

  • Alt+X

Please note that the intended solution to this lab is only possible in Chrome.

Detection:

https://chrome.google.com/webstore/detail/inspect-canonical/glkngfenfpegejlggjfcmdobodjlfann/related?hl=en

Trying to escape the href attribute to run canonical link payload:

Using XSS polygot as value to a dummy url parameter

Polyglot string exits the href attribute
The single quote is responsible for exiting the href

Attack:

Payload to insert into response
Adding payload
Adding full canonical link xss payload
Press Shift+Alt+x to trigger xss payload. Valid as canonical trigger results in attacker code execution

XSS in JavaScript

When the input is returned inside a Javascript of the page.

Terminate existing script

In this case, we try to close the "script" tags our input gets inserted into and then introduce new HTML tags that trigger JavaScript execution.

In the example below, our input is inserted into js variable.

With this ability we manipulate js to close the "script" tag and introduce html that will allow to control js execution.

Note: Payload doesn't contain single quote to close the input var defination. This doesn't stop us. All that matters is that our payload closes </script> tag gracefully. When page is parsed, first HTML DOM is created and hence our input is treated first to form DOM (based on tags). HTML events are handled. Then the non-closed input var error occurs in js. But, we don't care as HTML events have already occured by our payload. In other words we needn't escape the input var (even if breaks script), just be able insert HTML tags.

Errors in JS are redundant, as XSS happens using HTML tags Hence, all care is if html tags can inserted into the page.

LAB 4 : Reflected XSS into a JavaScript string with single quote and backslash escaped

Polyglot into input
The first 2 single quotes of payload are escaped as \'\' Angle brackets are allowed, should be sufficient.
Trying to escape script tag by closing it using </script>
Page source reveals where the trash strings come from

Introducing onload xss payload after terminating existing script tags

Breaking out of a JavaScript string

For cases when angle brackets in input are HTML encoded.

Unlike in the previous example where we try to break from JS scripts' <script> tag and execute js using HTML tag. (Can't as can't introduce required angle brackes for tags)

Here, We try to execute js from within the script the input is inserted into. For this we must make sure js executes gracefully i.e no errors caused or our payload doesn't break the JS script, as our payload would be executed by the same JS script and error prevents its execution.

For example previous case + bracket html encoding, payload needs to close variable definition, include attack js command, Comment out remaining single quote as opening quote closed in step 1.

This would

LAB 5 : Reflected XSS into a JavaScript string with angle brackets HTML encoded

Polyglot reveals <> are HTML encoded

Single quote left not handled, hence causes error, No alert is generated as execuion error

After fixing error by handling the single quote left, payload correctly executed:

Escaped Single quote with backslash

Application prevents breaking out of JS by escaping single quote with backslash.

is escaped and inserted into JS as

\' is interpreted by browser literally as ' and not a special character that can terminate a JS string.

Loophole: Anything after a backslash is interpreter literally. So what if we backslash a backslash that gets added before ' . This will make the make the backslash app adds to escape quote, a literal backslash and therefore it won't be able to escape our single quote as intended.

Initial payload:

Quote is escaped (\') and is treated as literal character and not special character that can terminate js string.

Bypass:

A backslash is added before the quote, results in \\', when the browser renders this, the \\ is interpreted as a literal \ not a special character that can escape our quote

LAB 7 : Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

Polyglot reveals ' is escaped along with others:

Bypassing:

Fixing the ending for execution:

XSS when characters blocked on different level (like WAF)

Defenses between user and website, block payloads from reaching the latter.

Defenses check from a whitelist to decide what requests to permit and block. Usually on the basis of the request containing data of (/resembling a) well known attack payload. This would affect the functions we use to perform xss.

Defense:

On such defense is to block parentheses. This blocks an alert() payload.

Bypass: "throw" statement with exception handler. Enables to pass arguments without using parentheses.

How: onerror: This

LAB 8 👍:Reflected XSS in a JavaScript URL with some characters blocked

https://esdiscuss.org/topic/hacking-onerror-throw

Use of HTML-encoding

In this case, the user controlled data inserted into (XSS context) a quoted tag attribute of Javascript code in response page. For instance, user input reflected in returned javascript in a variable definition.

The onclick action, executes some javascript, and our input is reflected within single quotes in the js code.

XSS context:

<a href="#" onclick="... var input='controllable data here'; ...">

Application blocks/escapes single quotes, so can't exit "input=" using them.

For this case, use HTML entity representing an apostrophe or single quote:

&apos;

Payload becomes:

&apos;-alert(document.domain)-&apos;

Why this works?

Because, the browser HTML-decoded the onclick attribute before the JavaScript within it interpreted. Therefore the HTML entity &apos; is decoded as quote, and becomes string delimiters when javascript interepretation kicks in.

LAB 9: Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

To discover:

insert &apos; into all input parameters.

XSS in JavaScript template literals

Template literals are literals delimited with backtick (`) characters. Commonly for string interpolation.

literals can also contain other parts called placeholders : embedded expressions delimited by a dollar sign and curly braces: ${expression}

Lab 10:

Here, we searched for aaaa, and got the following response:

Note var message is defined using ` quotes hence message is a template literal

You can see that the var message is defined using JavaScript template literals and then, this variable is inserted into 'searchMessage' id element.

To exploit, lets can use String Interpolation in JS. i.e use of ${} within Template Literals ``

String interpolation executes embeded javascript expression within it i.e ${}.

This string interpolation is used when defining a template literal and is executed when the later is processed.

String Interpolation allows to execute ${1+1} to get 2.

This way we can execute arbitrary Javascript. Lets try for alert.

${alert('a')} wont' work as single quotes are disabled.

This means, first javascript is executed within string template, regardless the error, execution goes through. Any alert is executed as below.
${alert(document.domain)}

XSS in AngularJS sandbox context

Possible to exploit XSS in AngularJS context

PreviousSVG elementsNextXSS Locator Polyglot

Last updated

Was this helpful?