Alternate XSS Syntax
Last revision (mm/dd/yy): 09/5/2008
ASDR Table of Contents
Related Security Activities
Description of Cross-site Scripting Vulnerabilities
See the OWASP article on Cross-site scripting Vulnerabilities.
How to Avoid Cross-site scripting Vulnerabilities
How to Review Code for Cross-site scripting Vulnerabilities
How to Test for Cross-site scripting Vulnerabilities
XSS attacks have to pass two hurdles. First they must get through the application without being filtered, validated, or encoded in a way that prevents them from executing. Second, they much be carefully crafted so that they seamlessly insert their payload into the HTML document so that it will run when loaded by the browser.
In effect we may try to bypass more or less successful input data filtering methods. Some JS and HTML constructions after encoding are correctly interpreted by some browsers, nonetheless it often varies on the web browser version, and others are not.
If we want to use popular <script> tags anyway, we may try to bypass filtering replacing given characters with their equivalents:
From To < < > > ( ( ) ) # # & & " "
In this case:
<script>alert('y0u ar3 0wn3d!');</script>
would be replaced with:
<script>alert('y0u ar3 0wn3d!')</script>
In most contexts this encoded string will not execute. However there are some environments, particularly Ajax and XML processing engines, that will automatically decode these encoded characters and allow the attack to execute.
We don't need to do replacement at all, we may get the same effect in many different ways.
XSS using Script in Attributes
XSS attacks may be conducted without using <script></script> tags. Other tags will do exacly the same thing, e.g.:
or other attribites like: onmouseover, onerror.
<b onmouseover=alert('Wufff!')>click me!</b>
<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
XSS using Script Via Encoded URI Schemes
If we need to hide against web application filters we may try to encode string characters, e.g.: a=A (UTF-8) and use it in IMG tag:
There are many different UTF-8 encoding notations what give us even more possibilities.
XSS using code encoding
We may encode our script in base64 and place it in META tag. This way we get rid of alert() totally. More information about this method can be found in RFC 2397
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">
These (just a little modified by me) and others examples can be found on http://ha.ckers.org/xss.html, which is a true encyclopedia of the alternate XSS syntax attack.
Related Threat Agents
- HTML Entity Encoding
- Use whitelists and if it's possible specify detailed format of the expected output data.