Filter Bypass in Multi Context

March 10, 2020March 10, 2020 Brute The Art of XSS Payload Building

Some Cross-Site Scripting (XSS) vectors arise from strict but allowed possibilities, forming tricky combinations. It’s all about contexts and sometimes the interaction between different contexts with different filters lead to some interesting bypasses.

Although in the same document (or page), usually the source code of a HTTP response is formed by 3 different contexts: HTML, Javascript and CSS. They have their own syntax and different filters are applied to the output of user input to avoid XSS situations.

Continue reading →

Testing for XSS (Like a KNOXSS)

November 28, 2019December 2, 2019 Brute The Art of XSS Payload Building

Testing for Cross-Site Scripting (XSS) might seem easy at first sight, with several hacking tools automating this process. But regardless of how tests to find a XSS are performed, automated or manually, here we will see a step-by-step procedure to try to find most of the XSS cases out there.

For that we will use the same approach employed by KNOXSS, our online XSS PoC tool. Although without details of its own implementation and intermediary steps needed to make its decisions (which will be done by ourselves if we follow the tests manually), this will cover pretty much what is done by this unique tool.

Continue reading →

XSS via HTTP Headers

August 21, 2019August 21, 2019 Brute The Art of XSS Payload Building

In some cases, an information passed in one of the HTTP headers of the application is not correctly sanitized and it’s outputted somewhere in the requested page or in another end, giving rise to a XSS situation.

But unfortunately, once an attacker can’t make a victim to edit his/her own HTTP headers in an actual XSS attack, those scenarios can only be exploited if the attacker payload remains stored somehow. Continue reading →

XSS in Limited Input Formats

March 11, 2019March 11, 2019 Brute The Art of XSS Payload Building

Testing for XSS vulnerabilities requires knowing the data format of input. Usually the format is simply “string” without any restrictions but sometimes the manipulation of XSS entry point is limited.

In most of times it might lead to the assumption of a security filter, one designed/employed specifically to avoid the attack which is not true.

Continue reading →

Advanced JavaScript Injections

December 11, 2018December 11, 2018 Brute The Art of XSS Payload Building

Simple JavaScript injections like ‘-alert(1)-’ or even \’-alert(1)// (see cases #6 and #7 here) are usually enough to pop an alert box in a vulnerable page when an input reflection happens inside a script block and no HTML injection is possible (case #5 of same post above).

But there are cases where the injection point lands in the middle of a more complex JS code: inside functions and conditionals (if or if+else), nested inside each other.

Continue reading →

Quoteless Javascript Injections

September 17, 2018November 3, 2018 Brute The Art of XSS Payload Building

In multi reflection scenarios, like we already have seen here, it’s possible to use payloads in such a way that avoid filters and WAFs (Web Application Firewalls) due to the change in the order of its elements.

But in source-based JS injections (those which happen in script blocks) there’s another interesting consequence of having more than one reflection point.

Continue reading →

DOM-based XSS – The 3 Sinks

April 16, 2018November 3, 2018 Brute The Art of XSS Payload Building

The most common type of XSS (Cross-Site Scripting) is source-based. It means that injected JavaScript code comes from server side to execute in client side.

But there’s another main type, the DOM-based one, where injected malicious input does not come from server via reflected or stored means: XSS is generated in client side by native JavaScript code.

Continue reading →

Chrome XSS Auditor – SVG Bypass

August 14, 2017November 3, 2018 Brute The Art of XSS Payload Building

More than an year ago, in my private twitter account Brutal Secrets, I shared an interesting way to bypass Google’s Chrome anti-XSS filter called XSS Auditor. We will see now in details, from a blackbox perspective, a logical sequence of assumptions and conclusions that leads to our XSS vector responsible for the bypass.

Continue reading →

The 7 Main XSS Cases Everyone Should Know

July 10, 2017November 3, 2018 Brute The Art of XSS Payload Building

When reading material on XSS subject we usually see the classical <script>alert(1)</script> as an demonstration of such vulnerability (PoC – Proof of Concept). While very true, it doesn’t go much beyond this, making the novice in this field to look for more in order to deal with real world scenarios.

Continue reading →

Compromising CMSes with XSS

June 5, 2017November 3, 2018 Brute The Art of XSS Payload Building

CMSes (Content Management Systems) are a perfect target for XSS attacks: with their module installation features and the possibility to know all the requests done by a legit administrator of the system previously, it’s pretty easy to mount a CSRF (Cross-Site Request Forgery) attack against him/her.

Continue reading →

Brute XSS

Master the art of Cross Site Scripting.

Filter Bypass in Multi Context

Testing for XSS (Like a KNOXSS)

XSS via HTTP Headers

XSS in Limited Input Formats

Advanced JavaScript Injections

Quoteless Javascript Injections

DOM-based XSS – The 3 Sinks

Chrome XSS Auditor – SVG Bypass

The 7 Main XSS Cases Everyone Should Know

Compromising CMSes with XSS

Enjoy this blog? Please spread the word :)

XSS Cheat Sheet