Update: You can get the tutorial in PDF format here: 01-04-15_XSS_Tutorial_Korznikov_Alexander.pdf
This is part 3 of XSS in Real World tutorial.
Part 2 of XSS in Real World tutorial
Part 1 of XSS in Real World tutorial
The interesting thing is that this type of injection can be found on popular websites.
Even if tags and the equals character are sanitized, XSS is still possible.
We have the URL: "http://www.example.com/?id=1&style=blue"
1. Parameter "id" is handled by server-side logic, checking for INTEGER.
If we pass the string 'blue (with a single quote) to the parameter "style", the original context
var site.style = 'blue'
becomes: var site.style = ''blue'
'' blue ' //unclosed string
If the ID parameter is handled client-side and reflected in this context:
var site.id = 1
the injected payload "id=1'trash" will look like:
var site.id = 1'trash
That will also throw a SyntaxError exception.
If our payload looks like "style=blue\", the result is:
var site.style = 'blue\'
So we can develop a noninvasive XSS locator:
single quote / double quote / space / greater sign / string / backslash
Some examples of what this locator will break (assuming no filtering):
HTML code break:
RED: rendered as tags / BLUE: printed to the screen
<a href="http://example.com/?id=1&style='" >trash\" style="blablabla">
RED: syntax errors
var a = "blue'" >trash\'
var a = 'blue'" >trash\'
Sometimes the website logic will escape the ' or " characters, so try adding \'\" >trash\ to our locator; as a result you may see:
var a = 'blue\\'\\" >trash\
The input \' becomes \\' in the output: our backslash is escaped, but the quotation mark is rendered as-is.
For example, we can use: 'ale'+'rt', or 'a' - 'b', or 'a' * 'b'. Google for more info :)
var a = 'blue'
var a = 'blue' - alert('xss') - '' //alert() will be executed
var b = ['red','blue',alert('xss'),'']
var c = func('blue'+alert(/xss/))//) //after "//" the rest of the line is commented out
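The JavaScript-string and HTML-context breaks above come down to one question for the defender: does the value the server writes between the quotes still parse as a single string literal, and does it still carry the same text? The block below is an added example (not code from the tutorial or from any site it mentions). It implements the "escape the quotes only" behaviour the tutorial observes on the target site (naiveEscape, a hypothetical name) beside a context-aware escaper that \uXXXX-encodes everything outside a small allow-list (jsStringEscape, also hypothetical), and a checkEmbedding helper that builds the same `var style = '...'` line as the tutorial, parses it with `new Function`, and reports whether it parsed and whether the value round-trips. The locator string and the backslash-before-quote input are taken from the tutorial; the other sample inputs are constructed.

```javascript
// Added example: comparing two ways of embedding untrusted text in a JS string literal.
// Names (naiveEscape, jsStringEscape, checkEmbedding, buildAssignment) are hypothetical.

// Naive approach: prefix ' and " with a backslash and leave everything else alone.
// This matches what the tutorial observes: input \' becomes \\' in the page source.
function naiveEscape(value) {
  return String(value).replace(/['"]/g, (ch) => "\\" + ch);
}

// Context-aware approach: every character outside a conservative allow-list is
// emitted as a \uXXXX escape. Backslashes, quotes, <, >, / and newlines can then
// never close the literal, and </script> cannot be formed inside a script block.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Build the kind of line the tutorial shows (a plain identifier is used so the
// line is valid JS on its own): var style = '<escaped value>';
function buildAssignment(escaper, value) {
  return "var style = '" + escaper(value) + "';";
}

// Defender's check: does the generated line parse as a single string, and does
// the value survive unchanged? `return style;` goes on its own line so a // in
// the input cannot hide it (that would mask an injection as a parse failure).
// Returns { parses, roundTrip } or { parses: false, error }.
function checkEmbedding(escaper, value) {
  const src = buildAssignment(escaper, value) + "\nreturn style;";
  try {
    const out = new Function(src)();
    return { parses: true, roundTrip: out === String(value) };
  } catch (e) {
    return { parses: false, error: e.constructor.name };
  }
}

// Constructed sample inputs: the tutorial's locator, a trailing backslash,
// the backslash-before-quote case, and a script-closing tag.
const SAMPLES = ["blue", "blue\\", "'\">trash\\", "\\'+1//", "</script><b>x</b>"];

for (const v of SAMPLES) {
  console.log(JSON.stringify(v),
    "naive:", JSON.stringify(checkEmbedding(naiveEscape, v)),
    "escaped:", JSON.stringify(checkEmbedding(jsStringEscape, v)));
}
```

The interesting row is `\'+1//`: with the naive escaper it parses without error, so no SyntaxError shows up in the console, yet the value that comes back is not the input, which is exactly the silent code execution the tutorial describes. A test that only looks for exceptions misses it; a round-trip check catches it.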
Our second target will be www.nbcunicareers.com, XSS report date: 28/06/2014
To make our life easier we will need the FireBug and HackBar Firefox add-ons.
Entering our XSS locator ('">trash\) into the website's "Find Jobs" input field:
Got us to this URL:
and as response we will get:
As you can see in FireBug's output, an exception was thrown: SyntaxError: missing } after property list.
As you can see, the code is broken on lines 570 and 577:
After the server-side logic, our XSS locator looks like: '">trash\
So the " and > characters are converted to the HTML entities &quot; and &gt; respectively.
Let's test for other useful characters () and enter this payload: '-a()-
pwned again :)
That’s all folks!
Like & Share :)