9723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series XSS Filter Evasion Cheat Sheet Introduction This articleis foaused on previding application security testing professionals with a quide to assist in Cooss Site Scripting testing. The initial contents of this article were donated to OWASP by Snake, from his seminal XSS Cheat Sheet, which was at: http://ha.ckers.org/xss htm . That site now redirects to itsnew home here, where we plan to maintain and enhance it. The very frst OWASP Prevention Cheat Sheet, the Cross Site Scripting Prevention Cheat Sheet, was inspired by Snakes XSS Cheat Sheet, so we can thank RSnake for our inspiration. We wanted to create short, simple guidelines that developers could follow to prevent XSS, rather than simply telling developers to build apps that could pretect against all the fancy tricks specified in rather complex attack cheat ‘sheet, and so the OWASP Cheat Sheet Series was bom. Tests This cheat sheet lists a series of XSS attacks that can be used to bypass certain XSS defensive filters. Please note that input filtering is an incomplete defense for XSS which these tests can be used to illustrate. Basic XSS Test Without Filter Evasion This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not requiredin any modem browser so they are omitted here: XSS Locator (Polygot) The followingis @"polygct test XSS payload” This test will execute in multiple contexts including him script string js and URL. Thank you to Gareth Heyes for this contribution. javascript :/4--> No Quotes and no Semicolon Case Insensitive XSS Attack Vector HTML Entities “The semicolons are required for this to work: Grave Accent Obfuscation Ifyou need to use bath double and single quctes you can use a grave accent to encapsulate the JavaScript string - this is also useful because Icts of cross site scripting fiters dortt know about grave accents: Malformed A Tags Skip the HREF attribute and get to the mest of the XXS... Submitted by David Cross \~ Verified on Chrome \ Cf Chrome loves to replace missing quctes for you... if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script \xxs Link\ Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. html9723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series Malformed IMG Tags Originally found by Begeek (but cleaned up and shortened to work in alll browsers), this XSS vector Uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. | assume this was originally meant to correct sloppy coding. This ‘would make it sionficantly more difficult to correctly parse apart an HTML tags: "\> fromCharCode Ifnoquctes of any Kind are allowed youcan eval() @ fromcharCode in JavaScript to create any XSS vector youneed: Default SRC Tag to Get Past Filters that Check SRC Domain ‘This will bypass most SRC domain fiers. Inserting JavaScript in an event method will also apply to ‘any HTML tag type injection thet uses elements like Form, iframe, Input, Embed etc. Iwill also allow any relevant event for the tagtype to be substituted like onblur, onclick giving you an extensive amount of variations for many injections listed here. Submitted by David Cross . Edited by Abdullah Hussam(@Abdulahhusam). Default SRC Tag by Leaving it Empty Default SRC Tag by Leaving it out Entirely On Error Alert IMG onerror and JavaScript Alert Encode Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. htmlSS Filer Evasion - OWASP Cheat Sheet Series Decimal HTML Character References All of the XSS examples that use a javascript directive inside cf an Decimal HTML Character References Without Trailing Semicolons This is often effective in XSS that attempts to look for "&4£XX, since most people dor't know about padding - up to 7 numeric characters total. This is also useful against people who decode against strings lke Stmp_string =\~ s/*\&44\d#);4/81/; which incorrectly assumes a semicolon is required to terminatea HTML encoded string (Ive seen thisin the wild): Hexadecimal HTML Character References Without Trailing Semicolons This is also a viable XSS attack against the above string Stmp_string=\~ s/.*\84(\d);/81/ which assumes that there is a numeric character folowing the pound symbol - which is not true with hex HTML characters). ix ABIX61BAX7689X61 &PXT3BAX38AX72EMXGORHXTCBAXTALAXSABHKE 1PXOCRHXOSEAXT2EAXTAR Embedded Tab Used to break up the cross site scripting attack: jay ascript:alert('XSs') ;"> Embedded Carriage Retum to Break-up XSS (Nete: withthe above | am making these strings longer than they have to be because the zeros, could be omitted. Often Ive seen filers that assume the hex and dec encodinghas to be two or three characters. The teal rule is 1-7 characters): Null breaks up JavaScript Directive Null chars also work as XSS vectors but nct like above, you need to inject them directly using something like Burp Proxy r use 69 inthe URL string or if you want to write your awn injection tool you can either use vim (“v*e will produce a null) or the following program to generate itintoa text file. Okay, | led again, older versions of Opera (circa 7:11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char »6e is much mote useful and helpedme bypass certain real world fiters with a variation on this exemple’ perl -e ‘print “IMG SRC=java\@script:alert(\"XSs\")>";" > out Spaces and Meta Chars Before the JavaScript in Images for XSS This is useful ifthe pattem match doesrtt take into account spaces in the word javascript: ~ hich is correct since that wor't render and makes the false assumption that you can't havea space between the quote and the javascript: keyword, The actual reality isyou can have any cchar from 1-32 in decimal: Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. html9723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series Norralpha-nor-digit XSS The Firefox HTML parser assumes a non-alphe non-digt is not valid after an HTML keyword and thetefore considers itto be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example \ Based on the same idea as above, however.expanded on it, using Rnake fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here: Yair Amit brought this to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces. Extraneous Open Brackets Submitted by Franz Sedimaier this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing comparison of the tag inside, instead of amore efficient algorithm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the endhg extraneous bracket to suppress a JavaScript err: <alert ("XS") ;//\< No Closing Script Tags In Firefox and Netscape 8.1 in the Gecko rendering engine mode youdortt actuellyneed the \> portion of this Cross Site Scripting vector, Firefox assumes it's safe to close the HTML. tag and add closing tags for you. Hcw thoughtful! Unlike the next one, which doesrit effect Fitefox, this does not require any addtional HTML below it. You can add quctes if you need to, but they're not needed generally, although beware, | haveno idea what the HTML will end up looking like once thisis injected: Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. html9723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series and you want tojinject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by ‘escaping their escape character. When this gets injected it willread var a="\\\\" alert(’X88!);://" which ends up un-escaping the double quote and causing the Cross Site Scripting vector tofire, The XSS locator uses this method : Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. html 1829723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series \tralert(xss");// {An altemative, correct JSON or JaveScript escaping has been applied to the embedded data but not HTML encoding. isto finish the script block and start your own: End Title Tag This is a simple XSS vector that closes INPUT Image BODY Image IMG Dynsrce IMG Lowsrce List-styleimage Fairly esotericissue dealing with embedding images for bulleted lists. This will only workin the IE rendering engine because of the JavaScript directive. Nct a particularly useful cross site scripting vector:

VBscript in an Image Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. html9723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series Livescript (older versions of Netscape only) SVG Object Tag
STYLE sheet Remate style sheet Using something as simple as a remcte style sheet you can include your XSSas the style Parameter can be tedefined using an embedded expression. This only works in IE and Netscape 8.1+ in IErendering engine made. Notice that there is nathing on the page to shaw that thereis included JavaScript. Note: With all of these remote style sheet examples they use the body tag, £0 itwor't work unless there is some content on the page other than the vector itself so you'll need to add a single letter to the page to make it work if i an otherwise blank page: Remate style sheet part 2 This works the same as above, but uses @ taQif thete is HTML immediately after the vector to close it. Thisis useful if you cannct have ether an equals sign or a slash in your cross site scripting attack, which has come up at least oncein the real world Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. html 41829723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series Remate style sheet part 3 This only works in Opera 8.0 (no longer in 9.x) but is faint tricky. According to RFC2616 setting a link header isnot part of the HTTP1.1 spec, however some browsers stil allow it (ike Firefox and Opera). The trick here is that | am setting a header (which is basically no different than in the HTTP header saying Link: ; REL=stylesheet ) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is nct supported in FireFox ; RELestylesheet"> Remate style sheet part 4 This only works in Gecko rendering engines and warks by binding an XUL file to the parent page. think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites: STYLE Tags with Broken-up JavaScript for XSS. This XSS at times sends IE into an infnite loop of alerts: ‘STYLE Attribute using a Comment to Break-up Expression Created ty Roman vanov IMG STYLE with Expression This is really @ hybrid of the above XSS vectors, but it really does show haw hard STYLE tags can be to parse apart, ike above this can send IE into a loop: exp/# STYLE Tag (Older versions of Netscape only) Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. html 91829723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series STYLE Tag using Backgroundimage STYLE Tag using Background Anonymous HTML with STYLE Attribute 1E6 0 and Netscape 8.1+ in IE rendering engine mode dort really care if the HTML tag you build exists or nct, as long as it starts with an open angle bracket and a letter Local htc File This is alittle different than the above two cross ite scripting vectors because it uses an hte file ‘Which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and runningit as part ofthe style attribute: US-ASCII Encoding US-ASAII encoding (found ty Kurt Huwig).This uses matformed ASCII encoding with 7 bits instead of 8. This XSSmay bypass many content filters but only works if the host transmits in US-ASCH encoding or if you set the encoding yourseff. This is more useful against web application firewall cross site scripting evasion than itis server side filter evasion. Apache Tomcatiis the only kncwn server that transmits in US-ASCIl encoding. ‘scripttalert (¢xsse)4/scripts META Intps:i/cheatshectsories.owasp.orgicheatsheetsiXSS_Fier_Evasion_Cheat_ Sheet. html 161829723122, 101 AM XSS Fier Evasion - OWASP Cheat Sheet Series ‘The odd thing about meta refresh is that it doesrtt send a referrerin the header- so it can beused for certain types of attacks where you need to get rid of referring URLs: META using Data Directive URL scheme, This is nice because it also doesn't have anything visibly that has the word ‘SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 formore details or go here or here to encode your own. You can also use the XSS calculator below if you just want to encoderaw HTML or JavaScript as it has @ Base64 encoding method: META with Additional URL Parameter If the target website attempts to see if the URL contains ; atthe beginning you can evade it with the following technique (Submitted by Moritz Naumann} IFRAME. If iframes are allowed there area lot of other XSS problems as well: IFRAME Event Based IFrames and most cther elements can use event based mayhem like the following... (Submitted by: David Cross)