From 370dc51e7a72902ee377d80f04fd76b2fa536d65 Mon Sep 17 00:00:00 2001 From: Jeymz Simmons Date: Wed, 7 Aug 2024 17:19:34 -0400 Subject: [PATCH] Update to include modern examples - Updated examples to use a href attribute instead of img src attribute since most modern browsers no longer support javascript evaluation within img src --- cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md b/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md index 9c9d5ff97e..e70fa934ac 100644 --- a/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md +++ b/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md @@ -58,7 +58,7 @@ This XSS method uses the relaxed rendering engine to create an XSS vector within If the system does not allow quotes of any kind, you can `eval()` a `fromCharCode` in JavaScript to create any XSS vector you need: ```html - +Click Me! ``` ### Default SRC Tag to Get Past Filters that Check SRC Domain @@ -100,7 +100,8 @@ This attack will bypass most SRC domain filters. Inserting JavaScript in an even Since XSS examples that use a `javascript:` directive inside an ` + + Click Me! ``` ### Decimal HTML Character References Without Trailing Semicolons @@ -108,7 +109,7 @@ Since XSS examples that use a `javascript:` directive inside an ` +Click Me ``` ### Hexadecimal HTML Character References Without Trailing Semicolons @@ -116,7 +117,7 @@ This is often effective in bypassing XSS filters that look for the string `&\#XX This attack is also viable against the filter for the string `$tmp\_string=\~ s/.\*\\&\#(\\d+);.\*/$1/;`, because it assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters: ```html - +Click Me ``` ### Embedded Tab @@ -125,7 +126,7 @@ This approach breaks up the XSS attack: ```html - + Click Me ``` 
@@ -134,7 +135,7 @@ This approach breaks up the XSS attack: This approach can also break up XSS: ```html - + Click Me ``` ### Embedded Newline to Break Up XSS @@ -142,7 +143,7 @@ This approach can also break up XSS: While some defenders claim that any of the chars 09-13 (decimal) will work for this attack, this is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. Examine the [ASCII table](https://man7.org/linux/man-pages/man7/ascii.7.html) for reference. The next four XSS attack examples illustrate this vector: ```html - +Click Me ``` #### Example 1: Break Up XSS Attack with Embedded Carriage Return @@ -150,7 +151,7 @@ While some defenders claim that any of the chars 09-13 (decimal) will work for t (Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.): ```html - +Click Me ``` #### Example 2: Break Up JavaScript Directive with Null @@ -166,7 +167,7 @@ perl -e 'print "";' > out This is useful if a filter's pattern match doesn't take into account spaces in the word `javascript:`, which is correct since that won't render, but makes the false assumption that you can't have a space between the quote and the `javascript:` keyword. The actual reality is you can have any char from 1-32 in decimal: ```html - +Click Me ``` #### Example 4: Non-alpha-non-digit XSS
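Review bot: In the hunk at @@ -58,7 +58,7 the link text of the replacement example is `Click Me!`, while the hunks at @@ -108, @@ -116, @@ -125, @@ -134, @@ -142, @@ -150 and @@ -166 use `Click Me` without the exclamation mark; pick one form for all nine examples. Separately, since the commit message moves these vectors from `img src` to `a href`, each `javascript:` payload now runs only when the user follows the link instead of when the page renders, and the unchanged sentence above this example ("to create any XSS vector you need") does not mention that; a short note after the example that the URL executes on click would keep the cheat sheet accurate for the new vector.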
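Review bot: In the hunk at @@ -100,7 +100,8 the unchanged sentence that introduces the example still begins "Since XSS examples that use a `javascript:` directive inside an `...", i.e. it still motivates the vector in terms of the `img`-based example the commit message says was replaced; reword it so it matches the anchor-based example that now follows. This is also the only hunk that grows by a line (7 to 8): the first `+` line appears to be empty, which leaves a blank line inside the ```html fence before `Click Me!`; drop it unless it is part of the payload.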
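Review bot: In the hunks at @@ -125,7 +126,7 and @@ -134,7 +135,7 the added example line is indented (`+ Click Me`), whereas the equivalents at @@ -108, @@ -116, @@ -142, @@ -150 and @@ -166 are flush left (`+Click Me`); these lines sit inside fenced code blocks, so the leading whitespace is rendered as part of the example, and it should be removed for consistency.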