The login page of this web application lets the user ID be pre-set on the login form through a query-string parameter. Let's take this example:
Request: login.asp?userid=EvilXSS
[...] <form> <input type="text" name="userid" value="<%= customXSSFilter(Request.QueryString("userid")) %>"> [...]
Closing the input tag isn't an option, as the angle bracket it needs is encoded by customXSSFilter(). Double quotes, however, aren't encoded, so we can close the value attribute without trouble and, for instance, add a style attribute running CSS expressions if the victim uses Internet Explorer below version 8. But the aim is a proof of concept that executes code in any browser.
Instead of a style attribute, we'll add an event handler attribute carrying the JavaScript payload. The onfocus event is supported on the input tag and needs very little user interaction for the browser to fire it. But what action can the payload perform, given that ( and ) are encoded and are needed to call almost any JavaScript method?
An action that doesn't require parentheses is redirecting the user with location.href = [destination]. But specifying a URL directly in the injected event (such as " onfocus="location.href='http://target') doesn't work as planned, since single quotes are also encoded.
The trick relies on a peculiarity of the input tag, which accepts an attribute named src (used when its type is button). Since we can add as many attributes as we want, we can finally inject the following payload into the login page:
Request: login.asp?userid=EvilXSS" src="http://malicious.website" onfocus="location.href=this.src
HTML result:
[...] <form> <input type="text" name="userid" value="EvilXSS" src="http://malicious.website" onfocus="location.href=this.src"> [...]
Moral: blacklists, especially home-made ones, are rubbish. Use only whitelists or libraries written by security professionals.
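To make the moral concrete, here is an added example (not code from the original post): a constructed stand-in for customXSSFilter() that encodes the same characters the post describes, placed next to a proper HTML attribute encoder, with a small parser check showing whether the post's payload escapes the value attribute. The filter model, helper names and markup are assumptions.

```python
import html
from html.parser import HTMLParser

# Hypothetical model of the post's customXSSFilter(): encodes < > ( ) and '
# but, as the post describes, leaves double quotes untouched.
def weak_filter(value: str) -> str:
    table = {"<": "&lt;", ">": "&gt;", "(": "&#40;", ")": "&#41;", "'": "&#39;"}
    return "".join(table.get(ch, ch) for ch in value)

# Correct attribute encoding: escape &, <, >, " and ' so that no value can
# terminate the attribute it is placed in (parentheses need no encoding here).
def attr_encode(value: str) -> str:
    return html.escape(value, quote=True)

# Server-side template from the post, reduced to the input element.
def render_login(userid: str, encoder) -> str:
    return '<form><input type="text" name="userid" value="%s"></form>' % encoder(userid)

# Collect the attributes the browser-side parser actually sees on the input tag.
class InputAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)  # values arrive already unescaped

def input_attributes(markup: str) -> dict:
    parser = InputAttrs()
    parser.feed(markup)
    return parser.attrs or {}

# Detection check: any attribute beyond the three the template defines means
# user input crossed the attribute boundary.
def has_injected_attributes(userid: str, encoder) -> bool:
    attrs = input_attributes(render_login(userid, encoder))
    return any(name not in ("type", "name", "value") for name in attrs)

# The payload from the post, used as test input.
PAYLOAD = 'EvilXSS" src="http://malicious.website" onfocus="location.href=this.src'

if __name__ == "__main__":
    print("weak filter injected:", has_injected_attributes(PAYLOAD, weak_filter))
    print("attr_encode injected:", has_injected_attributes(PAYLOAD, attr_encode))
```

With the proper encoder the whole payload ends up as the literal value of the userid field, which is exactly the behaviour the login page wanted.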
5 reactions
1 From Campbell Tyler - 24/05/2020, 11:37
So pleasing! https://www.facebook.com/pg/essayse...
2 From Kristina Roberts - 26/05/2020, 16:16
What a timely bit now! Thank you so much for such a great post.
How did you find numerous details? I like how that you arrange everything, as it is really easy
to read. In general, I will recommend this guide to everybody who is interested in that subject.
https://google.at/url?q=https://edu...
3 From Rivers Karen - 29/07/2020, 12:02
OMG, I feel like you simply undergo my mind! I use certainly never seen anyone believe an approach that matched mine in so
many components. https://xfreeslots.com/slot/88-luck... are actually generally also
fairly efficient at this, however. But the internet is as a result filled with useless text message, I registered instantly to certainly not miss out on any sort of
updates.
4 From Julian Knight - 29/07/2020, 16:53
The lot of resources you experienced to write this item
has to possess acquired been actually overpriced. That
is thus uncommon nowadays, to possess someone investigation the subject well
and provide it in a great reasonable means. I really via the just
individuals that perform this was actually https://xfreeslots.com/slot/buffalo... Now I possess the crawler even more opinion in the internet community.
5 From Garcia Warren - 01/03/2021, 23:20
I truly liked this article, you've reprinted. The previous time
I've read some thing alike good was using this particular post at https://images.google.fm/url?q=http...
Thank you for your deep knowledge of the topic and for sharing it with
people. The language of this article is amazing. Keep up the fantastic work!