
Possible Duplicate:
New XSS cheatsheet?

Can anyone give me a list of ways to encode an XSS payload, or, to be precise, what are the ways to encode an XSS payload to bypass encoding of <> or ()? I know about the double encoding bypass with %253c and Unicode, but I want to know all methods available. Thanks

    I'm not 100% certain I understand the intent of your question. It sounds to me like you're trying to obtain a listing of potential ways to circumvent XSS protection. If this is not the case you should re-word your question to reflect your intent. This community is not here to provide ways to exploit. – Purge Jan 19 '12 at 19:06
  • My question is what type of encoding can be used to encode an XSS payload and fire up an XSS alert. I don't want to exploit anything; I just started learning about XSS, and I went over rsnake's XSS list and the new HTML5 XSS vectors. It's just that I want to know what encoding techniques are used to encode an XSS vector. If you could post a list of encoding techniques... Thanks – Danijel Maksimovic Maxa Jan 19 '12 at 19:21
  • See also: http://security.stackexchange.com/questions/164/new-xss-cheatsheet – bstpierre Jan 19 '12 at 19:57

2 Answers

2

I don't think it would be a wise idea to give how-to's on XSS attacks, though many resources exist, e.g. Ch. 12 of the WAHH on XSS.

The best way to prevent XSS attacks is to substitute every special character used in these attacks (e.g., <, >, &, ", ') with its HTML character equivalent (&lt;, &gt;, &amp;, &quot;, &#39;) for all user-provided text, and to only allow users to mark up their comments using a limited non-HTML markup language (like markdown) that only gets substituted into a safe subset of HTML at the last step of processing. (Also be careful that their comments never get executed in any sort of javascript processing you wrote.)

If you choose to ignore this and only sanitize specific tags (like <script>, <object>, javascript), check that the sanitation is being done recursively (so <scr<script>ipt> doesn't become <script> after a single-pass sanitation), is case/white-space insensitive, and only stops when the last complete sanitation attempt did not change the input. In python, something like:

import re

# Matches one tag whose contents (anywhere between the angle brackets) include
# a blacklisted word, case-insensitively.
TAG_PATTERN = re.compile(r'<[^>]*(script|object|meta|style)[^>]*>', re.IGNORECASE)


def sanitation_single_pass(user_input):
    # This is a very quick sample regex that could appear in a sanitation routine;
    # it is not meant to be inclusive of most XSS threats,
    # e.g. it doesn't prevent having javascript in links or img src, etc.
    return TAG_PATTERN.sub('', user_input)


def sanitation(user_input):
    # Re-run the single pass until a complete pass changes nothing, so that
    # removing one tag cannot leave a freshly assembled tag behind.
    processed_user_input = sanitation_single_pass(user_input)
    while processed_user_input != user_input:
        user_input = processed_user_input
        processed_user_input = sanitation_single_pass(user_input)
    return processed_user_input

Also pay attention to encoding issues: make sure you define a charset (<meta charset="utf-8"> at the top of your html templates) and that you force user input into this encoding before sanitization. Also try to recognize that some browsers will interpret things like java&#x0A;script as javascript (&#x0A; is a line break), etc.

dr jimbob
  • Fun note for the day: PHP's `strip_tags` method (which is what I normally use as part of my XSS cleaning) already does this recursive cleaning for you. Quite convenient, although it makes it easy to forget if you ever need to drop something else in instead. – Conor Mancone Aug 28 '17 at 12:16
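As an added example (my own code, not from the answer above; function names and the sample inputs are mine), this runs the nested-tag case through a naive single-pass literal filter, the fixed-point version, and plain entity encoding, and shows the entity normalization a defender needs before checking a URL scheme for the java&#x0A;script case:

```python
import html
import re

# Constructed sample inputs (not taken from the original post).
NESTED_TAG = 'Hello <scr<script>ipt>alert(1)</script> world'
OBFUSCATED_SCHEME = 'java&#x0A;script:alert(1)'

# Deliberately naive blacklist: removes only the literal <script> / </script>.
LITERAL_SCRIPT_TAG = re.compile(r'</?script>', re.IGNORECASE)


def strip_tags_once(user_input: str) -> str:
    """One blacklist pass; removing the inner tag can assemble a new one."""
    return LITERAL_SCRIPT_TAG.sub('', user_input)


def strip_tags_until_stable(user_input: str) -> str:
    """Repeat the pass until a full pass changes nothing (a fixed point)."""
    current = user_input
    while True:
        stripped = strip_tags_once(current)
        if stripped == current:
            return stripped
        current = stripped


def encode_for_html(user_input: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the text can
    never be parsed as markup no matter how the tags are nested or cased."""
    return html.escape(user_input, quote=True)


def normalize_entities(value: str) -> str:
    """Decode entities and drop ASCII control characters (tab, newline, CR),
    approximating what a browser does to a URL before reading its scheme."""
    decoded = html.unescape(value)
    return ''.join(ch for ch in decoded if ord(ch) >= 0x20).lower()
```

A scheme check that runs on the raw string never sees "javascript:" in the obfuscated sample, while the normalized form starts with it.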
0

XSS Cheat Sheet, never leave home without it - http://ha.ckers.org/xss.html

Though obviously this should be used to protect yourself and not for malicious intent. The community is here to teach and learn from each other methods of IT Security, not to provide unauthorized access methods.

doyler