4

Is it possible to construct a XSS payload without the use of these chars - &<>"=()? The server is not doing any output encoding.

Consider both the cases where the user input is being put into 1. attribute value, 2. HTML body.

Arka
  • OWASP XSS Evasion Cheat Sheet is your friend - https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet – iainpb Nov 08 '17 at 09:12
  • if you could insert `()` you could use http://www.jsfuck.com/ to write the XSS you want and it will be converted to only these symbols: `()+[]!` – Ben.S Sep 16 '22 at 12:03

2 Answers

5

Generally, no. At least not without preconditions (some of which @tim has outlined), because:

  • You can only escape from an attribute value by introducing the matching quote. (I assume you're referring to a double-quoted attribute, so a payload without " doesn't get you beyond the attribute value. Obviously, you could escape from a single-quoted attribute because ' isn't blacklisted, or from an unquoted one by using a space.)

  • In the data state (outside of any tags) you can only achieve XSS by introducing new tags. Everything else is just treated as data. So if < is blacklisted, you're out of luck.

Arminius
5

@Arminius covered it pretty well. But there are exceptions depending on the HTML attribute. Here are just two examples (others exist, mostly related to URLs, but onX and some other attributes are also special cases; additionally, with the use of JS frameworks script gadgets may also be used).

href attribute:

// user-supplied link:
<a href="[user_input]">click</a>

attack:

javascript:alert`1`

meta attribute:

// user-supplied link for redirect:
<meta http-equiv="refresh" content="0;url=[user_input]">

attack:

data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
tim
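An added example, my own code rather than anything from the question or either answer, showing why the character blacklist in the question is the wrong control for URL-taking attributes and what a defender checks instead: the two payloads quoted above pass the blacklist but fail a scheme allow-list, while a benign query string does the opposite. Function names are my own; the benign link is constructed.

```javascript
// Added example, not code from the question or answers. Function names are
// my own; the sample inputs reuse the two payloads quoted in the answer above.

// The filter the question describes: reject any of the characters &<>"=()
const BLACKLIST = /[&<>"=()]/;
function passesBlacklist(input) {
  return !BLACKLIST.test(input);
}

// Context-aware check for values that land in URL-taking attributes
// (href, src, the url= part of a meta refresh): allow only http(s) or
// relative URLs, after stripping the tab/newline/control characters that
// browsers drop while parsing a URL, so "java\tscript:" is not missed.
function isSafeUrl(input) {
  const cleaned = input
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  if (m === null) return true; // no scheme: relative to the current origin
  const scheme = m[1].toLowerCase();
  return scheme === 'http' || scheme === 'https';
}

// Output encoding for a double-quoted attribute or the HTML body, which the
// question says the server is not doing. The same entities cover both
// contexts from the question, but encoding does not make a javascript: URL
// harmless in href, hence the scheme check above.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Run each sample through both checks and report the verdicts side by side.
function classify(inputs) {
  return inputs.map((v) => ({
    value: v,
    passesBlacklist: passesBlacklist(v),
    isSafeUrl: isSafeUrl(v),
  }));
}

const SAMPLES = [
  'javascript:alert`1`', // href payload from the answer above
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg', // meta refresh payload
  'https://example.com/?a=1&b=2', // constructed benign link with a query string
];

console.log(JSON.stringify(classify(SAMPLES), null, 2));
```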