7

This is some vulnerable JavaScript code:

$(document).ready(function(){
    // Take the URL fragment (everything after '#') and undo %XX escapes.
    var payload = unescape(document.location.hash.substr(1));
    // A string starting with '<' is parsed as HTML by jQuery, so markup
    // in the fragment becomes real elements (and their event handlers fire).
    $(payload);
    document.body.innerText = "The payload is: " + payload;
});

When I tried exploiting it with this input

http://localhost/xss.html#<img src=x onerror=alert(0)>

it worked fine, popping up the alert. My case is slightly different: there's a little filter that prevents the exploit:

$(document).ready(function(){
    var payload = unescape(document.location.hash.substr(1));
    payload = payload.split('=')[0];  // <------- The new filter: keep only the text before the first '='
    $(payload);
    document.body.innerText = "The payload is: " + payload;
});

It truncates everything after the "=" character, which means I can't inject attributes. I already tried the following, but it did not work:

  • HTML encode the equal character (onerror&equal;alert())
  • <script>alert(0);</script>

Anyone have an idea what I can do to bypass this filter?

xorist
AlmightyGoat
  • Oh, sorry, I forgot to mention this: the payload works on Internet Explorer. IE does not have that auto URL-encoding feature. – AlmightyGoat Apr 08 '18 at 18:38

3 Answers

1

I think it is safe to say at this point that there is no trivial/text-book bypass for this filter using a modern browser. I shared this snippet of code with a group of friends and colleagues who I consider proficient in XSS and none of them could construct a bypass.

EdOverflow
-2

You can try the encoded equivalent of the character you are trying to input. Try using URL encoding on the payload portion of your input to bypass this filter.

For instance, you can URL encode "=" to %3D, or URL encode <img src=x onerror=alert(0)> to %3Cimg+src%3Dx+onerror%3Dalert%280%29%3E.

This will bypass the filter if it is expecting "=".

Alternatively, since it looks like you are running this on your localhost, use a proxy tool such as Burp Suite to intercept your requests/responses; you can then play around with different payloads to test for XSS.

xorist
  • The question contains the code of the filter: it will decode any URL-encoded payload. This bypass, quite useful in other cases, can't work here. – Benoit Esnard Sep 27 '18 at 14:08
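An added example (not code from the question or from any of the answers) that models the question's filter as a pure string function, so candidate payloads such as the one in the question and the URL-encoded one in the answer above can be checked offline in Node.js. It assumes the fragment is passed in as a string instead of being read from document.location.hash, that `unescape` is the same legacy global the page calls (Node still provides it), and that the jQuery step `$(payload)` can be approximated by asking whether the surviving string still carries an event-handler attribute, since that is what the page's payload relies on. The candidate inputs are constructed for this example.

```javascript
// Added example, not the question's or any answer's code.
// Assumptions: fragment supplied as a string; `unescape` is Node's legacy
// global; `$(payload)` is approximated by hasHandlerAttribute().

// The pipeline from the question: decode, then keep only the text before '='.
function filter(hashFragment) {
  const decoded = unescape(hashFragment);   // undoes %XX (and %uXXXX) escapes
  return decoded.split('=')[0];             // the "new filter"
}

// An event handler attribute (onerror, onload, ...) only gets a value if a
// literal '=' follows its name inside the tag. The HTML tokenizer does not
// decode '%3D' or '&equals;' in that position, so they cannot stand in for it.
function hasHandlerAttribute(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed inputs: each is what the filter receives after the '#'.
// Modern browsers percent-encode '<', '>' and spaces in location.hash but
// leave '=' alone; IE (per the comment on the question) passes the text raw.
const candidates = {
  rawIE:         '<img src=x onerror=alert(0)>',
  modernBrowser: '%3Cimg%20src=x%20onerror=alert(0)%3E',
  urlEncoded:    '%3Cimg+src%3Dx+onerror%3Dalert%280%29%3E',   // the -2 answer's payload
  htmlEntity:    '<img src=x onerror&equals;alert(0)>',
  doubleEncoded: '%3Cimg%20src%253Dx%20onerror%253Dalert(0)%3E',
};

// Run every candidate through the filter and record whether a handler
// attribute survives. Returns an object keyed by candidate name.
function evaluate(inputs) {
  const results = {};
  for (const [name, fragment] of Object.entries(inputs)) {
    const out = filter(fragment);
    results[name] = { out, handlerSurvives: hasHandlerAttribute(out) };
  }
  return results;
}

for (const [name, r] of Object.entries(evaluate(candidates))) {
  console.log(`${name.padEnd(14)} -> ${JSON.stringify(r.out)}  handler survives: ${r.handlerSurvives}`);
}
```

Running it shows why the percent-encoding suggestion fails here: `unescape` restores the `=` before the split, so `%3Cimg+src%3Dx+onerror%3Dalert%280%29%3E` is cut down to `<img+src` exactly like the raw payload. Double encoding (`%253D`) does survive the split, because only one level is decoded, but what reaches the HTML parser is `<img src%3Dx onerror%3Dalert(0)>`, where `onerror%3Dalert(0)` is just an attribute name with no value. None of the candidates keeps a handler, which matches the first answer's observation.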
-5

You should encode it. Something like this will work:

 eval(String.fromCharCode(/*list of codes of payload*/))

You need to split the payload into its characters and convert them one by one into ints. You can write a script for it.

Also, you might want to look at atob and btoa.