Execute JavaScript for XSS without script tags
I am learning about XSS (for ethical purposes), and I was wondering how to execute some JavaScript code without using <script> tags. This is within the HTML tag:

"The search term" <p> *JavaScript here* </p> "returned no results"

For some reason, the script tags are not working.

Adsorbate answered 25/5, 2016 at 10:58
A short search on Google will show you this: Cross-site Scripting (XSS), XSS Filter Evasion Cheat Sheet and excess-xss.com. I guess this will be a good starting point. – Abduction
Thank you for those links, but they don't contain the solution to this. I think it has to do with the double quotes around the strings "The search term" and "returned no results", because in the absence of those quotes, the <script> tag works fine. – Adsorbate
I don't see any script tags here, nor an example where you prove your statement (one where JS is executed and one where it is not), nor in which context your snippet is used/evaluated. If this is plain HTML then it does not matter whether there are " around the text or not. – Abduction
  1. Try putting in different types of strings with special characters and look whether any of these get encoded or output as-is. (I personally use '';!--"<XSS>=&{()})
  2. Now you have three options:
    1. Inside an HTML tag: the <> won't matter, because you are already inside an HTML tag. You can check whether this tag supports events and use some kind of onload=alert(1) or another event. If <> is allowed, you can break out and create your own tag: '><img src=0 onerror=alert(1)>
    2. Outside of an HTML tag: the <> are important. With these you can open a new tag and the whole world is below your feet (or so...)
    3. Inside JavaScript: well... if you can break out of a string with ' or ", then you can basically write ';alert(1)
  3. Craft your XSS according to which characters get encoded and the surroundings of where the string gets output.

If <XSS> disappears entirely, the application uses some kind of strip_tags. If you are outside of an HTML tag and no HTML tags are whitelisted, I unfortunately don't know any method to achieve an XSS.

Crafting your own payload

There are various methods to achieve this, too many to name them all. Look at these two sites, which have a lot of the methods and concepts to construct your own. It comes down to: what the page allows to go through.

  1. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator_.28short.29
  2. https://html5sec.org/
Capillary answered 25/5, 2016 at 11:23
In the comments the OP said that those links don't answer the question. (html5sec was not on the list, but it contains the same/similar information.) – Abduction
@Abduction yeah... saw that later on, changed the answer to a simple how-to. And no... html5sec provides many more different tags, because a lot of filters don't filter the new HTML5 tags. – Capillary
Thank you for the detailed explanation. I tried your method (entering '';!--"<XSS>=&{()}), and all the characters are being displayed on the page, i.e., none are filtered out. When I click "Inspect Element", I see that this text is being displayed within 2 <strong> tags, which are inside <h2> tags, which are inside a <div>. I tried inserting <div onmouseover="alert(1)">hi</div> but it is just displaying normally, and when I inspect the text, I see that it is not being registered as HTML, it is just treated as a string. – Adsorbate
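The procedure in the answer above (send a probe, work out which output context it lands in, craft a payload for that context), as an added JavaScript example that is not part of the original answer. It simulates the three contexts the answer lists with three deliberately vulnerable template functions, shows one payload per context, and adds the fix the answer only hints at: encode the value for the context it lands in. The template functions, the payloads and the sandboxed alert() recorder are all constructed for this demo (a regex tag scan stands in for a browser's HTML parser); it runs under Node.js with no dependencies.

```javascript
// Added example, not code from the original answer. Three output contexts,
// one break-out payload each, and context-aware encoding that neutralizes them.

// The probe string from the answer: one of each character that matters somewhere.
const PROBE = `'';!--"<XSS>=&{()}`;

// Deliberately vulnerable templates: they paste untrusted input in raw.
const raw = {
  attribute: (q) => `<input type="text" value="${q}">`, // 1. inside a tag (attribute value)
  text:      (q) => `<h2><strong>${q}</strong></h2>`,    // 2. outside any tag (text node)
  script:    (q) => `var q = '${q}'; render(q);`,        // 3. inside a JavaScript string literal
};

// Context-aware encoders. Entity-encode for (1) and (2); \u-escape every
// non-alphanumeric for (3) so no quote, ';' or '<' can end the literal.
const encodeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' })[c]);
const encodeJsString = (s) => s.replace(/[^A-Za-z0-9]/g, (c) =>
  '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));

// Same templates, values encoded for the context they land in.
const safe = {
  attribute: (q) => raw.attribute(encodeHtml(q)),
  text:      (q) => raw.text(encodeHtml(q)),
  script:    (q) => raw.script(encodeJsString(q)),
};

// One constructed payload per context, matching the answer's three cases.
const PAYLOADS = {
  attribute: `"><img src=0 onerror=alert(1)>`, // close the attribute and the tag, open a new one
  text:      `<img src=0 onerror=alert(1)>`,   // no break-out needed, just a new tag
  script:    `';alert(1);//`,                  // end the string, add a statement, comment out the rest
};

// Rough stand-in for the browser's parser: which element names appear in the
// markup? Enough to show whether the payload created a new element.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Run the generated inline script with alert() recording its argument and
// render() standing in for the page's own code; report whether alert fired.
function alertFired(js) {
  const calls = [];
  new Function('alert', 'render', js)((x) => calls.push(x), () => {});
  return calls.length > 0;
}

// Run every context raw and encoded and collect the outcomes.
function demo() {
  return {
    rawAttribute:  tagNames(raw.attribute(PAYLOADS.attribute)),  // ['input', 'img']
    safeAttribute: tagNames(safe.attribute(PAYLOADS.attribute)), // ['input']
    rawText:       tagNames(raw.text(PAYLOADS.text)),            // ['h2', 'strong', 'img']
    safeText:      tagNames(safe.text(PAYLOADS.text)),           // ['h2', 'strong']
    rawScript:     alertFired(raw.script(PAYLOADS.script)),      // true
    safeScript:    alertFired(safe.script(PAYLOADS.script)),     // false
    probeEncoded:  encodeHtml(PROBE),
  };
}
```

The OP's observation in the last comment (the probe comes back unchanged, yet `<div onmouseover=...>` renders as text) matches the `safeText` case: the characters are present on the page but have been entity-encoded on output, so there is no tag to break out of and no event to attach to.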

You can use the onclick attribute that is present on HTML elements, so you can create something like this:

"The search term" <p> <a href="" onclick="alert('I executed JavaScript!');">Click me to see the JavaScript work!</a> </p> "returned no results"

Now when clicking on the element the JavaScript will be executed.

Elliott answered 25/5, 2016 at 11:19

Another one was mentioned at: https://mcmap.net/q/745168/-is-using-jquery-parsehtml-to-remove-script-tags-enough-to-prevent-xss-attacks

<a href="javascript:alert(1)">asdf</a>

Works on Chromium 81.

More important perhaps is the question of how to sanitize against it, see e.g.:

Plea answered 4/5, 2020 at 8:46
Any idea how to prevent such an attack? HTML encoding is not helping, because it doesn't contain any HTML. Any pointers? – Altruism
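The question in the comment above is the right one: entity-encoding protects the attribute boundary, but `<a href="javascript:alert(1)">` is a perfectly well-formed attribute whose value is the problem. The check that is missing is URL validation before the value ever reaches href or src. Below is an added example of that check in JavaScript; it is not code from the original answer or comment. The normalization mirrors what the WHATWG URL parser does before it reads the scheme (strip leading and trailing C0 controls and spaces, drop tab/CR/LF anywhere), which is what defeats the usual `java\tscript:` and leading-whitespace tricks; the scheme allowlist and the `#` fallback are this example's choices.

```javascript
// Added example, not from the original answer: allowlist URL schemes for
// href/src values. Validate the decoded value first, entity-encode second.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Normalize the way a browser's URL parser does before reading the scheme:
// strip leading/trailing C0 controls and spaces, drop tab/CR/LF anywhere.
function normalizeUrl(raw) {
  return raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\r\n]/g, '');
}

// Return the lowercased scheme, or null when the URL is relative (no scheme).
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Allow relative URLs and the allowlisted schemes; reject everything else,
// including javascript:, data: and vbscript:. Returns the normalized URL or null.
// Deliberately conservative: "host:8080/x" without a scheme is rejected too.
function safeHref(raw) {
  if (typeof raw !== 'string') return null;
  const url = normalizeUrl(raw);
  const scheme = schemeOf(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme) ? url : null;
}

// Entity-encode for a double-quoted attribute value or a text node.
const encodeAttr = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' })[c]);

// Render a link: validate the URL, then encode both the URL and the link text.
// A rejected URL falls back to a harmless fragment link instead of vanishing.
function renderLink(href, text) {
  const url = safeHref(href) ?? '#';
  return `<a href="${encodeAttr(url)}">${encodeAttr(text)}</a>`;
}
```

Order matters: if the value were encoded first, `java&Tab;script:` would arrive as `java&amp;Tab;script:` and never decode, but a value that was entity-decoded elsewhere (or stored decoded) must be checked in its decoded form, which is what `safeHref` sees here.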

If I am not wrong, you are asking about conducting an XSS attack without using a script tag or HTML tag. In this case, and based on academic literature, I found that the literature mentions some potential ways of achieving that by exploiting the JavaScript files: third-party or external JavaScript files referenced by the web application for various functionalities, including user interactions, dynamic content and form validation. By compromising vulnerabilities within the application, the injected code can be executed whenever such files are fetched and loaded by the browser.

Consultation answered 27/6, 2023 at 12:25
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Crankle

If you have a filter for the word "script", you can try this:

<sscriptcript>alert('XSS');</sscriptcript>

If you want to try your skills, there is a room for XSS on TryHackMe.

Evansville answered 13/7, 2023 at 13:38
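Why the nested payload in the answer above works, as an added JavaScript example that is not part of the original answer. The filter it assumes (a single-pass, case-insensitive removal of the word "script") is constructed for the demo; the point is that deleting a keyword once leaves the two halves free to re-form, that repeating the deletion until nothing changes only closes that one hole, and that encoding the context-changing characters is the fix that does not depend on a keyword list at all.

```javascript
// Added example, not from the original answer: a single-pass "script" blacklist,
// the nested payload that defeats it, an iterate-until-stable variant, and the
// encoding approach that makes the keyword list unnecessary.

// The kind of filter the answer assumes: remove every occurrence of "script" once.
// Removing the inner "script" from "sscriptcript" leaves "s" + "cript" = "script".
const naiveStrip = (s) => s.replace(/script/gi, '');

// Closing that hole: repeat until the string stops changing, so nesting cannot
// re-form the word. Still a blacklist; anything not on the list sails through.
function stripUntilStable(s) {
  let prev;
  do {
    prev = s;
    s = s.replace(/script/gi, '');
  } while (s !== prev);
  return s;
}

// The actual fix for text output: encode the characters that change parsing
// context instead of hunting for keywords. Any payload survives only as text.
const encodeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' })[c]);

// Constructed inputs: the answer's nested payload, and one with no keyword at all.
const NESTED = `<sscriptcript>alert('XSS');</sscriptcript>`;
const NO_KEYWORD = `<img src=0 onerror=alert(1)>`;

// Run a payload through all three treatments for side-by-side comparison.
function compare(payload) {
  return {
    naive: naiveStrip(payload),
    stable: stripUntilStable(payload),
    encoded: encodeHtml(payload),
  };
}
```

`compare(NESTED).naive` is exactly `<script>alert('XSS');</script>`; `compare(NO_KEYWORD).stable` is unchanged, which is the shortcoming of any keyword blacklist, while `encoded` renders as inert text in both cases.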
