Cross Site Scripting - Level 03 | Frozen Flame

You can't end it!

Hello thirsty learners! Welcome back to the Cross Site Scripting attacking session. As you can see, today's blog's heading is "You can't CLOSE it." Well, let's talk about an interesting thing about Cross Site Scripting. But before we start, I want to say that I am trying to make a series on XSS, and if you haven't read the previous blogs, you may not understand what I am doing here right now. So please read the first 3 blogs (levels 0-2) and then come back to this one.

Well, in the level 1 blog, I said, "close it and then exploit". But what if you can't close the tag? Have you ever thought about that? Let's learn more today. Well, in JavaScript there is a thing called an event handler. I am not going to describe it in detail, as there are some awesome sites for understanding these things. But if you want to learn about it, you may go through these blogs,

In short, an event handler decides what is going to happen on a certain event. For example, a user submits a form and you want to show a pop-up when he clicks the submit button. This is done by an event handler. So I suggest you read the blogs I mentioned above. If you already know this and have gone through the blogs, you will have understood what an event handler is. So let's proceed to the exploitation.

Exploitation ::

Well, while I was doing the attack, I found my payload in an input tag's value, just like this,

<input type="text" name="query" value="testingxss">

So I tried to close the tag using "> but the greater-than sign was getting sanitized by the website, like this,

<input type="text" name="query" value="testingxss""&gt;>

As we are noobs and don't yet know about bypassing filters by encoding the filtered characters, we can't bypass it through encoding. Or can we?? Let's at least have a try. Look at the filtered string again: " wasn't getting filtered. That means we still have a chance to do a successful Cross Site Scripting attack. But as we can't create any tag, let's use an event handler (discussed in the first part of this blog).

List of some event handlers ::

  • FSCommand (attacker can use this when executed from within an embedded Flash object) 
  • onAbort (when user aborts the loading of an image) 
  • onActivate (when object is set as the active element) 
  • onAfterPrint (activates after user prints or previews print job) 
  • onAfterUpdate (activates on data object after updating data in the source object)
  • onBeforeActivate (fires before the object is set as the active element)
  • onBeforeCopy (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function) 
  • onBeforeCut (attacker executes the attack string right before a selection is cut) 
  • onBeforeDeactivate (fires right after the activeElement is changed from the current object) 
  • onBeforeEditFocus (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected) 
  • onBeforePaste (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function) 
  • onBeforePrint (user would need to be tricked into printing or attacker could use the print or execCommand("Print") function). 
  • onBeforeUnload (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent) 
  • onBeforeUpdate (activates on data object before updating data in the source object) 
  • onBegin (the onbegin event fires immediately when the element's timeline begins) 
  • onBlur (in the case where another popup is loaded and window loses focus) 
  • onBounce (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window) 
  • onCellChange (fires when data changes in the data provider) 
  • onChange (select, text, or TEXTAREA field loses focus and its value has been modified) 
  • onClick (someone clicks on a form) 
  • onContextMenu (user would need to right click on attack area) 
  • onControlSelect (fires when the user is about to make a control selection of the object) 
  • onCopy (user needs to copy something or it can be exploited using the execCommand("Copy") command) 
  • onCut (user needs to cut something or it can be exploited using the execCommand("Cut") command) 
  • onDataAvailable (user would need to change data in an element, or attacker could perform the same function) 
  • onDataSetChanged (fires when the data set exposed by a data source object changes) 
  • onDataSetComplete (fires to indicate that all data is available from the data source object) 
  • onDblClick (user double-clicks a form element or a link) 
  • onDeactivate (fires when the activeElement is changed from the current object to another object in the parent document) 
There are lots of event handlers in JavaScript. You need to choose the right one for a successful attack. For example, you can't use onload in place of onsubmit or onerror; each handler only fires on its own event. So you have to have a clear concept of JavaScript's event handlers. You can check this for a better understanding of event handlers. 

Ok. Let's come back to the exploited site again. Part of our input was getting filtered ( > ).

<input type="text" name="query" value="testingxss""&gt;>

So in this case, we will simply close the value attribute with this ( " ). After that, we will use our event handler. In this case, we can use the onmouseover event handler. 
  • onmouseover (fires when the user puts his mouse on the particular text or some random thing, such as an image, link etc.)

How to use it ??

First we will close the value attribute with this ( " ). Then I will create another attribute named after our event handler ( onmouseover ). And then we will set the attribute to alert(1). And we are ready to launch.

Query ::

testingxss" onmouseover="alert(1)

We don't need to close the onmouseover attribute, as the double quote that originally closed the value attribute now sits right after our payload and completes the query for us. So our source code will look like this,

<input type="text" name="query" value="testingxss" onmouseover="alert(1)">
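As an added example (not part of the original post), here is a small JavaScript check that rebuilds the input tag from this post with two encoders: the weak one the site used, which only turns > into &gt;, and a proper HTML-attribute encoder that also escapes the double quote. It lists the attribute names a browser would see, so you can confirm that the fix is to encode the quote, not just the angle bracket; attributeNames is a simplified parser written here for this tag shape, not a general HTML parser.

```javascript
// The weak filter described in the post: only ">" becomes "&gt;",
// double quotes pass through untouched.
function weakSanitize(value) {
  return value.replace(/>/g, "&gt;");
}

// Proper encoding for an HTML attribute value: &, <, >, " and ' are all
// escaped, so user input can never terminate the quoted attribute.
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Rebuild the tag from the post with the chosen encoder.
function renderInput(value, encoder) {
  return `<input type="text" name="query" value="${encoder(value)}">`;
}

// Simplified attribute lister for one tag (assumption: a single start tag
// with quoted or unquoted attributes). Returns lower-cased attribute names.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/\/?>$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the input managed to add an attribute the template never had.
function injectsAttribute(value, encoder) {
  const expected = ["type", "name", "value"];
  return attributeNames(renderInput(value, encoder)).some((n) => !expected.includes(n));
}

// The post's query, reused as constructed sample input.
const payload = 'testingxss" onmouseover="alert(1)';

console.log(renderInput(payload, weakSanitize));           // extra onmouseover attribute
console.log(renderInput(payload, encodeForHtmlAttribute)); // quote stays inside value
```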

Now go to the main page and put your mouse on the testingxss text, and you will see a pop-up box. And if you are an Android user just like me, touch the text.

And, another successful attack. 👻