#Learn365 - Day 1β£ 6β£
Can write single Exploit payload which can exploit both HTML and JS injection in this ?
Yes we can, they are POLYGLOT payloads.
A context sensitive injection payloads, a thread. π§΅π
#infosec #appsec #bugbountytips #security
Can write single Exploit payload which can exploit both HTML and JS injection in this ?
Yes we can, they are POLYGLOT payloads.
A context sensitive injection payloads, a thread. π§΅π
#infosec #appsec #bugbountytips #security
Polyglot payloads capable of executing in multiple contexts.
A simple Example:
Input is flowing through HTML and JavaScript contenxt both and HTML is executed first then JS.
If you design the payload with JS context, HTML parse would fail, and XSS wont execute.
A simple Example:
Input is flowing through HTML and JavaScript contenxt both and HTML is executed first then JS.
If you design the payload with JS context, HTML parse would fail, and XSS wont execute.
Which means you have to design your payload which can pass both the contexts and still execute.
In above case there are two contexts,
HTML
&
JS
First HTML context is executed.
Lets take a look at the payload now.
In above case there are two contexts,
HTML
&
JS
First HTML context is executed.
Lets take a look at the payload now.
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Complicated ?
Not really.
Lemme disect that for you in the next one.
Complicated ?
Not really.
Lemme disect that for you in the next one.
1. jaVasCript: - is URL scheme in HTML and label in JS
2. /*-/*`/*\`/*'/*"/**/ - Multi line comment in JS and literal in HTML
3. "/* */oNcliCk=alert() ) - execution in JS
4. //%0D%0A%0d%0a// - comment in JS, and CRLF in HTTP response header
2. /*-/*`/*\`/*'/*"/**/ - Multi line comment in JS and literal in HTML
3. "/* */oNcliCk=alert() ) - execution in JS
4. //%0D%0A%0d%0a// - comment in JS, and CRLF in HTTP response header
5. </stYle/</titLe/</teXtarEa/</scRipt/--!> - HTML tag breaking seq
6. \x3csVg/<sVg/oNloAd=alert()//>\x3e" - SVG element in HTML
6. \x3csVg/<sVg/oNloAd=alert()//>\x3e" - SVG element in HTML
HTML context would look like the one in below image.
MAKING HTML HAPPY.
MAKING HTML HAPPY.
JS context would look like.
MAKING JS HAPPY.
In the end, making both of them happy.
MAKING JS HAPPY.
In the end, making both of them happy.
This is just one single example of multi context single paylaod. There could be lot of other cases as well.
@0xSobky has perfectly jot that down in his blog on polyglots : github.com/0xsobky/HackVaβ¦
@0xSobky has perfectly jot that down in his blog on polyglots : github.com/0xsobky/HackVaβ¦
If you like the thread, consider retweeting it out :)
Also I am running #Learn365 to share security bits, if you want to stay updated, consider following @sec_r0
I soon may be landing a zine on Polyglots on SecurityZines, so stay tuned at getrevue.co/profile/securiβ¦
Also I am running #Learn365 to share security bits, if you want to stay updated, consider following @sec_r0
I soon may be landing a zine on Polyglots on SecurityZines, so stay tuned at getrevue.co/profile/securiβ¦
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
