All geek questions in one place

Alternative for defining inline javascript expressions

I am studying web application security penetration testing. The scenario is that in a test environment, a demo web application designed for practice, there is a vulnerability in cross-site scripting. I have an xss payload that is based on javascript:

<div style="width: expression(alert(/XSS/))"></div>

I know that expressions are not recommended with IE 8. It works fine in IE7. So, when I introduced the above payload, the web application returns with

 <div></div>

Resets all other attributes and values. But when I change the payload like

 <div style="width: expression'(alert(/XSS/))'">

An invalid payload means that it will not be executed. So, I am trying to find out if there is an alternative for defining an expression in a style attribute in a string, for example, if we can place something other than single_quote that does not break the code. Or, if there is any other way to execute javascript through a style attribute.

+6
source share
1 answer

expression() is the only way to dynamically specify html node attributes. It takes any valid JScript expression as an argument. So technically there is no way to execute javascript through the style attribute on the html node (JScript! == javascript).

The reason this feature does not exist (or is deprecated) is because it creates a rather large security vulnerability. If you want to have dynamic html elements, you can solve this with css, in particular through multimedia queries . But if you want to go this route, try checking the expression() documentation.

In javascript (JScript also), () calls a function. So, tossing ' or " after the name of an expression before calling it is not valid syntax. Perhaps you can add something else besides "single_quote" which will not break the code, but you will not put it before () . Try to find the JScript syntax. Here is one last resource that might help.

+3
source

Source: https://habr.com/ru/post/980152/

More articles:


All Articles