This is an experiment I have done recently in order to identify and utilize attribute separators in constructing XSS vectors. The crafted vectors can be used in bypassing XSS filters on modern browsers. These characters can also be used in bypassing WAF XSS filters.
Background

An example of a common XSS vector is:

<img src=x onerror=alert(1)>
We will be using this vector as a baseline for the demonstration in this experiment.
An image is requested at `./x`. If the image does not exist or is invalid, the `onerror` event handler executes the JavaScript code as instructed. The space character (" ", 0x20) is what separates the attributes.

A typical XSS regular expression that blocks this example vector checks for whitespace.

This can be bypassed with the same vector by using the slash character ("/") as an attribute separator (a well-known payload):
<img/src="x"/onerror=alert(1)>
Fuzzing for Valid Attribute Separators in Modern Browsers

HTML is a very flexible language. Browser engines render contents in numerous structures. I have written a simple fuzzing script in JavaScript that renders all Unicode values as attribute separators in a browser.

Results

1. Carriage-Return ( 0x0D )
2. Line-Feed ( 0x0A )
3. Horizontal Tab ( 0x09 )
4. Form-Feed ( 0x0C )
These are in addition to the previously known characters: Space ( 0x20 ) and Slash ( 0x2F ).

Notes on Bypassing WAFs Using the Identified Attribute Separators

In general, WAF rule sets are strict on blocking certain inputs. By utilizing odd attribute separators, it's possible to bypass weakly written WAF rules. This is an aid to constructing a valid XSS vector; I do not expect a vanilla `<img(attribute-separator)src=x(attribute-separator)onerror=alert(1)>` to be a straight payload that bypasses a WAF rule set directly. Instead, tweaking the payload increases the chances of writing a valid vector that bypasses the WAF XSS filters.

Furthermore, I have previously demonstrated a number of payloads that utilize attribute separators implicitly to bypass the XSS filters of popular WAFs. You can read about my previous research at [Link]. The techniques were tested against ModSecurity CRS. The default installation blocks almost all variants; raising the Paranoia Level to 2 protects from the remaining payloads.
I would like to thank Dr. Christian Folini for testing it against ModSecurity CRS.
What to Do?

Penetration Testers
These characters can be used to craft better payloads to fuzz WAF XSS filters. Feel free to use them on your next WAF assessment.
Defenders
Consider the different HTML attribute separators when constructing filters; otherwise they can be used to bypass rule sets.
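As an added illustration of the Results list and of the advice to defenders above (this is my own example, not code from the original post or its fuzzer), the following JavaScript parses a start tag treating every separator identified above as an attribute boundary, and contrasts that with a rule keyed on the space character alone. Function names and the sample tags are my own; the parser follows the HTML tokenizer's behaviour only as far as attribute boundaries are concerned.

```javascript
// Whitespace separators from the fuzzing results above. CR works in a
// browser because the HTML input stream turns CR and CRLF into LF before
// tokenizing, so a filter that normalises input should do the same.
const WHITESPACE = new Set([' ', '\t', '\n', '\f', '\r']);

// Parse one start tag into [tagName, [{name, value}, ...]], or null.
// Attribute names end at whitespace, '/' or '='. Unquoted values end only
// at whitespace or '>', so a '/' inside an unquoted value is data rather
// than a separator (which is why the slash payload above quotes src="x").
function parseStartTag(tag) {
  const m = /^<([^\s\/>]+)([\s\S]*)>$/.exec(tag);
  if (!m) return null;
  const body = m[2];
  const attrs = [];
  const isSep = (c) => WHITESPACE.has(c) || c === '/';
  let i = 0;
  while (i < body.length) {
    while (i < body.length && isSep(body[i])) i++;
    let name = '';
    while (i < body.length && !isSep(body[i]) && body[i] !== '=') name += body[i++];
    if (name === '') { i++; continue; }            // stray '=' with no name
    let value = null;
    let j = i;
    while (j < body.length && WHITESPACE.has(body[j])) j++;
    if (body[j] === '=') {                          // "name = value" allowed
      j++;
      while (j < body.length && WHITESPACE.has(body[j])) j++;
      const q = body[j];
      value = '';
      if (q === '"' || q === "'") {
        j++;
        while (j < body.length && body[j] !== q) value += body[j++];
        j++;                                        // skip closing quote
      } else {
        while (j < body.length && !WHITESPACE.has(body[j])) value += body[j++];
      }
      i = j;
    }
    attrs.push({ name: name.toLowerCase(), value });
  }
  return [m[1].toLowerCase(), attrs];
}

// A space-only signature of the kind described above: it only fires when
// the separator is a literal space.
function spaceOnlyRuleFlags(input) {
  return /<img +[^>]*onerror *=/i.test(input);
}

// Parser-based check: flags any attribute whose name is an event handler.
function hasEventHandler(tag) {
  const parsed = parseStartTag(tag);
  return parsed !== null && parsed[1].some((a) => a.name.startsWith('on'));
}

// Constructed samples: the baseline vector with each identified separator.
const SAMPLES = [' ', '/', '\t', '\n', '\f', '\r'].map(
  (sep) => `<img${sep}src="x"${sep}onerror=alert(1)>`
);
```

The space-only rule flags only the first sample, while the parser-based check flags all six, because it decides on attribute names rather than on which character sits between them.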
-- I perform freelance penetration testing services, mainly focusing on web-application and infrastructure security. Feel free to contact me for a quote.