Reputation: 341
Execute JavaScript for XSS without script tags
I am learning about XSS (for ethical purposes), and I was wondering how to execute some JavaScript code without using <script> tags. This is within the
HTML tag:
"The search term" <p> *JavaScript here* </p> "returned no results"
For some reason, the script tags are not working.
Upvotes: 17
Views: 67575
Answers (5)
Reputation: 1
If you have a filtre for "script" word, you can try this:
<sscriptcript>alert('XSS');</sscriptcript>
If you want to try your skill, on tryhackme you have a room for XSS.
Upvotes: -1
Reputation: 1
If I not wrong, you ask about conducting an XSS attack without using script tag or html tag. In this case, and based on academic literature, I found the literature mentioned some potential ways for achieving that by exploiting the JavaScript files. 3rd party or external JavaScript files referenced by the web application for various functionalities, including user interactions, dynamic content, form validation. by compromising vulnerabilities within the application, the injected code can be executed whenever such files are fetched and loaded by the browser.
Upvotes: 0
Reputation: 382532
Another one was mentioned at: https://stackoverflow.com/a/53430230/895245
<a href="javascript:alert(1)">asdf</a>
Works on Chromium 81.
More important perhaps is the question of how to sanitize against it, see e.g.:
- How to prevent XSS with HTML/PHP?
- How to sanitize HTML code in Java to prevent XSS attacks?
- Is using jquery parseHTML to remove script tags enough to prevent XSS attacks?
Upvotes: 1
Reputation: 498
- Try putting in different types of strings with special characters and look if any of these get encoded or outputed. (I personaly use
'';!--"<XSS>=&{()}) - Now you have three options:
- Inside a HTML Tag: The
<>won't matter, because you are already inside a HTML Tag. You can look if this Tag supports Events and use some kind ofonload=alert(1)or other event. If<>is allowed, you can break out and create your own tag'><img src=0 onerror=alert(1)> - Outside of HTML Tag: the
<>are important. With these you can open a new Tag and the whole world is below your feet (or so...) - Inside Javascript: Well...if you can break out of a string with
'", then you can basically write';alert(1)
- Inside a HTML Tag: The
- Craft your XSS accordingly to your encoded characters and the surrounding of where the string get's outputed
<XSS> disappears entirely: the application uses some kind of strip_tags . If you are outside of a HTML Tag and no HTML Tags are whitelisted, I unfortunatly don't know any method to achieve an XSS.
Crafting your own payload
There are various methods to achieve this and too much to name them all. Look on these two sites, which have a lot of the methods and concept to construct your own. It comes down to: What the page allows to go through.
- https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator_.28short.29
- https://html5sec.org/
Upvotes: 17
Reputation: 6723
You can use the onclick attribute that is presented in HTML elements so you can create something like this:
"The search term" <p> <a href="" onclick="alert('I excuted JavaScript!');">Click me to see the JavaScript work!</a> </p> "returned no results"
Now when clicking on the element the JavaScript will be executed.
Upvotes: 8
Related Questions
- Loop (for each) over an array in JavaScript
- Which "href" value should I use for JavaScript links, "#" or "javascript:void(0)"?
- Where should I put <script> tags in HTML markup?
- How do I check for an empty/undefined/null string in JavaScript?
- What is JSONP, and why was it created?
- How do I test for an empty JavaScript object?
- Set a default parameter value for a JavaScript function
- What is the explanation for these bizarre JavaScript behaviours mentioned in the 'Wat' talk for CodeMash 2012?