17

I am learning about XSS (for ethical purposes), and I was wondering how to execute some JavaScript code without using <script> tags. This is within the

HTML tag:

"The search term" <p> *JavaScript here* </p> "returned no results"

For some reason, the script tags are not working.

Improve this question
3
  • A short search on google will show you this: Cross-site Scripting (XSS), XSS Filter Evasion Cheat Sheet and excess-xss.com I guess this will be a good starting point. Commented May 25, 2016 at 11:01
  • Thank you for those links, but they don't contain the solution to this. I think it has to do with the double quotes around the strings "The search term" and "returned no results" , because in the absence of those quotes, the <script> tag works fine Commented May 25, 2016 at 11:03
  • I don't see any script tags here, nor example where you proof your statement (an example where js is executed and one where not), in which context your snipped is used/evaluated, ... . If this is plain html then the it does not matter if there are " around the text or not. Commented May 25, 2016 at 11:07

5 Answers 5

Reset to default
17
  1. Try putting in different types of strings with special characters and look if any of these get encoded or outputed. (I personaly use '';!--"<XSS>=&{()})
  2. Now you have three options:
    1. Inside a HTML Tag: The <> won't matter, because you are already inside a HTML Tag. You can look if this Tag supports Events and use some kind of onload=alert(1) or other event. If <> is allowed, you can break out and create your own tag '><img src=0 onerror=alert(1)>
    2. Outside of HTML Tag: the <> are important. With these you can open a new Tag and the whole world is below your feet (or so...)
    3. Inside Javascript: Well...if you can break out of a string with '", then you can basically write ';alert(1)
  3. Craft your XSS accordingly to your encoded characters and the surrounding of where the string get's outputed

<XSS> disappears entirely: the application uses some kind of strip_tags . If you are outside of a HTML Tag and no HTML Tags are whitelisted, I unfortunatly don't know any method to achieve an XSS.

Crafting your own payload

There are various methods to achieve this and too much to name them all. Look on these two sites, which have a lot of the methods and concept to construct your own. It comes down to: What the page allows to go through.

  1. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator_.28short.29
  2. https://html5sec.org/
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

In the comments the OP said that those links don't answer the question. (html5sec was not on the list, but it contains the same/similar information)
@t.niese yeah...saw that later on, changed to answer to a simple howto. And no...html5sec provides much more different tags, because a lot of filters don't filter the new html5 tags.
Thank you for the detailed explanation. I tried your method (entering "'';!--"<XSS>=&{()})"), and all the characters are being displayed on the page, ie, none are filtered out. When I click "Inspect Element", I see that this text is being displayed within 2 <strong> tags, which are inside <h2> tags, which are inside a <div>. I tried inserting <div onmouseover="alert(1)">hi</div> but it is just displaying normally, and when I inspect the text, I see that it is not being registered as HTML, it is just treated as a string.
8

You can use the onclick attribute that is presented in HTML elements so you can create something like this:

"The search term" <p> <a href="" onclick="alert('I excuted JavaScript!');">Click me to see the JavaScript work!</a> </p> "returned no results"

Now when clicking on the element the JavaScript will be executed.

Improve this answer

Comments

1

Another one was mentioned at: https://stackoverflow.com/a/53430230/895245

<a href="javascript:alert(1)">asdf</a>

Works on Chromium 81.

More important perhaps is the question of how to sanitize against it, see e.g.:

Improve this answer

1 Comment

any idea how to prevent such attack? HTML encoding is not helping, because it doesn't contain any html- any pointers?
0

If I not wrong, you ask about conducting an XSS attack without using script tag or html tag. In this case, and based on academic literature, I found the literature mentioned some potential ways for achieving that by exploiting the JavaScript files. 3rd party or external JavaScript files referenced by the web application for various functionalities, including user interactions, dynamic content, form validation. by compromising vulnerabilities within the application, the injected code can be executed whenever such files are fetched and loaded by the browser.

Improve this answer

1 Comment

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
-1

If you have a filtre for "script" word, you can try this:

<sscriptcript>alert('XSS');</sscriptcript>

If you want to try your skill, on tryhackme you have a room for XSS.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.