Technical Analysis of "XSS without parentheses and semi-colons"
Overview:
PortSwigger's blog post explores innovative cross-site scripting (XSS) attack techniques that do not rely on typical JavaScript syntax elements like parentheses () and semi-colons ;. This research shifts the paradigm of XSS payload construction, aiming to evade modern security filters and Content Security Policies (CSP) that often detect malicious scripts based on common syntax patterns.
Key Technical Details:
- Context:
- Bypassing Filters: Traditional XSS payload construction heavily relies on
()for function calls and;to terminate statements. Security mechanisms often detect and block such patterns. The research demonstrates alternative methods that can elude these restrictions by eliminating these characters. -
Modern Application: The techniques discussed are crucial for targeting CSP-protected applications or sophisticated web application firewalls (WAFs) that default to blocking payloads containing typical JavaScript syntax.
-
Constructing Payloads Without
()and;: -
Inline Event Handlers: The blog explores using inline event handlers (e.g.,
onerror,onload) to execute JavaScript without needing()or;. This works because the handler functions invoke the code directly.html <img src="x" onerror="alert`XSS`"> -
Template Literals and Tagged Templates:
- Templates: Template literals (e.g., using backticks
`) allow multi-line strings and embedded expressions. This property can be harnessed to craft payloads that execute code without typical syntax markers. - Tagged Templates: More advanced usage includes tagged templates:
javascript alert`${location}`
- Templates: Template literals (e.g., using backticks
-
Global Object Methods:
- Global Object Aliases: JavaScript exposes global objects (e.g.,
window,document) whose methods can be invoked without direct function calls. For example:html <img src=1 onerror=location=`javas`+`cript:alert\`XSS\``
- Global Object Aliases: JavaScript exposes global objects (e.g.,
-
Property Injection:
- Object Properties: Accessing object properties using square brackets
[]sidesteps the need for parentheses:javascript window[`alert`]?.(`XSS`)
- Object Properties: Accessing object properties using square brackets
-
Surviving Content Security Policy (CSP):
-
CSP Bypass: The payloads are designed to work under restrictive CSPs by avoiding inline
eval()orscript-srcrules, typically enforced to mitigate XSS. The use of event attributes and external scripts in creative way help bypass CSP policy restrictions. -
Practical Examples:
-
Image Tag Exploit: Using the
onerrorattribute on an image tag provides a straightforward method to trigger payload execution:html <img src="nonexistent.jpg" onerror="console.log`XSS Detected`"> -
Document Location: Utilizing document location manipulation to create a script URI which doesn't require
(or):html <iframe src='javascript:alert`test`'></iframe>
Key Takeaways:
- Advanced XSS Payloads:
- Leveraging template literals and object property access can create viable XSS payloads without relying on
()or;. -
Utilizing inline event handlers and global object methods aids in avoiding traditional syntactical restrictions.
-
Evasion Techniques:
- These methods effectively circumvent modern server-side and client-side security controls, such as WAFs and CSPs that assume attacks rely on specific JavaScript syntax.
-
These payload constructs highlight the necessity for enhanced and updated security mechanisms to detect and mitigate newer attack vectors.
-
Practical Usage:
- The given payloads are easily adaptable to a variety of contexts where traditional payloads might fail. They are effective in scenarios where applications employ rigorous input sanitization techniques specifically tuned to block common JavaScript function calls and syntax markers.
Conclusion:
PortSwigger’s analysis is a critical reminder that XSS attacks are evolving and that relying solely on traditional syntax detection is no longer sufficient. As attackers develop more sophisticated methods, defensive measures must also advance, incorporating a broader understanding of JavaScript interpreters and novel attack techniques. Effective defense now requires a deeper examination of how scripts are constructed and executed in browsers, beyond superficial syntax checks.
For full details, refer to the original blog post here.