Sunday, December 13, 2015

No Quotes At All

In this post, I will describe a rare variation of common reflection points. We all know and have seen reflection inside a JavaScript string literal and inside the value attribute of an <input> tag whose type attribute is set to hidden, i.e.,

<script>
var anyVariableName="reflection here"; // double quoted case
var anyVariableName='reflection here'; // single quoted case
</script>

and

<input type="hidden" value="reflection here"> // double quoted case
<input type='hidden' value='reflection here'> // single quoted case

In the wild, developers use either single (') or double (") quotes for JavaScript string literals, and the same holds true for <input> tag attributes. But how often do you see a reflection without any quotes at all in the wild (though, as per the W3C specification, unquoted attribute values are allowed)? I mean something like this ...

<script>
var anyVariableName=reflection here; // no quotes at all
</script>

and

<input type=hidden value=reflection here> // no quotes at all


I think it is a needle in a haystack. I found two real examples (one I am sharing here and one I can't) of such reflection without any quotes, so I thought it would be interesting to share. Please open the following URL (the GET parameter rp holds our harmless XSS probe string "xxxxxxxx'yyyyy</img"). The site NEWS.CN has an Alexa rank of 3573 at the time of writing.


The screen-shot shows the reflection of interest: the probe string ("xxxxxxxx'yyyyy</img") is reflected back as the value of the rp JavaScript variable, and the developers are not using any quotes around it.


So how do you XSS this case? It is very simple. Proof-of-concept XSS payloads like confirm(1), alert(1) and prompt(1) simply work. The URL at the time of XSS looks like the following, and the screen-shot is also given.



The same page has another reflection (without quotes) as part of an <input> tag's hidden value, shown in the following screen-shot.


It can be XSSed easily and in many ways. The URL at the time of XSS looks like the following, and the screen-shot is also given. The XSS payload starts with a space character (i.e., %20). Why? I leave this up to you to figure out. It's easy.



5 comments:

  1. This comment has been removed by the author.

  2. What's interesting in this?
    Developer must be expecting an integer number; that's why he didn't enclose your input in quotes :p

  3. Good to see that you (Rakesh) have identified the real reason. The developer was really expecting an integer but you know ... Never ever trust user-input :)

  4. I was just fascinated by your way of explaining XSS; even beginners can easily understand it. Can you please post sources of blogs like this so that it will be very helpful to beginners to start on XSS.
