Reflected XSS on JSON, AJAX, XML based web apps

Welcome back my fellow XSSers. Today we will perform XSS on JSON, AJAX and XML based applications. But before we start injecting payloads, let's take a quick look at XML, JSON and AJAX.

XML

eXtensible Markup Language (XML) is used to keep data in a separate file (an .xml file) instead of in the HTML webpage itself.

JSON

JavaScript Object Notation (JSON) is used to organize input submitted by a user and to transmit data between a server and a web application.

AJAX

Asynchronous JavaScript And XML (AJAX) is a technique which allows a webpage to send data to and receive data from the server without reloading the page.

Cross Site Scripting in JSON

This is a webpage which uses JSON. How do I know? Well, its source code clearly says so.

So the HTML takes input from the search box and then a JSON script gets executed which processes the input. This line of code is our area of interest because it is where the input fetched from the HTML ends up:

var JSONResponseString = '{"movies":[{"response":"HINT: our master really loves Marvel movies "}]}';

Take a look at the braces and brackets in that line (marked in red in the screenshot). They are the JSON object and array delimiters, used to arrange data. Our input goes straight into these arrays. Moreover, all of this is happening inside a <script> tag.

So there can be 3 (or more) different payloads:

"}]}';</script><script>alert('You got XSSed')</script>

It closes the arrays using "}]}'; and closes the <script> using </script>. After that it executes our script.

</script><script>alert('You got XSSed')</script>

It just closes the <script> tag and executes our script.

"}]}';alert('You got XSSed')</script>

This one is really cool. It just closes the arrays and injects our script without using any <script> tag to start the script, because we are already inside a <script> so we don't need to start it 😉
All these three payloads will give the same result.
So we just played with arrays and closed tags to get our desired result.
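The three payloads above work because the reflected value is pasted raw into a string literal inside a <script> element. The following is an added example, not code from the original post: it rebuilds that vulnerable template, shows the hardened way to serialise the response (JSON.stringify plus \uXXXX escapes for <, >, & and the JS line terminators), and includes a small check a defender can run over the emitted HTML. Function names, the HTML templates and the inputs are constructed for this example.

```javascript
// Added example (not from the original post): why the page's JSON-inside-<script>
// pattern breaks, and how to serialise the response so the breakout payloads
// above become inert. Runs under Node.js; the HTML templates are constructed here.

// Vulnerable pattern from the post: user input is concatenated straight into a
// JSON string that lives inside a JavaScript string literal inside <script>.
function naiveInline(userInput) {
  return "<script>var JSONResponseString = '{\"movies\":[{\"response\":\"HINT: "
    + userInput + "\"}]}';</script>";
}

// Hardened version: build the data as an object, let JSON.stringify handle the
// quotes and backslashes, then escape the characters that are still dangerous
// inside a <script> element (<, >, & and the JS line terminators U+2028/U+2029)
// as JSON \uXXXX escapes. The result is valid JSON and a valid JS literal, so it
// can be emitted directly as an object literal instead of a quoted string.
function toScriptSafeJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, function (c) {
    return "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

function safeInline(userInput) {
  var data = { movies: [{ response: "HINT: " + userInput }] };
  return "<script>var JSONResponse = " + toScriptSafeJson(data) + ";</script>";
}

// Defender's check over the emitted HTML: inside the inline script there must be
// no further "<script", and the first "</script>" must be the closing tag at the
// very end. Anything else means the reflected data broke out of the literal.
function scriptBreakout(html) {
  var body = html.slice("<script>".length);
  var end = body.indexOf("</script>");
  return body.indexOf("<script") !== -1 || end !== body.length - "</script>".length;
}

// Usage with the three payloads from the post (constructed inputs):
// naive template -> true (breakout), hardened template -> false.
var payloads = [
  "\"}]}';</script><script>alert('You got XSSed')</script>",
  "</script><script>alert('You got XSSed')</script>",
  "\"}]}';alert('You got XSSed')</script>"
];
payloads.forEach(function (p) {
  console.log(scriptBreakout(naiveInline(p)), scriptBreakout(safeInline(p)));
});
```

The same rule applies to the AJAX and XML cases later on: encode for the context the data finally lands in (HTML body, attribute, or script), not just for the transport format.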

Cross Site Scripting in AJAX

Well, web pages that use AJAX are a little different because they show the search results as you type your query in the search box, without reloading the page.


As you can see, I entered the word "input" and it got reflected, i.e. displayed. AJAX is being used here, so the results are displayed without reloading the page. Well, the quickest way to check for XSS in AJAX based web apps is to try to render the content with tags like <s> (strikethrough), <b> (bold), <i> (italic), etc. So I will be doing the same.

Damn! It worked! Now let's try the following string:

<s>This</s> <b>is</b> <i>vulnerable</i> <u>to</u> <font color=red>XSS</font>

Huh? We can render the output in any way we want to.
Now I will use the <b> tag to generate a link that points to teamultimate.in as follows:

<b href=teamultimate.in>Click here to win prizes</b>

And we got the desired output. Similarly we can run our other malicious scripts too.

Cross Site Scripting in XML

Now we have another page which uses XML instead of JSON. Take a look at the output of our innocent query:


It shows some kind of error. It's because XML can't parse characters like < or " directly. We have to use HTML escape characters, i.e. HTML special entities. I have summed up the most important ones here:

" can be written as &quot;
< can be written as &lt;
> can be written as &gt;

/ ' = \ are rendered as they are.
I will be using this script against this form:

<img src=# onerror=alert(1)>

The <img> tag is used to add an image to a webpage, but we have used # as the source of the image, which will fail to load and raise an error. Then I have added onerror=alert(1), which, as its name says, will pop an alert box when that error occurs.

Now let's use the HTML special entities instead of the regular characters (< " >) so that the XML can parse our script.

&lt;img src=# onerror=alert(1)&gt;

I haven't changed much, just replaced >, < and " with their HTML special entities. Now the XML should be able to parse the script and hence the webpage might execute it.


It worked perfectly.

That's all folks. Keep learning, keep XSSing.


About the author

D3V

I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.
