‘Try-Harder’ for XSS
My Twitter handle: https://twitter.com/initroott
This would most definitely go out to my most tedious XSS attempts yet. I’ve started with Burp for a good enumeration. I set out my target scope using advance scope control and the host-name as “company.”.
I then browse the application slowly one for one, specifically I look for parameters that get reflected. Once I suspect reflection I make use of the Intruder tab to Actively scan defined insertion points. Note that I also clear insertion points for cookies etc. I only focus on the URL parameters now.
Let the scanner do its job and keep fuzzing for insertion points.
For this specific XSS I found my endpoint by browsing links in the JS files. The Linkfinder tool (https://github.com/GerbenJavado/LinkFinder) is brilliant.
It even summarizes the endpoints for you in a neat HTML.
Ultimately this leads to my endpoint which is vulnerable to XSS. At first, I checked for reflection. As you can note from the below image the TEST value is clearly being reflected. Further testing revealed that most of the parameters could be reflected.
I then broke out of the value and tried several injections, of which none worked. Based on several hours the following were all blocked. I tried several variations of tags and fillers. Let’s look at a very common XSS design.
Please have a look at this great article as well as https://0x00sec.org/t/fun-bypass-xss-detection-waf/12228.
You can play around adding fillers in-between in order to evade WAF or white/blacklisting. A shortlist of tags I’ve tried:
script img a body script html meta xml object etc.. etc..
It didn’t look that I was getting anywhere. After a few hours, the only injection I could add with a good success rate is the svg and image tag. WAF clearly blocks img, however, image is not blocked. I could at-least inject images into the site, however, it is redirected almost immediately due to the form onload event.
I then continued playing with the svg tag.
I was now struggling to find an event handler that is not blocked. The classic
all seem to be blocked. After “trying harder” I eventually found the OnAuxClick event is not blocked. A list of some events to try.
onclick ondblclick onmousedown onmousemove onmouseover onmouseout onmouseup onkeydown onkeypress onkeyup onabort onerror onload onresize onscroll onunload onsubmit onblur onchange onfocus onreset onselect onMoveOn onauxclick oncontextmenu onmouseleave ontouchcancel
The onauxclick is not nearly as sophisticated or practical for attacks than the other methods, however, works nonetheless. It basically triggers on any mouse buttons that are not primary buttons.
With the TAG and EVENT set unblocked I proceeded to find some payload to execute.
I’m not covering what is executable and what is, but it seemed my best bet was to run directly executable from the Alert, Prompt commands. Some examples of payloads.
write(1) confirm(1) alert(1) prompt(1) Simple variation if () is blocked. Pay Attention now `` is just as effective. write`1` confirm`1` alert`1` prompt`1`
Eventually, I got the payloads working using “ instead of the traditional() approach.
The final payload I got working was:
And the most important of all. Ultimately, this took me several hours in order to get it working, the WAF and filtering were very restrictive.
17–05–19 Discovered bug, informed company on HackerOne