XSS Bypass Challenge – 2 [Solutions]

Hello

As you know, XSS Bypass Challenges usually depend on knowledge of JavaScript, a good analysis of the web application's behavior, and creativity. As in all my other challenges, this one was also a simulation of a real-life case that I experienced during a penetration test. We will have a look at the source code to understand what the developer tried to do to fix the XSS vulnerability and what he/she missed.

If you haven't tried to bypass the challenge yet, please try it yourself first; you can reach it directly via http://lab.mehmetince.net/h4ckm3/xss-2/index.php, then come back here and continue reading the rest of the post.

First Thing First

I want to share the names of those who successfully bypassed the challenge, together with their payloads.

@0x90kh4n

@y_arabaci

@prakharprased

@ysr08

@SammyKalintosh

Source Code

As you can see, there is something wrong with the PHP part of the source code. The first thing I want to mention is addslashes(). This function prefixes each single quote with a backslash, which is the first part of preventing an inline-JavaScript XSS vulnerability.

Secondly, the point I want to emphasise is blacklisting specific HTML tags. If you really want to detect HTML tags inside user input, you have to be careful. In this example, the most common HTML tags are removed from the user input via str_replace(). To bypass this security concept of the PHP code, we will focus on how str_replace() is used. Please read the following code to understand the payload.

Results

To be honest, I like @0x90kh4n's and @prakharprased's solutions. Actually, I used exactly the same payload as 0x90kh4n.

As you can figure out, the first step is ending the JavaScript tag with </scscriptript> and reopening it via <scscriptript>. Because str_replace() strips the string "script" in a single pass rather than repeatedly, the inner copy is removed and the surrounding characters join back together into "script". After that, call your remote JS file, which contains the alert(document.cookie) method, and close your JavaScript tag with </scriscriptpt>. That's all.
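To see why the single-pass blacklist fails and what actually closes the hole, here is an added Python model of the filter described above (not the challenge's PHP source); the exact blacklist and the `alert(1)` sample inputs are assumptions, and the fix shown is plain HTML output encoding (the equivalent of PHP's htmlspecialchars() with ENT_QUOTES).

```python
import html

# Tags the write-up says the PHP filter strips with str_replace().
# The real blacklist is not shown on the page; this list is an assumption.
BLACKLISTED_TAGS = ["script", "img", "svg", "iframe", "body", "object"]


def addslashes(s: str) -> str:
    """Python equivalent of PHP addslashes(): escape ' \" \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def blacklist_filter(user_input: str) -> str:
    """Model of the challenge filter: addslashes() followed by one
    non-recursive str_replace() of every blacklisted tag name."""
    out = addslashes(user_input)
    for tag in BLACKLISTED_TAGS:
        out = out.replace(tag, "")  # str_replace() runs exactly once per tag
    return out


def contains_script_tag(rendered: str) -> bool:
    """Detection check: did a <script ...> or </script> tag survive?"""
    lowered = rendered.lower()
    return "<script" in lowered or "</script" in lowered


def safe_output(user_input: str) -> str:
    """The fix: encode for the output context instead of blacklisting.
    With '<' encoded, no tag can be reassembled however it is nested."""
    return html.escape(user_input, quote=True)


# Constructed inputs: a naive one the blacklist does catch, and the nested
# form from the write-up, where removing "script" once leaves a real tag.
NAIVE = "<script>alert(1)</script>"
NESTED = "</scscriptript><scscriptript>alert(1)</scriscriptpt>"

if __name__ == "__main__":
    for label, value in (("naive", NAIVE), ("nested", NESTED)):
        filtered = blacklist_filter(value)
        print(f"{label:6} blacklist -> {filtered!r} "
              f"(script tag survives: {contains_script_tag(filtered)})")
        print(f"{label:6} encoded   -> {safe_output(value)!r}")
```

Iterating str_replace() until nothing changes would stop this particular nesting, but it still leaves every tag not on the list untouched, which is why encoding for the output context is the fix rather than a longer blacklist.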

In conclusion, I will prepare and post new online challenges based on what I experienced during penetration tests, again! Besides, the next challenge will be about SQL Injection.