
‘Try-Harder’ for XSS

bug-bounty hacking xs pentest infosec


My Twitter handle: https://twitter.com/initroott

This is most definitely one of my most tedious XSS attempts yet. I started with Burp for a thorough enumeration. I set my target scope using advanced scope control, with the host name set to "company".

I then browse the application slowly, one page at a time; specifically, I look for parameters that get reflected. Once I suspect reflection, I use the Intruder tab to actively scan the defined insertion points. Note that I also clear the insertion points for cookies etc.; I only focus on the URL parameters for now.

Let the scanner do its job and keep fuzzing for insertion points.

Enumerating

For this specific XSS I found my endpoint by browsing links in the JS files. The Linkfinder tool (https://github.com/GerbenJavado/LinkFinder) is brilliant.

It even summarizes the endpoints for you in a neat HTML.

Image from the git site.

Ultimately this led me to an endpoint that is vulnerable to XSS. First I checked for reflection.

As you can see in the image below, the TEST value is clearly reflected. Further testing revealed that most of the parameters were reflected.

Constructing XSS

I then broke out of the value and tried several injections, none of which worked. After several hours of testing, all of the following were blocked. I tried several variations of tags and fillers. Let's look at a very common XSS design:

{TAG}{EVENT}={PAYLOAD}

Please have a look at this great article as well https://0x00sec.org/t/fun-bypass-xss-detection-waf/12228.

You can play around by adding fillers in between in order to evade the WAF or whitelisting/blacklisting. A short list of tags I tried:

TAG

script
img
a
body
script 
html
meta
xml
object 
etc.. etc.. 

It didn't look like I was getting anywhere. After a few hours, the only injections I could add with a good success rate were the svg and image tags. The WAF clearly blocks img; however, image is not blocked. I could at least inject images into the site; however, the page redirected almost immediately due to the form's onload event.

I then continued playing with the svg tag.

EVENT

I was now struggling to find an event handler that is not blocked. The classic events on(load|click|error|show) all seem to be blocked. After "trying harder" I eventually found that the OnAuxClick event is not blocked. A list of some events to try:

onclick
ondblclick
onmousedown
onmousemove
onmouseover
onmouseout
onmouseup
onkeydown
onkeypress
onkeyup
onabort
onerror
onload
onresize
onscroll
onunload
onsubmit
onblur
onchange
onfocus
onreset
onselect
onMoveOn
onauxclick
oncontextmenu
onmouseleave
ontouchcancel

The onauxclick event is not nearly as sophisticated or practical for attacks as the other handlers; however, it works nonetheless. It fires when any mouse button other than the primary button is clicked.

With an unblocked TAG and EVENT in hand, I proceeded to find a payload that would execute.

Payload

I'm not covering what is executable and what isn't, but it seemed my best bet was to call directly executable functions such as alert and prompt. Some example payloads:

write(1)
confirm(1)
alert(1)
prompt(1)

A simple variation if () is blocked. Pay attention now: backticks `` are just as effective.

write`1`
confirm`1`
alert`1`
prompt`1`

Eventually I got the payloads working using backticks `` instead of the traditional () call syntax.

The final payload I got working was:

gridview=%27&'/>%20<svg/onauxClick%3D"alert`HackerOne`"</svg>='&asd

We can see the payload reflected correctly.

And, most important of all, it works. Ultimately, this took me several hours to get working; the WAF and filtering were very restrictive.

Timeline: 17-05-19 Discovered bug, informed company on HackerOne

© 2023 Frans Botes