‘Try-Harder’ for XSS

Frans Hendrik Botes
May 16 · 4 min read

My Twitter handle: https://twitter.com/initroott

This would most definitely go out to my most tedious XSS attempts yet. I’ve started with Burp for a good enumeration. I set out my target scope using advance scope control and the host-name as “company.”.

I then browse the application slowly one for one, specifically I look for parameters that gets reflected. Once I suspect reflection I make use of the Intruder tab to Actively scan defined insertion points. Note that I also clear insertion points for cookies etc. I only focus on the URL parameters now.

Let the scanner do its job and keep fuzzing for insertion points.


Enumerating

It even summarizes the endpoints for you in a neat HTML.

Image from the git site.

Ultimately this lead to my endpoint which is vulnerable to XSS. At first I checked for reflection.

As you can note from the below image the TEST value is clearly being reflected. Further testing revealed that most of the parameters could be reflected.

Constructing XSS

{TAG}{EVENT}={PAYLOAD}

Please have a look at this great article as well https://0x00sec.org/t/fun-bypass-xss-detection-waf/12228.

You can play around adding fillers in-between in order to evade WAF or white/black listing. A short list of tags I’ve tried:

TAG

script
img
a
body
script 
html
meta
xml
object 
etc.. etc.. 

It didn’t look that I was getting anywhere. After a few hours, the only injection I could add with a good success rate is the svg and image tag. WAF clearly blocks img, however, image is not blocked. I could at-least inject images into the site, however, it is redirected almost immediately due to the form onload event.

I then continued playing with the svg tag.

EVENT

events on(load|click|error|show) 

all seem to be blocked. After “trying harder” I eventually found the OnAuxClick event is not blocked. A list of some events to try.

onclick
ondblclick
onmousedown
onmousemove
onmouseover
onmouseout
onmouseup
onkeydown
onkeypress
onkeyup
onabort
onerror
onload
onresize
onscroll
onunload
onsubmit
onblur
onchange
onfocus
onreset
onselect
onMoveOn
onauxclick
oncontextmenu
onmouseleave
ontouchcancel

The onauxclick is not nearly as sophisticated or practical for attacks than the other methods, however, works nonetheless. It basically triggers on any mouse buttons that is not primary buttons.

With a the TAG and EVENT set unblocked I proceeded to find some payload to execute.

Payload

write(1)
confirm(1)
alert(1)
prompt(1)Simple variation if () is blocked. Pay Attention now `` is just as effective.write`1`
confirm`1`
alert`1`
prompt`1`

Eventually I got the payloads working using `` instead of the traditional() approach.

The final payload I got working was:

gridview=%27&’/>%20<svg/onauxClick%3D”alert`HackerOne`”</svg>=’&asd
We can see the payload reflected correctly.

And the most important of all. Ultimately, this took me several hours in order to get it working, the WAF and filtering was very restrictive.

Timeline 17–05–19 Discovered bug, informed company on HackerOne