[DOM based XSS] Or why you should not rely on Cloudflare too much

KatsuragiCSL
Nov 14, 2018 · 3 min read

Foreword

So I found another XSS in a bug bounty program. The website [redacted.com] is protected by the Cloudflare WAF, so many payloads are filtered. But the website is implemented so badly that even Cloudflare can’t protect it.

Just a few days before I found this bug, I had been telling my colleagues “don’t rely on firewalls / security products too much” during an internal presentation. Now I have a real example to talk about. LOL.

Summary

When I triggered an error on the login page, a parameter called Message was reflected in the body of the HTML AND in a pop-up box (i.e. the value of “Message” was inserted into JavaScript, right inside alert(“[value_here]”)) without any filtering. So I was able to insert anything I liked into the script.

Payload:

This is an outdated page. You will now be redirected to our new page"); window.location="https://google.com"//

So we can trick users into believing they are being sent to an updated web page and must log in again. (Redirecting to Google here for demonstration.)

How did I find it

In fact I was checking their register and sign-in functions, attempting to find some application flaws. I registered an account using the email a@a.com without verifying it and tried to sign up with the same email again. Then an error message popped up:


And I found that the URL became

https://redacted.com/Secure/Login.aspx?UserID=a@a.com&ReturnUrl=&Message=The E-Mail Address entered (a@a.com) is already on file. If this is your correct e-mail address, you may sign in as an existing customer.

Exactly the same as the text in the pop-up box and the text shown at the top:


So the message may be reflected in the body of the HTML. I tried the straightforward <script>alert(1)</script> payload.

Then I got this:


Oops. Cloudflare. But that was what I expected 🙂. That payload is for dummies.

I noticed that the message was inserted directly into the JavaScript:

So what we can do is close the double quote and the parenthesis, like

alert("something_here");evil_script_here// ")

Then we can do anything we want.
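As an added example (not the site's or the author's code), here is a minimal model of the reflected-into-script pattern described above: the vulnerable rendering beside a context-encoded version, a stand-in for a tag-only filter, and a check that tells the two renderings apart. The filter rule, the page markup and the placeholder redirect target are constructed assumptions.

```javascript
// Added example, not the original site's code: a minimal model of the
// Login.aspx behaviour described above, where the "Message" parameter is
// reflected into the HTML body AND into an inline alert("...") call.

// Stand-in for a tag-based WAF signature (constructed; not Cloudflare's
// real rules). It only notices HTML tags such as <script>.
function naiveTagFilter(value) {
  return /<\s*\/?\s*[a-z]/i.test(value);
}

// Vulnerable rendering: raw concatenation into both contexts.
function renderVulnerable(message) {
  return `<div class="error">${message}</div>\n` +
         `<script>alert("${message}");</script>`;
}

// HTML entity encoding for element content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// JS string-literal encoding: JSON.stringify escapes quotes and backslashes,
// so the value can never close the literal; "</" is escaped so the value can
// never end the <script> block; U+2028/2029 are escaped so they cannot break
// the literal in older engines.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: context-specific encoding for each sink.
function renderHardened(message) {
  return `<div class="error">${escapeHtml(message)}</div>\n` +
         `<script>alert(${jsStringLiteral(message)});</script>`;
}

// Check on the rendered page: true only if the inline script is exactly one
// alert() whose argument is a single string literal (nothing injected).
function scriptIsSingleAlert(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/);
  return !!m && /^alert\("(?:[^"\\]|\\.)*"\);$/.test(m[1].trim());
}

// Constructed input in the shape described above (placeholder target).
// It contains no HTML tag, so the tag-only filter passes it.
const BREAKOUT = 'This is an outdated page"); window.location="https://example.test"//';

console.log(naiveTagFilter('<script>alert(1)</script>'), naiveTagFilter(BREAKOUT)); // true false
console.log(scriptIsSingleAlert(renderVulnerable(BREAKOUT)), scriptIsSingleAlert(renderHardened(BREAKOUT))); // false true
```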

Good firewalls can’t save bad code. That’s it. Thanks for reading.


KatsuragiCSL

Written by

A security enthusiast. @ZuuitterE

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
