SECURITY GEEK

Random ramblings in Infosec

Solutions for XSS Challenge – Sh*t it’s a WAF

A month ago I made an XSS challenge called Sh*t it’s a WAF. The idea of the challenge was to bypass the WAF filters and inject an XSS payload that executes alert(1337). The challenge was a bit tricky but not hard. So let’s first explain how the WAF worked and how it could be bypassed.

How the WAF works?

The challenge has 3 vulnerable input tags at the value attributes (Address1, Address2, Zip).
Double quotes weren’t filtered, so the value attribute’s quotes could be closed and the input tag could be closed using ‘>’, but you couldn’t open a new HTML tag using the ‘<‘ character because it was removed. So the only possible way was to use event handlers to execute JavaScript; the problem was that all event handlers were blocked by the WAF. However, the WAF had a weakness: it only blocked a payload if it exceeded 10 characters.

So a payload like “onfocus= gets accepted and reflected in the response because its length is only 9 characters:

[image: onfocus]

But a payload like “onfocus=alert(1) is rejected and blocked by the WAF because its length is 17 characters:

[image: onfocus-rejected]

How to Bypass the WAF and execute Javascript ?

To bypass the WAF, we have to get around the 10-character length limitation. This can be done with a simple trick: splitting the XSS payload over the 3 affected input tags in the page. In the first vulnerable input tag you can use the shortest event handler, which is oncut, with a payload like “oncut=’/* (exactly 10 characters), and in the second vulnerable input tag you continue the rest of the payload and close the multi-line comment: */alert(1337)’, as follows.

[image: oncut-xss]


The payload will look like the following. “Address Line 1” and “Address Line 2” act as if they were a single input tag, because the single-quoted oncut attribute opened in the first field only ends at the quote supplied in the second field.

[image: oncut-xss3]

Now if you write anything inside the “Address Line 1” field and then cut it using “CTRL + X”, the XSS fires.

[image: oncut-xss2]

This solved the challenge, but unfortunately it requires a lot of interaction from the user, and it is hard to exploit in the real world.

Now let’s dive into more cool solutions for the challenge. I will start with my own solution :)

My Solution:

I solved the challenge with a similar technique but using a different event handler, onblur, which is one character longer than oncut. So “onblur=’/* is 11 characters and unfortunately gets blocked by the WAF. The problem now was that I needed a single character to open a comment inside the JavaScript, to make my payload 10 characters long instead of 11. Is that possible?

Luckily, yes! It’s possible, and thanks go to ES6 (ECMAScript 2015), which provides template strings (accent grave), enclosed by back-ticks. One feature of template strings in ES6 is multi-line strings, so doing something like

will appear as two lines with a line break.

[image: template-string]

So I used a template string to swallow the markup between the fields inside the JavaScript, the same way the multi-line comment did, but using one single character.

Here is the final payload I used to solve the challenge:
https://gist.github.com/aboul3la/94ca39e86f4e7d47682d

The solution was simply to use the onblur event handler along with autofocus, as follows:

Address Line 1:

Address Line 2:

Zip Code:

You can try the solution POC from the following URL:  http://www.secgeek.net/POC/XSS-Challenge-POC.html

The XSS payload fires when you left-click anywhere inside the page, or when you click outside the browser window, for example on the start menu or the taskbar.

[image: XSS-Solution]

Much better, right? :) But it still needs mild interaction from the user.

Now let’s shed light on some of the coolest solutions I received that require zero user interaction.

Cool Solutions with no user interaction

I’ve received 2 solutions for the challenge that require no user interaction.

The first one is by Masato Kinugawa and the second one by Mario Heiderich and File Descriptor.

[-] Masato Kinugawa’s Solution – Chrome, no user interaction

The Solution:

Masato solved the challenge with a creative payload that uses onblur and autofocus with an extra trick: he uses window.open to open the challenge page in a new window, then after 2 seconds redirects that window’s location to http://xss-challenge.secgeek.net/#sbtn, which makes the address1 field lose its focus, so the onblur event fires without any user interaction!

Amazing one! :)

[-] Mario Heiderich and File Descriptor – Edge, no user interaction

The Solution:

Here Mario and File Descriptor came up with an amazing solution for the challenge: they used an XSS vector that works without any user interaction in Edge. They use the onblur event handler with autofocus, chained with a cool trick: id=x contenteditable inside the zip tag. Then they simply request #x in the URL, which makes the address field lose its focus, and the onblur event fires.

Really Awesome! :D

The Challenge in Real World

Actually, I found the same challenge in the Tesla Motors bug bounty program. I found that the user profile page on the my.teslamotors.com domain had 3 fields vulnerable to XSS.

[image: TeslaMotors]

At first I was surprised that a direct XSS vulnerability existed in such a critical area and no one had reported it, but when I tried to exploit it I understood the reason and saw the crazy WAF that blocks all the event handlers. So I enjoyed playing with the WAF and managed to bypass it as explained in this article, then I reported the XSS vulnerability and the WAF weakness to the Tesla Security Team. They fixed the vulnerability and rewarded me with a very nice bounty :D

Here is a little video demonstration of the vulnerability.

Thanks and I hope you enjoyed the challenge :)
