From parameter pollution to XSS

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · vulnerability
AI Summary

The author discovered an XSS vulnerability by bypassing a whitelist-protected redirect parameter through HTTP parameter pollution, combining javascript:// scheme manipulation with multiple 'dest' parameters to execute arbitrary JavaScript code.

from parameter pollution to XSS
by Mo'men Basel · ~3 min read · May 16, 2019 (Updated: December 10, 2021)

I'm going to talk about an XSS I found on a website.

I noticed that clicking any link on the main page redirects the user to an interstitial page, to make sure the user is aware that they are about to be sent to another website. The URL looks like this:

/intersticial.aspx?dest=http://whitelistedWebsite.com

Once you click "Aceptar" you are redirected.

I tried editing whitelistedWebsite.com to javascript:alert(1), but it didn't work, as the URL must match the whitelisted sites. Then I tried redirecting to

/intersticial.aspx?dest=javascript://whitelistedWebsite.com

and opened the Chrome devtools: javascript was accepted as a scheme for the parameter. I concluded that the parameter accepts any scheme, but a whitelisted website must follow the scheme. Example:

/intersticial.aspx?dest=data://whitelistedWebsite.com → accepted
/intersticial.aspx?dest=http://google.com → not accepted

I tried to think of a way to write JavaScript and the URL together and get the JavaScript to run.

I tried adding %0a%0d, which adds a newline, but I was redirected to a forbidden page.

I started thinking of adding the whitelisted website as a variable and then a semicolon, which terminates a JavaScript statement, but the website doesn't accept a semicolon in this parameter and redirects me to the homepage instead, as the URL must come directly after the scheme, not after var url=whitelistedWebsite.com.

I tried entering javascript:/whitelistedWebsite.com/i as the value of the "dest" parameter and found out that the parameter not only accepts schemes like http:// and ftp:// but also accepts http:/ and javascript:/.

After that, regex immediately came to mind. For those who don't know about regex: it is a sequence of characters that defines a search pattern and can be used in almost any programming language. In JavaScript, /whitelistedWebsite.com/i is a valid regex literal, so javascript:/whitelistedWebsite.com/i is at the same time a "scheme followed by a whitelisted host" value that the check accepts and a valid JavaScript expression.

/intersticial.aspx?dest=javascript:/whitelistedWebsite.com/i;alert(document.domain)

The website refused the request, as it includes a semicolon, and I wanted to put anything between these two valid JavaScript statements to separate them and be able to execute JS.

Then I tried adding another parameter with the same name "dest", so the URL became:

intersticial.aspx?dest=javascript:/whitelistedWebsite.com/i&dest=

I noticed that a comma had been added to the resulting URL: the server joins the values of the repeated parameter with a comma, and a comma is also a valid JavaScript operator that separates two expressions. Then I added an alert function as the second parameter value and, once I clicked "Aceptar", voilà! XSS confirmed. The final URL:

intersticial.aspx?dest=javascript:/whitelistedWebsite.com/i&dest=alert(1)

Conclusion: HTTP parameter pollution may not lead to serious harm on its own, but it can help with a bypass that gets you to a P1 or P2 vulnerability. If you find a parameter that accepts a redirect to javascript://website.com, never lose hope and keep searching!

#javascript #xss #security #hacking #parameters
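The two weaknesses the write-up relies on, a redirect check that only verifies that an allowlisted host follows some scheme and a server that joins repeated query parameters with a comma, are easy to reproduce and to fix in a few lines. The following is an added example, not code from the original post or from the site it describes: a weak validator modelled on the observed behaviour, a hardened validator beside it, and a request-level check that refuses a repeated `dest`. The allowlist host, the helper names and the sample values are constructed for this example; the comma-join mirrors what ASP.NET's `Request.QueryString` indexer returns for repeated keys, which is the likely source of the comma the author noticed.

```javascript
// Added example (not the original post's code). Weak vs hardened validation of
// a redirect "dest" parameter, plus handling of repeated query parameters.
const ALLOWED_HOSTS = new Set(["whitelistedwebsite.com"]); // constructed allowlist

// Weak check modelled on the behaviour in the write-up: any scheme, one or two
// slashes, then the allowlisted host; a semicolon anywhere is refused outright.
function weakIsAllowedDest(dest) {
  if (dest.includes(";")) return false;
  const m = /^[a-z][a-z0-9+.-]*:\/{1,2}([^\/?#;]+)/i.exec(dest);
  return m !== null && ALLOWED_HOSTS.has(m[1].toLowerCase());
}

// Hardened check: parse with the WHATWG URL parser instead of pattern-matching,
// allow only http(s), require an exact hostname match, refuse embedded credentials.
function strictIsAllowedDest(dest) {
  let url;
  try {
    url = new URL(dest);
  } catch {
    return false; // not an absolute URL at all
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (url.username !== "" || url.password !== "") return false;
  return ALLOWED_HOSTS.has(url.hostname.toLowerCase());
}

// What the server-side code saw for the final URL: repeated keys joined with a
// comma (the behaviour of ASP.NET's Request.QueryString["dest"]).
function joinedDestLikeAspNet(queryString) {
  return new URLSearchParams(queryString).getAll("dest").join(",");
}

// Request-level validation: read every value of "dest", refuse the request if
// the parameter is repeated, then apply the strict URL check to the single value.
function validateRedirectRequest(queryString) {
  const values = new URLSearchParams(queryString).getAll("dest");
  if (values.length !== 1) {
    return { ok: false, reason: `dest must appear exactly once, got ${values.length}` };
  }
  if (!strictIsAllowedDest(values[0])) {
    return { ok: false, reason: "dest is not an allowlisted http(s) URL" };
  }
  return { ok: true, dest: values[0] };
}

// Constructed sample values following the write-up's progression.
const SAMPLES = [
  "http://whitelistedWebsite.com",
  "javascript://whitelistedWebsite.com",
  "data://whitelistedWebsite.com",
  "http://google.com",
  "javascript:/whitelistedWebsite.com/i;alert(document.domain)",
  joinedDestLikeAspNet("dest=javascript:/whitelistedWebsite.com/i&dest=alert(1)"),
];

for (const s of SAMPLES) {
  console.log(`${s.padEnd(58)} weak=${weakIsAllowedDest(s)} strict=${strictIsAllowedDest(s)}`);
}
console.log(validateRedirectRequest("dest=javascript:/whitelistedWebsite.com/i&dest=alert(1)"));
```

The weak check accepts every scheme-plus-host value from the post, including the comma-joined one, because it never asks what the scheme is or what comes after the host. The strict check parses first and decides on the parsed `protocol` and `hostname`, so a `javascript:` or `data:` scheme is rejected before the host is even looked at; reading the parameter with `getAll` and refusing more than one value removes the parameter-pollution step entirely, which matters because frameworks differ in whether they keep the first value, the last, or a joined string.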