Multi-Stage Payload : Cross Site Scripting Encount'"er

Hi All,

This blog post is a description of a Cross Site Scripting I found in a Banking Application while testing it. I cannot disclose the name obviously, so you would have to gain trust on me.

Why I am writing a blog post on , "just a XSS", is because i thought this is a bit different from what all we keep finding.

There were quite a number of filters and constraints which kept me indulged in it for some time.

Restriction 1: Tags were not allowed. If you put any input so that it completes a tag, session gets closed. Point to be noticed, Open tag was allowed.

Restriction 2: Whatever stuff you inject with great force, application was reflecting it in Upper case, so dude.. No javascript shit.

Restriction 3: Max Length of 35 characters.

1 Plus Point: Web application was only accessible in IE.

When i started the test, disliked this fact. But by the end, I loved this one. I was trying with VBscript payloads. But the issue of tags and length based was worst.

As there were four input parameters, I thought of breaking my payload into parts and then inject.




 I tried with opening the img src in one input, and then using a single quote trick, took the alert part to next input. So that my payloads being

1st Payload: "><img src='a
2nd Payload: ' onerror=alert(1) size="

So that, whatever comes in between 1st payload and second one, it becomes the value of the src attribute. But, it didn't worked. Reason being, there was already a single quote in between the two reflection points which caused the value to be broken in between only.



In place of single quotes, another idea was a pair of /* and */ . but this didn't worked as well.

3rd option, CDATA, i.e. a pair of <![CDATA[ and ]]>. But this also didn't worked and I later realised this was a stupid one. How can I give a tag inside a tag. Syntactically wrong. 

4th option: To use eval function. so possible payloads: 

1st payload: "><IMG SRC=JAVASCRIPT:ALERT(
2nd Payload: ) ONERROR=ALERT(1) SIZE="

It also didn't worked with an issue. Guess what, javascript is case sensitive. 





But this one popped something cool into my mind. Why not use A href with vbscript, already the application was into IE so all potential victims will be using IE only. 

So i crafted the payloads as :

1st payload: "><A HREF="VBSCRIPT:MSGBOX(1)"
2nd Payload: ">)AAAAA><A"

This time the payload got injected, but didnt gave me any hyperlink on the page except a normal text of "AAAAA". I realized, things were going into two tables, so why not close them using two more parameters. We already have four vulnerable parameters.






 Next set of payloads I tried.

1st Payload: "></TABLE b="
2nd Payload: "></TABLE b="
3rd Payload: "><A HREF="VBSCRIPT:MSGBOX(1)"
4th Payload: ">)AAAAA><A"


I used the left back values of "value" attribute each time into the tag which I was injecting, i.e. in table of A tag.






Result : POP UP.





 You can learn Ehtical Hacking from the Infosec Institute, one of the leading institute in the field of Information Security training:  http://www.infosecinstitute.com/courses/ethical_hacking_training.html

Learn Adobe CQ Pentesting from this resource: http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/

4 comments:

  1. thank you !!

    http://www.youtube.com/watch?v=GfLvr3rZQaI

    ReplyDelete
  2. If you would like further information on an appropriate IT security course for your business, please do not hesitate to contact simplEtraining today. A representative will be more than happy to answer your questions and assist you with your enquiry. Take action today before it is too late.
    cyber security training

    ReplyDelete
  3. never treated VB Like You Did Sir _/^\_
    Itz Something Different Than onerror=x etc on web apps & at last Well Explained as usual

    ReplyDelete