Day 31/100 Hack and Improvement

1 minute read

Day 31 comes with a writeup for SSRF and a case for bypassing a WAF for XSS.

SSRF in Facebook worth $31,500

Rajesh Ranjan. Checkout the writeup here.

Case of WAF bypass in order to perform XSS

From Sam (CoffeeJunkie). Starting in this field after passing through some experience with Hack The Box, XSS didn’t seem that complicated till I had to confront myself with a private program in HackerOne which WAF was CloudFlare. It was frustrating to go from the simulation pentesting world, to the real web app testing world, but furtunatelly, there are plenty of resources out there to learn and pass through frustration.

In this case, I was reading a pretty good writeup related about XSS which was found in an admin login panel. So, the attacker started poking around to see how the website reacts to the input fields. In this case, when the attacker give the wront input, this was the URL with the message in the screen.

/admin/index.php?msg=Invalid%20Email%20and%20Password

Some people might try to do URL content injection in this case, but in some programs it does not count as a valid vulnerability. Therefore, the attacker proceeds to look for other kind of attacks such as XSS. As the input is being reflected in the website, the attacker proceeds to enter different kind of XSS payloads such as:

?msg=<script>alert(1)</script>
?msg=<img src=xss onerror=alert(1)>
?msg=<input/onmouseover=”javaSCRIPT&colon;confirm&lpar;1&rpar;”
?msg=<iframe %00 src=”&Tab;javascript:prompt(1)&Tab;”%00>

But in this case the website WAF was blocking him.

nmap scan

Something to learn here that in order to perform the bypass, the attacker saw what kind of input was being filtered by the website, so the attacker will know what payloads to set the next time. So, the winner was

<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>

Full write up from Kleitonx00 is here.

Leave a comment