Cross Site Scripting - Level 02 __ Frozen Flame
May 31, 2021
alert("NO XSS in this area");
In my 1st two blogs about XSS , I have said how to do some basic Cross Site Scripting attack. But, in some cases, you can't perform any kind of XSS. Sounds interesting huh? So, let's try to know them and also to know, how to bypass these things.
I was trying to perform a cookie stealing attack through XSS. And found an interesting parameter and, that param seemed to be vulnerable to an XSS attack. But, I was not able to steal the cookie as I couldn't perform any successful XSS attack. It took a long time to understand why I wasn't able to perform the attack. Let's share it. Why can't you perform XSS in some cases.
But, like before, I am not going to share any details of that site. So, let's exploit.
Exploitation ::
The website's domain was looking like this, everythingvuln1.com . And the param was looking like this,
everythingvuln1.com/?param=xss
And, the word " xss " was reflecting in the webpage. So, there may be an XSS vulnerability.
Checking filter & WAF ::
I checked the client side view source. And, found the word. So, I checked for the filter and WAF like this,
everythingvuln1.com/?param=testingxss't"t\t/t<t>t=
I found everything alright. That means, no filter & no WAF. Ok. We are good to go.
Attack ::
As I have said in my 2nd blog that , we need to close the tag like this,
"><script>alert (1)</script>
But, in some cases, we can't use our script to perform an XSS attack. There are some, specific tags where we can't do this.
Tags ::
- <title>
- <script>
- <textarea>
- <noscript>
- <pre>
- <xmp>
- <iframe> and there can be more..😅
As you can see, in general, these tags can stop you from, performing Cross Site Scripting attack. Let me give you an example code which is made by these tags.
<html><head><title><svg onload="alert(1)"></title><body><noscript><script type="text/javascript">alert(1);</script></noscript><xmp><svg onload="alert(1)"></xmp><iframe><svg onload="alert(1)"></iframe><textarea><svg onload="alert(1)"></textarea><script type="text/javascript"><svg onload="alert(1)"><script>alert(1)</script></script></body></html>
Copy and, paste it, I assure you, that it won't pop-up. Don't panic. Let me explain you about every tags.
- Actually, XSS occurs when it works in the webpage. Not in the title. So, if your payload is in the <title> tag, then 1st close it and, then, execute your payload. Like this, </title><script>alert(1)</script> . So, it will close the title tag first. And, then it will come in the webpage. And, a successful attack.
- Now comes, <noscript> tag. In this tag, no javacript runs. So, if your payload in this section, 1st make it out. Then, run the script.
- <xmp> tag prints everything in the webpage. So, if you write your tag between this tag, there is no chance of executing your payload. So, same thing here. Close it first. The <textarea> also works the pretty similar.
- Same thing for <iframe> . Close it first.
- Now, I came to the last one, <script>. Actually, it some topics to discuss. Which I will write in my next blogs. But , for now, understand that, if there is a script tag already you don't need to add another one. We will manipulate the existing tag. And, in this tag, only JavaScript runs. So, if you give, <svg onload="alert(1)"> it won't run at all.
So, in these cases, close the tag and then, execute your payloads. Goodbye for today. May be in another tutorial of cyber security. Till then,
Happy Hacking. 💓