Another day, another challenge. What’s the topic for today? We’re still in Cross-Site Scripting (XSS) land…
Scenario below –
A hacker informed us that this site suffers from an XSS-like type of vulnerability. Unfortunately, he lost the notes he had written regarding how exactly did he exploit the aforementioned vulnerability.
Your objective is to make an alert box appear, bearing the message “XSS!“. It should be noted, however, that this site has some protection against such attacks.
SOLUTION
Enter the site we have the following page
Trying to use the same tactic from the third challenge (alert(“XSS!”);) we get the following
We see this doesn’t work. Hmm – seems the developer has added some validation to the page.
Let’s see if we can do output encoding with XSS. Our goal is still trying to display the alert box of XSS!
Using TamperData from FireFox we see that our words are being encoded.
Going to Google and look for “XSS Filter Evasion Cheat Sheet” we come to the following page HERE
Scrolling down we see the following:
Let’s try to use the fromCharCode and see if that works.
Changing the XSS to the ASCII equivalent – we get the following:
alert(String.fromCharCode(88,83,83,33))
Putting this into the text box we get inside ‘Tamper Data”:
Pressing “XSS Me!” we get the following:
We’re not going to tamper this data, and press OK.
The screen now returns:
Lessons learned:
The application encoded certain characters “>”, “<“, “(“, “)” to try to mitigate against cross-site scripting attacks. Even with doing this we still found a way to evade the encoding by using the JavaScript function – fromCharCode from the String class. When in doubt, use Google!