XSS Payload Filter Bypass by xploiterr

Hello guys! In this blog post you will see a few tips, with a real-world web application example, on XSS payload filter bypass by @xploiterr. You can follow him on Twitter for more tips and tricks about XSS.


For Beginners - What is XSS?

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into trusted websites. It occurs when a web application accepts input from users without properly sanitizing it. A better explanation, with different labs for practice, is given on PortSwigger.


Basic Payloads:-

<script>alert(1);</script>
"><img src=x onerror=alert(1);>
"><svg/onload=alert(1);>

If the above payloads are removed/filtered by the application, then read the writeup below:-


WriteUp by xploiterr

This writeup is regarding a filter bypass for stored XSS. So this website has a feature where we can create workflows for automation. In a workflow we can use a property and its value for entering inputs, but the property was sanitizing the inputs; for example, if we enter a simple XSS payload

"><img src=x onerror=alert(1);>

It will remove this payload and only the double quote will be left, which was reflected inside the attribute as its value in a <span> tag. So this shows that we are able to break out of the attribute context of this tag using double quotes ("). So now you will think of this payload:-

"onmouseover=alert(1) x="

But unfortunately the web application was removing these special characters: (),``. So now we have to find a way to execute XSS without these chars in our payload:-

<>()``

So I tried many payloads from Google without these chars, but no luck. So I decided to report this with a payload which would change the DOM of the page:-

"onmouseover=document.documentElement.textContent=document.documentElement.outerHTML c="

The next day, I tried again and was finally able to bypass this with this payload:-

"onmouseover=javascript:window.onerror=alert;throw[1] c="

In the above payload, I haven't used those special characters and I was able to bypass this. I spent some 2 hours on this. But it was worth it.
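To make the lesson concrete from the defender's side, here is an added JavaScript example (not code from the original post or from the application described): a simplified stand-in for the character-blacklist filter in the writeup beside a context-aware attribute encoder, both checked against the post's own payloads. The filter logic, the rendered <span> and its data-value attribute name are assumptions for illustration.

```javascript
// Added example, not from the original post: why stripping a few characters
// does not protect an HTML attribute context, and what does.

// Assumed stand-in for the filter in the writeup: strips < > ( ) ` and
// nothing else, so the double quote survives just as the post describes.
function blacklistFilter(input) {
  return input.replace(/[<>()`]/g, '');
}

// Hardened replacement: encode every character that carries meaning inside a
// quoted HTML attribute value, so the value can never close the attribute.
function encodeForAttribute(input) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#x27;', '<': '&lt;', '>': '&gt;' };
  return input.replace(/[&"'<>]/g, (c) => map[c]);
}

// Assumed rendering of the <span> the writeup mentions: the untrusted value
// lands inside a double-quoted attribute.
function renderSpan(value) {
  return `<span data-value="${value}"></span>`;
}

// True when the untrusted value did not terminate the attribute early.
// A safe render contains exactly two double quotes: the ones we wrote.
function attributeIntact(html) {
  return (html.match(/"/g) || []).length === 2;
}

// Payloads taken from the post itself: the basic one and the final bypass.
const BASIC = '"><img src=x onerror=alert(1);>';
const BYPASS = '"onmouseover=javascript:window.onerror=alert;throw[1] c="';

// For one payload, report whether each defence keeps the attribute intact.
function evaluate(payload) {
  return {
    blacklist: attributeIntact(renderSpan(blacklistFilter(payload))),
    encoded: attributeIntact(renderSpan(encodeForAttribute(payload))),
  };
}

// The bypass payload contains none of the blacklisted characters, so the
// filter passes it through untouched; encoding neutralises both payloads.
console.log('basic :', evaluate(BASIC));
console.log('bypass:', evaluate(BYPASS));
```

The output shows that the blacklist leaves the attribute broken for both payloads (the bypass passes through unchanged), while attribute encoding keeps it intact for both, which is the check to apply whenever a reviewer sees a "remove these characters" style filter.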


"Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time". - Thomas Edison

Thank you!!!
