DEV Community

Cover image for Unveiling the Secrets of XSS Bypass: Harnessing JavaScript Symbols for Code Execution
TutorialBoy
TutorialBoy

Posted on

Unveiling the Secrets of XSS Bypass: Harnessing JavaScript Symbols for Code Execution

Preface

I have been looking at Intigriti, yeswehack, HackerOne and Bugcrowd bounty platforms recently. It is really uncomfortable to bypass WAF. I will record the bypass scenario.

Preliminary testing

When I first tried XSS, I found that the user's input is displayed in the title. Generally speaking, it is to see if it can be closed. As the picture below shows, it is converted into an entity after entering angle brackets.

Image description

Bypass Html Entity Encoding

HTML entity encoding, which is the escape character in HTML.

In HTML, some characters are reserved. For example, the less than sign < and the greater than sign > cannot be used in HTML because the browser will mistake them for tags. If we want to display reserved characters correctly, we must use character entities in the HTML source code. A common character entity in HTML is a nonbreaking space. (Note: Entity names are case-sensitive!) Character entities are similar to this: &entity_name; or &#entity_number; If you need to display the less than sign, we must write like this: < or < Common entity encoding.

More entities can be found on the following website:

The Basic Latin alphabet, 128 symbols (◕‿◕) SYMBL

Continuing to try, we found that the title tag would close when we entered the html decimal entity number and escaped it.

Image description

WAF

I originally thought of and directly killed it, but ended up with a waf.

Image description

The next step is to fuzz the event as usual, and the results are all 403. At this time, there is no other way, so the image tag cannot be used.

Image description

Changing other tags, fuzz found that there are quite a few available.

Image description

Then use the tag to bypass

Commonly used payloads can be modified based on the following payloads

<a href="javascript:alert(1)"/>

Enter fullscreen mode Exit fullscreen mode

It was going smoothly at first, but I posted it later and it was filtered. I really vomited. Just look at the picture.

Image description

Image description

Bypassing javascript, it’s here. Some people may think it’s over, but in fact it’s not that simple.

Image description

In fact, I didn’t spend much time in the front, mainly around the alert time. The various methods I tried here include html entity bypass, but basically, none of them worked.

Image description

Image description

Then I was stuck here for a long time. I also thought about using prompt and other functions instead of alert, but it just didn't work. Later I found that brackets and backticks cannot be followed.

Image description

At this time, I was thinking, is there any function that cannot use parentheses to pop up windows? I'm totally confused. I searched a lot and couldn't find any of them. They all require brackets. I can't get past the ones that don't require brackets and backticks after the alert.

Image description

Finally saw this on some Twitter user on random waf bypass tips finally completing the bypass

Image description

The Link:- https://aem1k.com/aurebesh.js/#%60alert%281%29%60
Local test payload

<a/href="javascript;{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a +e+s](e+s+v+h+n)(/infected/.source)" />click

Enter fullscreen mode Exit fullscreen mode
<a href=ja
vascript:k='',a=!k+k,f=!a+k,g=k+{},kk=a[k++],ka=a[kf=k],kg =++kf+k,ak=g[kf+kg],a[ak+=g[k]+(a.f+g)[k]+f[kg]+kk+ka+a[kf]+ ak+kk+g[k]+ka][ak](f[k]+f[kf]+a[kg]+ka+kk+"(k)")()> 1111";//</title >
Enter fullscreen mode Exit fullscreen mode

Image description


Source :- https://tutorialboy24.blogspot.com/2023/11/unveiling-secrets-of-xss-bypass.html

Top comments (0)