Hallo Jagers! We are back with new way to defeat XSS Filters again. We have already seen popping an alert without HTML, using Angular JS payloads. Let’s see scenario based bypass which turns out to be new approach in xss filter bypassing methodology.
It’s simply similar to Homography where we use Surеsh instead of Suresh to spoof the visible text to lure the victims. Instead spoofing here we simply make use of text written in a special manner to represent it’s behavior.
For example let’s understand why we use below characters in important documents.
- U+2022 • bullet (HTML • · •) used to represent import list or simply to point out the possible cases in any document.
- U+2020 † dagger (HTML † · †) This generally we see in mathematics or physics to denote the Hermitian adjoint of an operator; for example, A† denotes the adjoint of A
- The currency sign (¤) is a character used to denote an unspecified currency.
- A very simple Tab key also used to maintain the document in a specified manner.
- We use page breaks to maintain document alignments.
I hope you got an idea about why and where we use these special unicode/ascii symbols.
I’m not saying about every filter bypass here. But there is a situation where you came across a context of reflection where developer is blocking space and slash addition in the payload.
In the above context we generally throw payload like <script>confirm(1)</script>
Now what if developer blocked ScrIpt ScrsCriptipt script SCRIPT combo can we pop an alert..?? absolutely yes. We can simply use other html tags such as image source or iframe src etc.
What if again developer (he’s so lazy man) blocked spaces and slashes is there any other way to pop the alert again. Why not, we can use hardware characters(bad characters) such as %00, %09, %90, %0a, %0d, %0c, %etc you can think of other payloads.
Finally he made a patch (thinks he fixed it) like blocklisting of % character. Now tell me how we can bypass it ??
Yes We Can Bypass it
I hope now you understand the scenario where we are. In this case we can make use of Typography to bypass this restriction.
Bypass with Page/Section Break
To do that open a word document. Click on Page Layout > Breaks > Section Break
Now to see that enable Show/Hide marks button
After enabling you can see below symbol. Simply copy it and paste it in Notepad ++ (where we can see it again)
In Notepad++ you can see an orange dot after svg which can provide space for us.
After loading this payload in our favorite browsers we can see the alert popped.
Also after browser processing this HTML we can see a space which is created by page/section break. (Chrome)
In Firefox and Edge browsers it’s interpreted as different unprintable character still we can see the pop up.
Bypass with Tab
In the same way we can simply copy the tab symbol to notepad and we can make use of it to bypass the filtering mechanism. It’s also works like nested spacing as tabulator contains multiple spacing.
While browser interpretation we can see more space after svg tag.
Learn : Hack : Have Fun 🙂