  • [XSS Technique Extension] 21. Location Based Payloads – Part I

    While researching a way to evade a filter that detects and blocks an XSS attempt whenever the payload contains parentheses, I came to some interesting solutions to this problem, which will be shared in this post and its subsequent parts.

    It’s worth noting that no encoding of the prohibited characters evades the filter.

    To accomplish this I started using the JavaScript document location property, which makes possible the following raw payload, still not ready for evasion:

    <svg/οnlοad=location=‘javascript:alert(1)’>

    (Due to WordPress security restrictions on “javascript:alert(1)”, to test this you need to copy and paste it here, *re-typing the quotes*.)

    This is easily flagged by any decent filter. So we use another trick, which hides the signature part (“javascript:” and “alert(1)”) in the hash (fragment) part of the URL, because the fragment is never sent to the server:

    <svg/οnlοad=location=location.hash.substr(1)>#javascript:alert(1)

    (Due to WordPress security restrictions on “javascript:alert(1)”, to test this you need to copy and paste it here.)

    Result => javascript:alert(1)

    “location.hash” returns the fragment as a string, with the hash sign at position 0. The “substr” method returns the part of that string starting at the given position, so “location.hash.substr(1)” returns everything after the hash sign, whereas “location.hash.substr(0)” would return the whole fragment including the “#”.

    But we are still using parentheses. So let’s work on that. First we bring the flagged strings back, but split into pieces to avoid detection:

    <svg/οnlοad=location=‘javas’%2B‘cript:’%2B
    ‘ale’%2B‘rt’%2Blocation.hash.substr(1)>#(1)

    Try it!

    Result => javas + cript: + ale + rt + (1)

    The %2B is the URL-encoded plus (+) sign, because in its literal form it is turned into a regular space by the browser before submission. So what we are doing here is joining two pieces of the “javascript:” string with two pieces of the “alert” string, plus the content of the URL after the hash, obtained with “location.hash.substr(1)”.

    In order to avoid the quotes, we can use the “/string/.source” trick as follows:

    <svg/οnlοad=location=/javas/.source%2B/cript:/.source%2B
    /ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)

    Try it!

    Result => javas + cript: + ale + rt + (1)

    Nice. But we are still using parentheses.

    So we need another trick: changing it a little bit, parentheses are avoided completely:

    <svg/οnlοad=location=/javas/.source%2B/cript:/.source%2B/ale/.source
    %2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()

    Try it!

    Result => javas + cript: + ale + rt + ( + 1 + )

    As “location.hash” returns a string, and because JavaScript strings can be indexed like arrays, we use “location.hash[1]” and “location.hash[2]” to point to positions 1 and 2, respectively, of the “location.hash” string.

    Cool, so we could stop here, right? Not if you are not allowed to use “[” and “]” as well.

    So I had to face another problem, and that led me to research a whole new set of payloads, which will be explored in the next posts of the “Location Based Payloads” series.

    #hack2learn

    Original source: https://www.cnblogs.com/devi1/p/13486397.html