
I am trying to perform XSS on the injection point marked with XXXX here:

<div>
  <textarea name="billing[something]" id="billing-something" rows="1" 
    type="phone" title="something" placeholder="something" cols="80">
XXXX
  </textarea>      
</div>

I can reflect any input, except < or >. All characters after those will be removed. Can I perform any kind of XSS?

Example:

  • If I introduce XXXX>XXXX I will obtain XXXX
  • XXXX[[>]>/// I will obtain XXXX[[
  • XXXX[[<]</// I will obtain XXXX[[

In other places in this application I was able to exploit inputs using payloads like nsehe"onfocus="alert(1)"autofocus="e2c00 because of <input value=".. fallback.

Lucian Nitescu
  • Have you exhausted this?: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet – TheHidden Apr 20 '18 at 09:53
  • @TheHidden Most of them fail by default (because of <>), but yes, and I also tried different encodings. – Lucian Nitescu Apr 20 '18 at 10:06
  • You can't create new tags without angle brackets. If they are always filtered out, then there is no indication this is exploitable. – Arminius Apr 20 '18 at 13:14

1 Answer

There are actually a lot of other ways you can use XSS, for example you can convert characters to either their hex or ASCII equivalents, an example is here:

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e

which is the equivalent of an alert box that says hi

<script>alert("Hi");</script>

EDIT: This blog can be quite useful for bypassing filters: https://alihassanpenetrationtester.blogspot.ie/2013/01/bypassing-xss-filters-advanced-xss.html

Connor J
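
Added example (not part of the question or the answer): a Python model of how the strings quoted on this page fare against the truncating filter described in the question and against context-aware output encoding. The function names and the filter implementation are assumptions modelled on the behaviour the question reports; the application's real code is not shown on the page.

```python
import html
import re
from urllib.parse import unquote

# Strings quoted on the page, reused here as test inputs.
ENCODED = ("%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b"
           "%3c%2f%73%63%72%69%70%74%3e")
ATTR_SAMPLE = 'nsehe"onfocus="alert(1)"autofocus="e2c00'


def truncate_at_angle(value: str) -> str:
    """Assumed model of the observed filter: drop the first < or > and
    everything after it."""
    return re.split(r"[<>]", value, maxsplit=1)[0]


def handle_param(raw_value: str) -> str:
    """Assumed request path: percent-decode once (as web frameworks do for
    query and form values), then apply the filter."""
    return truncate_at_angle(unquote(raw_value))


def render_textarea(value: str) -> str:
    """Element-body context: escaping &, < and > keeps the value as text,
    because only a literal </textarea can close the element."""
    return "<textarea>" + html.escape(value, quote=False) + "</textarea>"


def render_input(value: str) -> str:
    """Attribute context: quotes must be escaped as well, otherwise the
    value can close the attribute and add new ones."""
    return '<input value="' + html.escape(value, quote=True) + '">'


if __name__ == "__main__":
    # Decoded before filtering: the filter sees the brackets and truncates.
    print(repr(handle_param(ENCODED)))
    # Never decoded: the percent sequences are rendered as plain text.
    print(render_textarea(truncate_at_angle(ENCODED)))
    # The bracket filter does not touch quotes; attribute encoding does.
    print(truncate_at_angle(ATTR_SAMPLE) == ATTR_SAMPLE)
    print(render_input(ATTR_SAMPLE))
```

The bracket filter leaves the quote-based string untouched, which matches the `<input value="..."` behaviour the question reports elsewhere in the application; encoding per output context covers both cases without relying on a character blacklist.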