I have found an XSS vulnerability on the subdomain of a site I am testing, and using it I can set cookies for both the main site and all its subdomains.

My url currently looks like this:

http://s1.example.com/u/%22%3E%3Cmeta%20http-equiv=Set-Cookie%20content=%22sid=1234;%20path=/;%20expires=Thursday,%2020-May-15%2000:15:00%20GMT;%20domain=example.com%22%3E

The issue is that for some reason or another, the character "/" is filtered out (no other characters are), meaning that although I can set cookies for the main site and all its subdomains, I can only set them for the path /u/, as that is where the attack is launched from on the subdomain. Is there any way to set the path to / without actually using the /?

Thank you very much for any help!

SilverlightFox
WH567

3 Answers

Your content is going into an HTML attribute, encoded in a URL. That gives you two possible forms of encoding:

  • URL-encoding: %2F. Although this should in principle work, both IIS and Apache block the use of URL-encoded slashes due to some past security issues.

  • HTML-encoding: &#47;, or rather, as it is itself in a URL, %26%2347%3B.

(Although... since you appear to have an injection into HTML attribute, is there any reason not to go straight for the more-damaging and better-supported %22%3E%3Cscript%3E...?)

bobince

Try URL encoding the / character with the hex representation %2F.

Remove the whole %20path=/ section - the HTTP response header should set everything at root level.

If that doesn't work inside a meta http-equiv, try the HTML-encoded version of the path, as, because the content is in HTML, it should be correctly decoded (/).

Alternatively you could inject JavaScript to set the cookie via client-side script and set the path via entity encoding (\x2f).

SilverlightFox
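The two encoding layers bobince describes (percent-decoding by the server, then HTML entity decoding by the browser) and the question of what path a cookie gets when the Path attribute is dropped, as raised in the last answer, both come down to how a user agent processes a Set-Cookie string. The following is an added example, not code from the question or any of the answers: it decodes a meta-tag content attribute the way a browser would, parses the resulting Set-Cookie string, and applies the RFC 6265 default-path and path-match rules so a reviewer can see exactly which path a cookie set this way ends up scoped to. The sample strings and URL are constructed for illustration.

```python
"""Added example (not from the original question or answers): decode a
Set-Cookie string as it arrives inside a <meta http-equiv="Set-Cookie"
content="..."> attribute that itself came from a URL, then work out the
cookie's effective Path using the RFC 6265 rules. All sample inputs are
constructed."""
from __future__ import annotations

import html
from urllib.parse import unquote, urlsplit


def decode_meta_content(url_fragment: str) -> str:
    """Two decoding layers: percent-decoding when the server echoes the
    URL into the page, then HTML entity decoding when the browser parses
    the attribute value. %26%2347%3B -> &#47; -> /"""
    return html.unescape(unquote(url_fragment))


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into name, value and a dict of
    attributes keyed case-insensitively (valueless flags map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4: when no usable Path attribute is given, the
    cookie-path is the request path up to, but not including, its
    rightmost '/', or '/' if that would leave nothing."""
    if not request_path or not request_path.startswith("/"):
        return "/"
    idx = request_path.rfind("/")
    if idx == 0:
        return "/"
    return request_path[:idx]


def effective_path(set_cookie: str, request_url: str) -> str:
    """Path the user agent actually stores: the Path attribute if present
    and absolute (RFC 6265 section 5.2.4), otherwise the default-path of
    the URL the Set-Cookie came from."""
    _, _, attrs = parse_set_cookie(set_cookie)
    path = attrs.get("path", "")
    if path.startswith("/"):
        return path
    return default_path(urlsplit(request_url).path)


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: identical, or cookie-path is a
    prefix ending in '/', or the next request-path character is '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


if __name__ == "__main__":
    # Constructed sample: the content attribute as it appears in the URL.
    encoded = "sid=1234;%20path=%26%2347%3B;%20domain=example.com"
    decoded = decode_meta_content(encoded)
    print("decoded Set-Cookie:", decoded)
    print("parsed:", parse_set_cookie(decoded))

    page = "http://s1.example.com/u/page"  # constructed request URL
    print("with Path=/ :", effective_path(decoded, page))
    print("without Path:", effective_path("sid=1234; domain=example.com", page))
    print("/u matches /users?", path_matches("/u", "/users"))
```

Running the block shows the point a reviewer should take from this thread: with the Path attribute removed the cookie is scoped to the default-path "/u", not to "/", and "/u" does not path-match "/users" while "/" matches everything. The Path attribute is a scoping hint for the user agent rather than a security boundary, which is why same-origin pages under any path can still read a cookie that is not HttpOnly.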