
I am attempting to exploit a URL with a reflected XSS as follows:

http://domain.com/vuln_parm=

The contents of vuln_parm get returned to the user as follows:

<div attrib1="" attrib2="" vulnattrib=""></div>

This works from within Burp:

http://domain.com/vuln_parm="style="background-image:url(someurl)"

as it gets sent back to the user as:

<div attrib1="" attrib2="" vulnattrib=""style="background-image:url(someurl)"></div>

The problem is the server doesn't decode the quotes. With Firefox, if I send the string, Firefox automatically encodes the quotes as %22. The server just reflects the %22 back. If I use IE (which doesn't encode quotes), the server reflects the quotes as ". However, IE correctly detects this as XSS and displays the "IE has modified this page to help prevent XSS" message.

Any ideas?

Raul Esteban
    I don't understand the question. What are you looking for ideas on? – Jesse K Aug 28 '15 at 20:15
  • The server doesn't decode %22 as a quote in the reflection. It also doesn't decode other URL encoded characters either. The server also doesn't encode a quote sent to it. So I can achieve XSS with IE if it didn't have an XSS filter. I either need 1) a method which evades the IE filter 2) a method to send a quote without encoding using Firefox, Chrome, etc. Does anyone know how to achieve either of these methods? – Raul Esteban Aug 28 '15 at 20:29
  • So what is your question? – Michał Perłakowski Aug 28 '15 at 20:30
  • What is your objective? To craft a malicious URL to share with people using modern web browsers, if so the encoding or XSS security is not easily bypassed. If you want to check the response of the site, why limit yourself to a browser? Either way, this is unanswerable. – David Houde Aug 29 '15 at 03:06

2 Answers


I can't tell you what will work because I don't have the application in order to test it myself. I can only suggest things you should try in your response.

Try:

  • HTML encoding " in the URL.
  • Double URL encoding " in the URL (%25%32%32).
  • Double URL encoding " in the URL (%2522).
  • HTML encode then URL encode.
  • Combinations of the above.
  • Try UTF-7 XSS exploits.
  • Try constructing the URL from a redirect instead of via the browser address bar. Try different types of redirect: HTTP 3XX, JavaScript location (try setting different properties of the location object), meta refresh, redirect via Flash/Silverlight.

Find out how the application responds to the above probes. Maybe it isn't possible at all because in this case you definitely need to find a way of escaping the double quote in order to add your attribute.

SilverlightFox
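As an added example (not code from this thread or its authors), the reflection from the question modelled in Python: a handler that reflects the raw parameter the way the question's server does, next to a hardened one that decodes once and applies attribute-context output encoding, plus a parser check that reports whether the reflected value produced an extra attribute. The template, attribute names and payload are constructed from the markup the question shows, and the check also covers the %22 and double-encoded variants discussed above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed stand-in for the reflection in the question: the parameter
# value lands inside the quoted vulnattrib attribute of a <div>.
TEMPLATE = '<div attrib1="" attrib2="" vulnattrib="{value}"></div>'
EXPECTED_ATTRS = {"attrib1", "attrib2", "vulnattrib"}
# The question's payload without its trailing quote, so the template's own
# closing quote yields exactly the markup the question shows.
PAYLOAD = '"style="background-image:url(someurl)'

def render_vulnerable(raw_param: str) -> str:
    """What the question's server does: reflect the raw value unchanged,
    so a literal quote breaks out of the attribute but %22 does not."""
    return TEMPLATE.format(value=raw_param)

def render_hardened(raw_param: str) -> str:
    """Decode the parameter once, then apply attribute-context output
    encoding so the value can never close the attribute it sits in."""
    decoded = unquote(raw_param)
    return TEMPLATE.format(value=html.escape(decoded, quote=True))

class _DivAttrs(HTMLParser):
    """Collects the attributes the HTML parser actually assigns to the div."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "div":
            self.attrs = dict(attrs)

def div_attributes(rendered: str) -> dict:
    parser = _DivAttrs()
    parser.feed(rendered)
    parser.close()
    return parser.attrs

def attribute_injected(rendered: str) -> bool:
    """Detection check: True if the reflection added any attribute beyond
    the three the template defines (e.g. the injected style=)."""
    return not set(div_attributes(rendered)) <= EXPECTED_ATTRS

if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(PAYLOAD)),
                        ("hardened", render_hardened(PAYLOAD))):
        print(f"{label}: injected={attribute_injected(page)} {page}")
```

The hardened handler turns the literal quote into &quot;, so the browser's parser keeps the whole value inside vulnattrib, while decoding once means a %2522 probe simply ends up as a harmless literal %22.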

The browser IE uses its own security feature to prevent the XSS. The XSS Filter, a feature new to Internet Explorer 8, detects JavaScript in URL and HTTP POST requests. If JavaScript is detected, the XSS Filter searches for evidence of reflection, information that would be returned to the attacking Web site if the attacking request were submitted unchanged. If reflection is detected, the XSS Filter sanitizes the original request so that the additional JavaScript cannot be executed.

The answer to your question is that the URL on which you are trying to perform the XSS attack can be exploitable, as the server responds with the same payload as requested in the vulnerable parameter.

Please go through UTF-7 XSS attacks in modern browsers.

ammy