This blog post is a description of a Cross Site Scripting I found in a Banking Application while testing it. I cannot disclose the name obviously, so you would have to gain trust on me.
Why I am writing a blog post on , "just a XSS", is because i thought this is a bit different from what all we keep finding.
There were quite a number of filters and constraints which kept me indulged in it for some time.
Restriction 1: Tags were not allowed. If you put any input so that it completes a tag, session gets closed. Point to be noticed, Open tag was allowed.
Restriction 3: Max Length of 35 characters.
1 Plus Point: Web application was only accessible in IE.
When i started the test, disliked this fact. But by the end, I loved this one. I was trying with VBscript payloads. But the issue of tags and length based was worst.
As there were four input parameters, I thought of breaking my payload into parts and then inject.
I tried with opening the img src in one input, and then using a single quote trick, took the alert part to next input. So that my payloads being
1st Payload: "><img src='a
2nd Payload: ' onerror=alert(1) size="
So that, whatever comes in between 1st payload and second one, it becomes the value of the src attribute. But, it didn't worked. Reason being, there was already a single quote in between the two reflection points which caused the value to be broken in between only.
In place of single quotes, another idea was a pair of /* and */ . but this didn't worked as well.
3rd option, CDATA, i.e. a pair of <![CDATA[ and ]]>. But this also didn't worked and I later realised this was a stupid one. How can I give a tag inside a tag. Syntactically wrong.
4th option: To use eval function. so possible payloads:
2nd Payload: ) ONERROR=ALERT(1) SIZE="
But this one popped something cool into my mind. Why not use A href with vbscript, already the application was into IE so all potential victims will be using IE only.
So i crafted the payloads as :
1st payload: "><A HREF="VBSCRIPT:MSGBOX(1)"
2nd Payload: ">)AAAAA><A"
This time the payload got injected, but didnt gave me any hyperlink on the page except a normal text of "AAAAA". I realized, things were going into two tables, so why not close them using two more parameters. We already have four vulnerable parameters.
Next set of payloads I tried.
1st Payload: "></TABLE b="
2nd Payload: "></TABLE b="
3rd Payload: "><A HREF="VBSCRIPT:MSGBOX(1)"
4th Payload: ">)AAAAA><A"
I used the left back values of "value" attribute each time into the tag which I was injecting, i.e. in table of A tag.
Result : POP UP.