Multi-Stage Payload : Cross Site Scripting Encounter

Hi All,

This blog post is a description of a Cross Site Scripting I found in a Banking Application while testing it. I cannot disclose the name obviously, so you would have to gain trust on me.

Why I am writing a blog post on , "just a XSS", is because i thought this is a bit different from what all we keep finding.

There were quite a number of filters and constraints which kept me indulged in it for some time.

Restriction 1: Tags were not allowed. If you put any input so that it completes a tag, session gets closed. Point to be noticed, Open tag was allowed.

Restriction 2: Whatever stuff you inject with great force, application was reflecting it in Upper case, so dude.. No javascript shit.

Restriction 3: Max Length of 35 characters.

1 Plus Point: Web application was only accessible in IE.

When i started the test, disliked this fact. But by the end, I loved this one. I was trying with VBscript payloads. But the issue of tags and length based was worst.

As there were four input parameters, I thought of breaking my payload into parts and then inject.




 I tried with opening the img src in one input, and then using a single quote trick, took the alert part to next input. So that my payloads being

1st Payload: "><img src='a
2nd Payload: ' onerror=alert(1) size="

So that, whatever comes in between 1st payload and second one, it becomes the value of the src attribute. But, it didn't worked. Reason being, there was already a single quote in between the two reflection points which caused the value to be broken in between only.



In place of single quotes, another idea was a pair of /* and */ . but this didn't worked as well.

3rd option, CDATA, i.e. a pair of <![CDATA[ and ]]>. But this also didn't worked and I later realised this was a stupid one. How can I give a tag inside a tag. Syntactically wrong. 

4th option: To use eval function. so possible payloads: 

1st payload: "><IMG SRC=JAVASCRIPT:ALERT(
2nd Payload: ) ONERROR=ALERT(1) SIZE="

It also didn't worked with an issue. Guess what, javascript is case sensitive. 





But this one popped something cool into my mind. Why not use A href with vbscript, already the application was into IE so all potential victims will be using IE only. 

So i crafted the payloads as :

1st payload: "><A HREF="VBSCRIPT:MSGBOX(1)"
2nd Payload: ">)AAAAA><A"

This time the payload got injected, but didnt gave me any hyperlink on the page except a normal text of "AAAAA". I realized, things were going into two tables, so why not close them using two more parameters. We already have four vulnerable parameters.






 Next set of payloads I tried.

1st Payload: "></TABLE b="
2nd Payload: "></TABLE b="
3rd Payload: "><A HREF="VBSCRIPT:MSGBOX(1)"
4th Payload: ">)AAAAA><A"


I used the left back values of "value" attribute each time into the tag which I was injecting, i.e. in table of A tag.






Result : POP UP.





 You can learn Ehtical Hacking from the Infosec Institute, one of the leading institute in the field of Information Security training:  http://www.infosecinstitute.com/courses/ethical_hacking_training.html

Learn Adobe CQ Pentesting from this resource: http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/