DOM XSS Behind a WAF

Here’s the scenario, which seems obvious at first but took some time for me to figure out. It may be because I don’t find that many DOM XSS… they’re kinda tough to find. Anyway, say you receive the following response.

HTTP/1.1 200 OK
Content-Type: text/html

<html>
<script>
function funcURL() {
   var mDiv = document.getElementById('mid');
   mDiv.innerHTML = document.URL;
}
window.onload = funcURL
</script>
<body>
<div id="mid"></div>
</body></html>

An exploit doesn’t get much more straightforward than that. But here’s the catch: the URL is behind a pretty stringent WAF, where input such as <, >, and ‘ is completely rejected. Is this still exploitable? Think about this for a second (the hint is that it definitely is exploitable).

Ok. Done? Have a working exploit?

My first thought was to abuse the fact that Content-type is not set to UTF-8. I had no luck with this.

Then I had a duh moment. # are part of document.URL, but NOT sent to the server, so the waf never sees this. So that’s the exploit. But still, innerhtml defers execution, so that needs to be addressed as well – not quite as simple as <script>alert(1)</script> although close. The final URL works:

https://madeupbadURL.html?aaab#<img/src=’b’/onerror=alert(1)&gt;