At the low security level the injected script is not filtered at all: an attacker simply submits it in the text field provided for "name", which the developer only requires not to be left empty.
2. Stored Cross Site Scripting
Set the security level to low.
Now look at a small script that generates an alert window. I will inject it in the text area given for the message, so that it is stored on the server:
<script>alert("helllooo")</script>
Now, when a user visits this page to read our message, the browser executes our script and shows the alert prompt, as in the following screenshot.
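The stored-XSS sink described above, as an added example that is not DVWA's code or the article's: a guestbook renderer that splices the stored message straight into the page, next to the same renderer with output encoding for the HTML body context. The message data and the function names (renderGuestbookVulnerable, renderGuestbookSafe, escapeHtml) are this example's own.

```javascript
// Added example, not code from the original article or from DVWA.
// MESSAGES is constructed sample data; the second entry is the payload from
// the walkthrough above.
const MESSAGES = [
  { name: 'alice', body: 'hello everyone' },
  { name: 'attacker', body: '<script>alert("helllooo")</script>' },
];

// Vulnerable sink: the stored message is concatenated into the page as-is, so
// a message containing a <script> element runs in every reader's browser.
function renderGuestbookVulnerable(messages) {
  return messages
    .map(m => `<div class="message"><b>${m.name}</b>: ${m.body}</div>`)
    .join('\n');
}

// Encode the five characters that can change meaning in HTML body and
// attribute context. This is the right encoder for this sink only: a value
// placed inside a <script> block, an event handler or a URL needs a different one.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened sink: every untrusted value is encoded at the point of output.
function renderGuestbookSafe(messages) {
  return messages
    .map(m => `<div class="message"><b>${escapeHtml(m.name)}</b>: ${escapeHtml(m.body)}</div>`)
    .join('\n');
}

// Does the rendered HTML still contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('--- vulnerable ---\n' + renderGuestbookVulnerable(MESSAGES));
console.log('--- encoded ---\n' + renderGuestbookSafe(MESSAGES));
```

The encoded output still shows the attacker's text to readers, but as literal characters (`&lt;script&gt;...`) rather than as markup, which is the behaviour the stored-XSS fix in DVWA's higher security levels aims for.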
XSS FIREWALL BYPASSING
Firewalls, IDS and IPS are the most common security mechanisms used to protect infrastructure from attackers, and of these firewalls are the most widely deployed. A network firewall sits at the network layer and inspects packets; a web application firewall (WAF) sits at the application layer, where it monitors the HTTP and HTTPS traffic between clients and servers and blocks requests that match the signatures pre-configured in its rule database. Before trying to bypass a WAF you need to know which one you are facing, and each product gives itself away: through the cookies it sets, or through the status code and response body it returns when it blocks a request.
1. Fingerprinting F5 BIG-IP ASM
F5 BIG-IP ASM is one of the world's best-known web application firewalls, with deep inspection capabilities. Like Citrix NetScaler, it adds certain cookies of its own to the HTTP communication, and those cookies identify it even when nothing is blocked. The following demonstrates a non-malicious GET request that was submitted to an application running behind an F5 BIG-IP ASM firewall.
2. Fingerprinting ModSecurity
ModSecurity is an open source WAF originally designed for the Apache HTTP server. Because it is open source it has been bypassed many times, and its detection rules have been significantly improved as a result. A malicious request sent to an application running behind ModSecurity returns a "406 Not Acceptable" error, and the response body also reveals that the error was generated by ModSecurity. Note that the status code is whatever the blocking rule's deny action is configured to send, so a 403 is at least as common as a 406; the body text is the more reliable tell.
3. Fingerprinting WebKnight
WebKnight is another popular web application firewall, designed specifically for IIS servers. It works from a blacklist and looks for common attack patterns such as SQL injection, directory traversal and XSS. Unlike other WAFs, WebKnight is very easy to fingerprint: a malicious request returns a "999 No Hacking" response.
4. Fingerprinting dotDefender
dotDefender is another well-known WAF, designed to protect .NET applications against well-known attacks. Like ModSecurity and WebKnight, dotDefender reveals itself in the response body when a malicious request is sent to a web application it protects.
5. Fingerprinting With Wafw00f
Wafw00f is a small tool written in Python specifically for fingerprinting web application firewalls. It runs five different kinds of test to detect a WAF: tracking the cookies that appear in the HTTP traffic; analysing the HTTP responses received for deliberately malicious requests; sending dropped packets such as FIN and RST and looking at what comes back; testing for server cloaking by modifying the URL and altering the HTTP method; and testing for pre-built negative signatures, which vary from one WAF to another.
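The passive fingerprints from steps 1 to 4 above, applied to raw HTTP responses by a small script. This is an added example, not code from the article or from wafw00f. The sample responses are constructed for the demo rather than real captures, and the cookie-name pattern used for F5 BIG-IP ASM (a name starting with TS followed by hexadecimal digits) comes from public documentation and wafw00f's signature, not from this page; the article itself only says the product "adds certain cookies".

```javascript
// Added example, not code from the original article or from wafw00f.
// SAMPLES are constructed responses that exhibit the tells described above.
const SAMPLES = {
  f5: 'HTTP/1.1 200 OK\r\nSet-Cookie: TS01a2b3c4=0123abcd; Path=/\r\nContent-Type: text/html\r\n\r\n<html>ok</html>',
  modsecurity: 'HTTP/1.1 406 Not Acceptable\r\nContent-Type: text/html\r\n\r\n<html>Not Acceptable: request rejected by Mod_Security</html>',
  webknight: 'HTTP/1.1 999 No Hacking\r\nContent-Length: 0\r\n\r\n',
  dotdefender: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>dotDefender Blocked Your Request</body></html>',
  unprotected: 'HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=abc123; Path=/\r\n\r\n<html>ok</html>',
};

// Minimal parser for a raw HTTP/1.x response: status line, headers, body.
// Header names are lower-cased; repeated headers (Set-Cookie) are kept as a list.
function parseHttpResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const [statusLine, ...headerLines] = head.split('\r\n');
  const m = /^HTTP\/\d(?:\.\d)? (\d{3})(?: (.*))?$/.exec(statusLine);
  if (!m) throw new Error('not an HTTP response: ' + statusLine);
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(idx + 1).trim());
  }
  return { status: Number(m[1]), reason: m[2] || '', headers, body };
}

// Cookie names from every Set-Cookie header in the response.
function cookieNames(res) {
  return (res.headers['set-cookie'] || []).map(v => v.split('=')[0].trim());
}

// Apply the tells from the text: WebKnight's 999 status, ModSecurity's 406 plus
// self-identifying body, dotDefender's body, and F5's TS* cookie (assumed name
// pattern, see lead-in). Returns the product name or null.
function fingerprintWaf(res) {
  if (res.status === 999 && /no hacking/i.test(res.reason)) return 'WebKnight';
  if (res.status === 406 && /mod_?security/i.test(res.body)) return 'ModSecurity';
  if (/dotdefender/i.test(res.body)) return 'dotDefender';
  if (cookieNames(res).some(n => /^TS[0-9a-f]{4,8}$/i.test(n))) return 'F5 BIG-IP ASM';
  return null;
}

// Run every sample through the fingerprinter and return label -> verdict.
function fingerprintAll(samples) {
  const verdicts = {};
  for (const [label, raw] of Object.entries(samples)) {
    verdicts[label] = fingerprintWaf(parseHttpResponse(raw));
  }
  return verdicts;
}

console.log(fingerprintAll(SAMPLES));
```

The F5 check is the only one that works on a benign request; the other three need a request the WAF actually blocks, which is why tools such as wafw00f send both a normal and a deliberately malicious request and compare the two responses.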
XSS General Filter Evasion Cheat Sheet
All of us will have encountered an endpoint that takes a URL as a parameter and redirects to it using JavaScript, like:
location.href='URL'
window.location.href='URL'
window.location.replace('URL')
window.location='URL'
VARIOUS FORMATS:-
1. \x[HEX]
2. \u00[HEX]
Format 1 : javascript: --> \x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a
Format 2 : javascript: --> \u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a
Both are JavaScript string escape sequences for the characters of javascript:, so when the parameter lands inside a string literal the engine evaluates it to the blocked word while a filter that only inspects the raw text never sees it.
BYPASSING THIS FORMAT:
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
These are a few alternatives to the newline character that you can try if the newline itself is blocked. They work because browsers strip tab, newline and carriage return characters when parsing a URL, so java[0x09]script: still resolves to the javascript: scheme:
[0x09] <---- Horizontal Tab
[0x0d] <---- Carriage Return
\t <---- Horizontal Tab
\n <---- Newline
\r <---- Carriage Return
Now let's assume that
'javascript:',
'\x',
'\u',
[0x0a, 0x09, 0x0d] and
[\n, \t, \r]
are all blocked.
What happens if we escape a character that does not form a control character or an escape sequence (\n, \t, \b, \v, \f, \r and, of course, \x and \u too)? The answer is NOTHING. Inside a JavaScript string literal an unrecognised escape is an identity escape: the backslash is simply dropped and the character stands for itself. So we can put an escape character in front of any character except n, t, b, v, f, r, x, u and the digits (a digit starts an octal escape), and a filter that matches on the raw text never sees the word javascript: at all.
Bypass : \j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
Once the engine has evaluated the string literal, this reads javascript:alert(1).
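The whole cheat sheet above (the redirect sinks, the \x and \u formats, the whitespace alternatives and the identity-escape bypass) as one added example that is not code from the original article. It implements a JavaScript string-literal decoder that follows the engine's sloppy-mode escape rules, runs the three payload shapes through a raw-text blacklist of the kind the cheat sheet defeats, and then applies a scheme allowlist to the decoded, URL-parsed value instead. Function and constant names (decodeJsString, naiveFilterBlocks, isSafeRedirectTarget, BASE) are this example's own, and BASE is a placeholder origin used only to resolve relative redirect targets.

```javascript
// Added example, not code from the original article. Node.js, no dependencies.

// The three payload shapes from the cheat sheet, as the raw text a filter sees.
const HEX_BYPASS = String.raw`\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)`;
const UNICODE_BYPASS = String.raw`\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)`;
const ESCAPE_BYPASS = String.raw`\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)`;

const SINGLE_CHAR_ESCAPES = { n: '\n', t: '\t', r: '\r', b: '\b', v: '\v', f: '\f' };

// Evaluate the escapes in a string-literal body the way the engine does:
// named escapes, \xHH, \uHHHH, \u{...}, legacy octal, line continuations, and
// identity escapes (backslash dropped) for every other character. Malformed
// \x or \u throws, mirroring the engine's SyntaxError.
function decodeJsString(body) {
  let out = '';
  let i = 0;
  while (i < body.length) {
    const ch = body[i];
    if (ch !== '\\') { out += ch; i += 1; continue; }
    const next = body[i + 1];
    if (next === undefined) throw new SyntaxError('dangling backslash');
    if (next in SINGLE_CHAR_ESCAPES) { out += SINGLE_CHAR_ESCAPES[next]; i += 2; continue; }
    if (next === 'x') {
      const hex = body.slice(i + 2, i + 4);
      if (!/^[0-9a-f]{2}$/i.test(hex)) throw new SyntaxError('bad \\x escape');
      out += String.fromCharCode(parseInt(hex, 16));
      i += 4;
      continue;
    }
    if (next === 'u') {
      const rest = body.slice(i + 2);
      const braced = /^\{([0-9a-f]{1,6})\}/i.exec(rest);
      if (braced) { out += String.fromCodePoint(parseInt(braced[1], 16)); i += 2 + braced[0].length; continue; }
      const plain = /^[0-9a-f]{4}/i.exec(rest);
      if (!plain) throw new SyntaxError('bad \\u escape');
      out += String.fromCharCode(parseInt(plain[0], 16));
      i += 6;
      continue;
    }
    if (next >= '0' && next <= '7') {
      // Legacy octal escape: up to three digits, only two when the first is 4-7.
      const maxLen = next <= '3' ? 3 : 2;
      const oct = new RegExp('^[0-7]{1,' + maxLen + '}').exec(body.slice(i + 1))[0];
      out += String.fromCharCode(parseInt(oct, 8));
      i += 1 + oct.length;
      continue;
    }
    if (next === '\r' && body[i + 2] === '\n') { i += 3; continue; } // line continuation
    if ('\n\r\u2028\u2029'.includes(next)) { i += 2; continue; }     // line continuation
    out += next; // identity escape: \j is just j, \: is just :
    i += 2;
  }
  return out;
}

// A raw-text blacklist of the kind the cheat sheet is written against: it
// rejects the scheme name, the \x and \u prefixes and the three whitespace
// characters, and never decodes anything before matching.
const NAIVE_BLACKLIST = /javascript:|\\[xu]|[\n\t\r]/i;
function naiveFilterBlocks(raw) {
  return NAIVE_BLACKLIST.test(raw);
}

// Hardened check on the value the engine would actually see: parse it as a URL
// (the WHATWG parser strips tab, CR and LF exactly as browsers do, so
// "java<TAB>script:" still comes out as the javascript: scheme) and allow only
// http(s). A real redirect handler would additionally pin the host.
const BASE = 'https://example.com/'; // placeholder origin for relative targets
function isSafeRedirectTarget(decodedTarget) {
  let url;
  try { url = new URL(decodedTarget, BASE); } catch (e) { return false; }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

for (const raw of [HEX_BYPASS, UNICODE_BYPASS, ESCAPE_BYPASS]) {
  const decoded = decodeJsString(raw);
  console.log(`${raw}\n  blacklist blocks raw text: ${naiveFilterBlocks(raw)}` +
              `\n  engine sees: ${decoded}\n  allowlist accepts decoded: ${isSafeRedirectTarget(decoded)}`);
}
```

The blacklist catches the \x and \u payloads only because it happens to list those two prefixes; the identity-escape payload slips through untouched, yet decodeJsString turns all three into the same javascript:alert(1). Matching after decoding, and allowlisting the scheme of the parsed URL rather than searching the text for forbidden words, is what closes the whole family of variants at once.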
Conclusion
Cross-site scripting is one of the most dangerous and most common website vulnerabilities on the internet. An XSS attack comes in many forms, ranging from something as small as a pop-up window to something as destructive as a virus or a worm, and worse: XSS is capable of compromising a person's identity. Nobody is ever completely safe from it. As XSS vulnerabilities continue to grow, the best protection is to stay alert and to know what to do when you come across one.