Hacking Book | Free Online Hacking Learning


xss triple url encoding bypasses instance

Posted by chiappelli at 2020-02-27

0x00 Preface

Cross site scripting, abbreviated as XSS, is a malicious attacker who inserts malicious script code into a web page. When the user browses the page, the script code embedded in the web will be executed, so as to achieve the purpose of malicious attacks on the user. In the black box penetration, XSS is common in many websites. Here we share a simple and interesting XSS triple URL code to bypass the vulnerability instance.

0x01 vulnerability instance

In a test, we met a wonderful XSS. Let's add a double quotation mark to see the output:

As shown in the figure, it can be seen that the double quotation mark has been escaped. At this time, is there an idea to give up? In the state of trying, I double code the double quotation mark with URL, and then look at the output:

It's a surprise to find that it's escaped again. Normally, if the accept parameter is directly output by HTML encode, the output here should be% 22, but the output here is & quote;, indicating that the server has decoded the URL after receiving the parameter.

Let's add a layer of URL encoding, that is, triple URL encoding, and then look at the output:

The URL encoding is restored to double quotes, closing the previous double quotes and bringing them into HTML. We can easily construct payload to implement XSS.

0x02 thinking and summary

Through the black box test, we can reverse the code logic of the server. The code of the server may be written in this way. Take PHP as an example:

$a=urldecode($_GET['id']); //接收参数并进行url解码
$b=htmlspecialchars($a);   //HTML ENCODE处理,到这里都是没有问题的
echo urldecode($b);        //最后,url解码输出

In the code logic of this side, the root cause of the problem lies in the URL decoding output of the last sentence, which leads to XSS code bypass. According to the actual situation, the safety suggestion is that HTML encode can output variables directly after processing.

An interesting process of vulnerability mining, the fun of black box penetration, you can't imagine the surprise that the server will return to you with the payload you constructed. So, for penetration testing, we should be careful and patient enough, and dare to question everything and encourage.

People who like this article also like it······

A kind of [code audit] getshell caused by easysns UU v1.6 remote image localization

A kind of [code audit] SQL secondary code injection vulnerability example (with tamper script)

A kind of [code audit] mipcms remote write configuration file getshell

A kind of [code audit] cltphp [v5.5.3 foreground XML external entity injection vulnerability


About Me

A network security enthusiast has a paranoid pursuit of technology. Committed to sharing original high-quality dry goods, including but not limited to: penetration testing, WAF bypass, code audit, security operation and maintenance.