
I did a penetration test and I found several XSS vulnerabilities that were triggered in Burp Suite or curl (also in web application scanners), but when I tried to execute them in the browser, they were encoded to UTF-8 and the payload won't execute in the browser. Now I know that the encoding process is a default by the RFC in all modern browsers. If I run the payload in Burp Suite\curl\etc. it will not encode any of the special chars, so it's only the browser that does it, but the strange behaviour is that the application treats the encoded payload differently. Even if I encode the full payload to UTF-8 it won't trigger because of the code (in the response).

Live Example From Burp Suite: This payload "><script>alert(111)</script> will get a successful trigger (alert popup from XSS).

XSS Popup

Live Example From Browser: This payload "><script>alert(111)</script> will get an encoded payload that will not trigger XSS.

Payload in browser

Questions:

  1. Why does the web server treat UTF-8 as a different type?
  2. Can I exploit those vulnerabilities in real scenarios (theoretical situation against victims, from the attacker's aspect)?
  3. Do you know how to bypass it?
  4. Is there any way to send the request without the browser encoding it?
Bergi
lopa17685
  • To answer 2 & 3 & 4, you can easily bypass this by using `fetch`/`XMLHttpRequest` in JS or using other tools (such as cURL since you mentioned it) thus this is a real threat since most attackers who will try this use automated tools rather than doing everything by hand – Elias Schablowski Jul 27 '20 at 23:22
  • 2
    It is not utf8, but percent encoding. The server has nothing to do with this. You can simply pass a decoder function before you alert it. It's only a problem if the page tries to execute that queryParam. – Kaiido Jul 27 '20 at 23:48
  • The problem is like the "chicken or the egg", because I can't use fetch/XMLHttpRequest or any other JS function if I'm doing it using the browser (it won't execute). Regarding curl\Burp, I can't find any scenario where I can use it in the wild and exploit it (from the attacker's aspect) because it will be like a self-exploit (try to suggest if you have an idea). Regarding my questions, do you have any other solutions that can make it work? – lopa17685 Jul 28 '20 at 07:40
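An added example, not part of the question or the comments, that reproduces the behaviour the asker describes and the point Kaiido makes: browsers percent-encode `"`, `<` and `>` in a query string, curl and Burp Repeater do not, and the difference only matters when the server echoes the raw query string instead of the decoded parameter. The three reflect_* functions are hypothetical server handlers written for this example; the last one shows the escaping that makes the client's encoding irrelevant.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed sample input: the payload from the question.
PAYLOAD = '"><script>alert(111)</script>'


def browser_encode_query(value: str) -> str:
    # Emulates the WHATWG URL Standard's special-query percent-encode set,
    # which browsers apply to a query-string value before sending it:
    # C0 controls, anything above U+007E, space, ", #, <, > and '.
    # Everything else, e.g. ( ) / ; =, is sent as typed.  curl and Burp
    # Repeater do no such step, so they send the raw characters.
    out = []
    for ch in value:
        if ord(ch) < 0x20 or ord(ch) > 0x7E or ch in ' "#<>\'':
            out.extend('%%%02X' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def reflect_raw_query(raw_query: str) -> str:
    # Vulnerable pattern A (hypothetical server): the raw query string is
    # echoed without ever being decoded.  A browser-sent payload comes back
    # still percent-encoded and inert; the same payload from curl breaks out.
    # This is one common cause of the behaviour described in the question.
    return '<input value="%s">' % raw_query


def reflect_decoded_param(raw_query: str) -> str:
    # Vulnerable pattern B: the parameter is decoded, then echoed unescaped.
    # Here the browser's encoding buys nothing: both clients trigger the XSS.
    q = parse_qs(raw_query).get('q', [''])[0]
    return '<input value="%s">' % q


def reflect_safely(raw_query: str) -> str:
    # Fix: HTML-escape the decoded value for the attribute context it lands
    # in.  The output is inert whichever client sent the request.
    q = parse_qs(raw_query).get('q', [''])[0]
    return '<input value="%s">' % escape(q, quote=True)


if __name__ == '__main__':
    for client, value in (('browser', browser_encode_query(PAYLOAD)), ('curl', PAYLOAD)):
        for fn in (reflect_raw_query, reflect_decoded_param, reflect_safely):
            print('%-7s %-21s %s' % (client, fn.__name__ + ':', fn('q=' + value)))
```

Running it prints, for each client, which of the three handlers produces a live `<script>` tag; only the raw-query handler behaves differently between the two clients.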

0 Answers