Bypassing HTML5/Javascript XSS Restrictions

OVERVIEW:

A quick PoC/tutorial on bypassing client-side HTML5/Javascript XSS filters in Infosec Institutes Level 1 CTF challenge. Full details on the challenge can be found here: http://ctf.infosecinstitute.com/ctf2/. All credits go to [email protected]

STEP 1: Inspect the Site Name element

Since the application performs character encoding for the “<” and “>” characters, we will need to check the code to see if the sanitization is occurring at the server level, or client side. If it’s client-side (ie. HTML5/Javascript), this can be altered and bypassed by the user. To do this, use any web browser and right-click on the “Site Name” form element and click the “Inspect Element” option. This will open developer tools which will allow us to edit the properties.

STEP 2: Remove client side restrictions

Replace the existing input field to increase the maxsize field and remove the characters allowed property as follows:

<input type="text" placeholder="Name of site" maxsize="100" class="form-control" required="" name="name">

STEP 3: Edit the ex1.js file to remove character encoding

Since the web application also appears to be sanitizing the “<” and “>” characters via ex1.js (Javascript), we will need to edit the client side javascript first to bypass this. This can be done in web developer tools by clicking the Sources” tab and editing the ex1.js to remove the HTML character encoding:

var siteName = $(".ex1 input[type='text']").val().trim().replace(/</g, "<").replace(/>/g, ">");
var siteURL = $(".ex1 input[type='url']").val().trim().replace(/</g, "<").replace(/>/g, ">");

STEP 4: Enter the XSS payload

After the client side validation and sanitizing is removed, enter the following payload into the “Site Name” field and click “Submit”.

<script>alert('Ex1')</script>

RESULT:

The result is that our Javascript alert window was successfully injected into the page after all client-side code was altered and bypassed. To prevent these types of attacks, validation should be done from a server side component that the user cannot control or edit.

Leave a Reply