The enchanted lands of late night research
So it's 0045 EAT and I'm up reading the OWASP Testing Guide V4. I have always used OWASP as my appsec bible, but I have never gone through this whole book. And boy, how much wonder it packs.
Anywayyyyyyyy, looking back, I discovered a duplicate vulnerability on an XYZ platform (on HackerOne). I was obviously not rewarded, but learnt something in the process. This was a full-on XSS. Burp's interceptor was able to bypass the client-side validation checks, but I needed more. I needed to execute this XSS outside Burp's context.
Looping in my favorite fuzzing payloads, I tried out a different combo of a million payloads to no avail. Okay, it was more like 55. An hour later, nothing. However, doing my research, I landed upon this beauty: the "XSS polyglot".
Polyglot background
A quick search of the word polyglot defines it as "knowing or using several languages". "Polyglot payloads", however, are, in my simple words, a long payload string that can execute in multiple contexts. These strings contain different types of encoding, so they can land in different execution contexts. XSS polyglots are exactly this: payloads that execute an XSS action as defined in the payload.
Daniel Miessler does a great job with his fuzzing payloads, which include his "ultimate XSS polyglot" payload.
However, this did not work for me. So much for ultimate. This made me realize that there is no ultimate polyglot, just different ones that might land on the application's bad side, luckily for us.
A little more research and I realized that JavaScript is a beautiful language, with a built-in function that reads decimal character codes and converts them to ASCII characters ready for execution.
To be specific, I abused the String.fromCharCode() method.
Full polyglot?
alert(String.fromCharCode(88,83,83))//--%0D%0A%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&redirect=%27%3Balert(String.fromCharCode(88,83,83))//%27%3Balert(String.fromCharCode(88,83,83))//%22%3B%0D%0Aalert(String.fromCharCode(88,83,83))//%22%3Balert(String.fromCharCode(88,83,83))//--%0D%0A%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&token=%27%3Balert(String.fromCharCode(88,83,83))//%27%3Balert(String.fromCharCode(88,83,83))//%22%3B%0D%0Aalert(String.fromCharCode(88,83,83))//%22;
Polyglot breakdown? Sure.
This method takes decimal character codes and converts them to a string (ASCII). Since 88, 83 and 83 are the codes for X, S and S, alert(String.fromCharCode(88,83,83)) gets interpreted as alert('XSS').
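As an added example (not code from the original post, nor from Daniel Miessler's payload list), here is a defender-side look at the polyglot above in JavaScript: it peels the URL-encoding layers, unfolds the String.fromCharCode() calls into the 'XSS' literal the breakdown describes, flags the result the way a log-triage script or WAF rule should, and shows that entity-encoding the value before reflecting it leaves nothing for the browser to execute. The function names and sample inputs are my own assumptions.

```javascript
// Repeatedly URL-decode until the string stops changing, so double-encoded
// payloads are inspected in their final form. Malformed escapes are kept as-is.
function peelUrlEncoding(s, maxRounds = 5) {
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { return s; }
    if (next === s) return s;
    s = next;
  }
  return s;
}

// Unfold String.fromCharCode(88,83,83) into the literal it builds ('XSS'),
// so a log reviewer sees what the browser would actually execute.
function unfoldFromCharCode(s) {
  return s.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, codes) =>
    "'" + String.fromCharCode(...codes.split(',').map(c => parseInt(c, 10))) + "'");
}

// Normalise a reflected parameter before any inspection: decode, then unfold.
function normalise(raw) {
  return unfoldFromCharCode(peelUrlEncoding(raw));
}

// Markers a triage script or WAF rule should check against the decoded and
// unfolded value, not the raw one: the encoding layers exist to slip past raw matches.
const MARKERS = [/<\/?script/i, /alert\s*\(/i, /String\.fromCharCode/i];

function looksLikeXssPolyglot(raw) {
  const decoded = peelUrlEncoding(raw);
  return MARKERS.some(re => re.test(decoded) || re.test(unfoldFromCharCode(decoded)));
}

// Mitigation: entity-encode for the HTML context before reflecting. The
// polyglot depends on landing raw in several contexts at once; once every
// metacharacter is encoded it is inert text in all of them.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return s.replace(/[&<>"'\/]/g, c => map[c]);
}

// Constructed test inputs: the opening segment of the polyglot quoted in the
// post, and a benign search string with an encoded ampersand.
const SAMPLE_POLYGLOT = 'alert(String.fromCharCode(88,83,83))//--%0D%0A%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E';
const SAMPLE_BENIGN = 'search%20term%20%26%20more';

console.log(normalise(SAMPLE_POLYGLOT));
console.log(looksLikeXssPolyglot(SAMPLE_POLYGLOT), looksLikeXssPolyglot(SAMPLE_BENIGN));
console.log(encodeForHtml(normalise(SAMPLE_POLYGLOT)));
```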
Confirmation
I formulated and pasted the polyglot into the bare browser address bar. POPPED XSS. The same was done using add-ons like:
- LiveHttpHeaders
- Hackbar Quantum