By Julian Berton (LinkedIn)
Recently, I presented a lightning talk at Ruxcon 2014, on a cross-site scripting issue we discovered on a client engagement, and two interesting ways in which we could bypass the WAF present (as well as Firefox’s cross-site scripting filter).
The cross-site scripting issue we found was fairly standard at first, with an initial URI like the following:
This generates a page like the screenshot below, with the reference number pulled from a vulnerable parameter in a URI, with the “jquery.query.get()” function.
After some further investigation, we found the code behind this vulnerability as follows:
Note the stages of this vulnerability – “jquery.query.get()” is used to retrieve the user’s reference number from the URI, the actual reference number is extracted through a string split, and then this is passed to the append() function, writing it to a page without filtering.
(the base64 part decodes to the following):
Again, the base64 component inside the SVG decodes as follows:
As it turns out, we didn’t have to do any of this. The “jquery.query.get()” function, used to fetch the request acknowledgement number, executes on a user’s browser, and can accept input from URL fragment identifiers.
These fragment identifiers aren’t subject to the interference of a WAF (since they never go to the server) – thus, we can modify our proof-of-concept URI as follows, to make it work locally against a user’s browser:
Note that the question mark in the original URI is now a hash – it’s that simple.
I’ll put up a more detailed blog post ~soon~, with a little more background to this vulnerability, as well as how we managed to identify this issue, so watch this space.
For now, you can download my Ruxcon slides here.