Welcome back XSSers! Today we are going to learn XSS, bypass a WAF, and do it with the shortest payload possible.
So I have a webpage here
and I am going to enter our classic payload i.e.
Oops! Access Denied! Looks like some WAF is blocking our way. So I am going to encode our payload with URL encoding. You can find websites on Google that do this, but I like to use the HackBar plugin for Mozilla Firefox.
So I entered my payload and clicked on the Encode button
and here we have this beautiful URL encoded payload
So let's see if it works or not
Hell yeah! We successfully XSSed it!
Hmmm, that was really easy, but what if the search form doesn't allow us to enter more than 35 characters? Or 25?
Let's try to shorten this 75 characters long payload.
First of all, we don't really need to encode everything. Why would a WAF block letters of the alphabet? So let's find out which characters the WAF actually blocks by trying different variations of the payload:
%3cscript>alert(1)%3c%2fscript> Access Denied
<script%3ealert(1)%3c/fscript%3e Access Denied
And actually we can also use alert() instead of alert(1). alert() shows an empty alert pop up and saves us 1 character.
So here’s our final payload with 31 characters:
<svg onload=alert()> Access Denied
I tried different variations of the payload to find out what needs to be encoded, and here's what I got:
%3csvg onload%3dalert()> Success
Thus we shortened our payload to 24 characters! Can we make it even shorter? Yes we can, and actually I did. Take a look at this beautifully crafted payload
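The reason the encoded variants above get through is that the filter compares the raw query string against literal tokens such as "<script" and "onload=" without decoding first. The following added example (not from the original post, and not any real WAF product's code) contrasts that literal-only check with one that percent-decodes the input before matching, and shows the control that actually closes the hole: HTML-escaping the reflected search term at output time. The sample inputs are constructed from the payload variants shown in the post plus a double-encoded one and two benign strings.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs: payload variants from the post, one double-encoded
# variant, and two benign search terms. The value is whether a correct filter
# should treat the input as a markup injection attempt.
SAMPLES = {
    "<script>alert(1)</script>": True,
    "%3cscript>alert(1)%3c%2fscript>": True,
    "<svg onload=alert()>": True,
    "%3csvg onload%3dalert()>": True,
    "%253csvg onload%253dalert()>": True,   # double-encoded (constructed)
    "hello world": False,
    "price %3c 100": False,                 # encoded '<' with no tag name after it
}

# Literal-only blocklist in the style of the filter the post defeats.
BLOCKLIST = ("<script", "onload=")


def naive_waf_blocks(value: str) -> bool:
    """Matches raw tokens only; any percent-encoding of '<' or '=' slips past."""
    v = value.lower()
    return any(token in v for token in BLOCKLIST)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so layered encoding cannot hide characters."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


# After normalization, look for a tag start ("<svg", "<script") or an
# event-handler attribute ("onload=", "onerror=") rather than fixed strings.
TAG_RE = re.compile(r"<\s*[a-z][a-z0-9]*")
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=")


def normalized_waf_blocks(value: str) -> bool:
    """Decode first, then match on structure instead of literal bytes."""
    v = normalize(value)
    return bool(TAG_RE.search(v) or EVENT_ATTR_RE.search(v))


def render_search_term(term: str) -> str:
    """The real fix: contextual output encoding of the reflected parameter.

    `term` is the already URL-decoded query value as the web framework hands
    it to the application; html.escape turns < > & " ' into entities so the
    browser renders text, not markup, whatever the WAF did or did not catch.
    """
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def compare_filters() -> dict:
    """Return {input: (naive_blocked, normalized_blocked)} for every sample."""
    return {s: (naive_waf_blocks(s), normalized_waf_blocks(s)) for s in SAMPLES}


if __name__ == "__main__":
    for sample, (naive, normalized) in compare_filters().items():
        print(f"{sample!r:40} naive={naive!s:5} normalized={normalized}")
    print(render_search_term("<svg onload=alert()>"))
```

Running it reproduces the post's observations: the literal check blocks `<script>alert(1)</script>` and `<svg onload=alert()>` but waves through `%3cscript>alert(1)%3c%2fscript>` and `%3csvg onload%3dalert()>`, while the normalizing check catches all of them, including the double-encoded variant, and still passes the benign strings. Even the normalized check is a blocklist and will have gaps; output encoding in `render_search_term` is the control that does not depend on guessing what the attacker will type.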
Without encoding it looks like this
If you enter this payload, nothing will happen
But as soon as you try to cut some text from the webpage..
You will see the miracle of XSS!
Thanks for reading the article! It is actually based on an XSS challenge held in the Ultimate Hackers Facebook group, where members competed against each other to XSS with the shortest payload.
Well, that's all for now! I hope you learned something new today!