6. xss_fuzz+wafbypass


layout: post
title: 6. xss_fuzz+wafbypass
category: SRC
tags: SRC
keywords: SRC,XSS

Preface

This is the sixth short write-up recording a real SRC submission process; this one covers an XSS WAF bypass on a certain website.

Characteristics of the target

The injection point is a callback parameter, found while roaming the whole site. The WAF is very strong: many tags cannot be used at all (script, frame, body, style); as soon as one of them appears, the WAF fires immediately. The img tag does get through, so I tried to bypass with that tag, and found that the javascript: form was caught by the WAF. I wanted to get around that with encoding and found that &# was blocked as well; OK, switched to Unicode encoding, and found that ; was blocked too. Wow. OK, stuck.

Event triggered fuzz

Next I considered event handlers, i.e. on* attributes, but basically every one I tested by hand was caught by the WAF. Fine: how many on* handlers are there in total? Collect them all and brute-force fuzz; I don't believe the developers took every case into account. I collected more than a hundred. That seemed not quite enough; Camaro said there are more than 150, but it doesn't matter, let's fuzz first and think again if it isn't enough.

OK, there did turn out to be a fish that slipped through the net. I'll skip the others and only talk about the one that survived in the end: the onwheel event.
The onwheel event fires when the mouse wheel is scrolled over the element. In other words, use img directly and make the image large so the wheel lands on it.
The final payload:
<img src=x width=1000 height=1000 onwheel=alert.call(null,1)>
There is a small tip here: when alert() in that form is filtered, the alert.call(null,1) form above can be used to bypass it.
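As an added example (not from the original post), the defender's reading of this result: a WAF rule that names individual on* handlers is a denylist and misses any handler its author forgot, onwheel included, while the actual fix for a callback parameter is to accept only identifier-shaped names so that markup never reaches the response. The handler denylist, the shape-based rule and the sample inputs are constructed here for illustration.

```javascript
// Added example, not from the original post. Contrasts a handler-name denylist
// (the WAF behaviour described above) with a shape-based rule and with proper
// validation of a JSONP "callback" parameter. All lists and samples are constructed.

// Hypothetical denylist of individual event handlers, as a WAF rule might name them.
const HANDLER_DENYLIST = ['onclick', 'onload', 'onerror', 'onmouseover', 'onfocus'];

function denylistBlocks(input) {
  const lower = input.toLowerCase();
  return HANDLER_DENYLIST.some(h => lower.includes(h));
}

// Shape-based rule: any on<letters>= attribute, whatever the handler name.
const ON_ATTR = /\bon[a-z]+\s*=/i;

function genericBlocks(input) {
  return ON_ATTR.test(input);
}

// Allowlist for the callback name itself: dotted JavaScript identifiers only,
// so angle brackets, quotes and parentheses can never reach the response body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Builds the JSONP response; rejects anything that is not an identifier.
function renderJsonp(callback, data) {
  if (!isValidCallbackName(callback)) throw new Error('invalid callback name');
  return `${callback}(${JSON.stringify(data)});`;
}

// Constructed inputs; the last one is the payload from the post.
const SAMPLES = [
  'jQuery123_cb',
  'window.parent.handle',
  '<img src=x onerror=alert(1)>',
  '<img src=x width=1000 height=1000 onwheel=alert.call(null,1)>',
];

// Runs every input through the three checks for side-by-side comparison.
function evaluate(samples) {
  return samples.map(input => ({
    input,
    denylist: denylistBlocks(input),
    generic: genericBlocks(input),
    validCallback: isValidCallbackName(input),
  }));
}
```

Running evaluate(SAMPLES) shows the third sample caught by both rules but the fourth caught only by the shape-based rule; isValidCallbackName rejects both payloads regardless of which handler they carry.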

Afterword

Huge props to Camaro!

Source: blog.csdn.net/xiru9972/article/details/112760184