
Evading All Web Application Firewalls And XSS Filters Part 1






Imperva Incapsula [intro]:


During tests, I noticed that the Imperva Incapsula XSS filter protects against common XSS payloads. For instance, the following payloads are blacklisted: when an attacker inputs a common payload such as <script>alert(1)</script>, the request is blocked, and <img/src="x"/onerror="alert(1)"> is blocked as well. Meanwhile, <img src=x onerror="input"> is not detected. The only remaining obstacle to bypassing the filter is finding an action to run inside the error handler. alert(), prompt(), confirm(), and eval() were all blocked, so an attacker would have to look for other alternatives to create a proof of concept showing the existence of a cross-site scripting vulnerability.

0.1 First Bypass:



Double URL Encoding + HTML Encoding + Unicode Encoding (All Modern Browsers)
The first bypass was identified using a payload that mixes HTML encoding and double URL encoding: the action part of the payload was encoded with HTML entities and then double-URL-encoded. Double URL encoding works against servers that URL-decode the client's input more than once.


%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E

0.2 Second Bypass:



JS-F**K Payload (All Modern Browsers)
The second bypass is based on JS-F**K, a technique introduced to write JavaScript using only 7 characters. The payload uses the same structure as the first one, with slight changes.


<img/src="x"/onerror="[JS-F**K Payload]"> It takes roughly 1,230 characters to execute the alert() function. The payload is not limited in the actions it can perform; its only obstacle is its length. Most servers restrict the length of a GET request URL, so the payload works better when it can be delivered in a POST request. Other than that, the payload seems to be a perfect solution for evading Imperva's Incapsula WAF.
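Both bypasses above work because the filter matches the raw request rather than what the browser eventually executes. The following example is added here for the defender's side and is not code from the original post or from Imperva: it canonicalizes input by repeatedly URL-decoding, HTML-entity-decoding and resolving JavaScript \uXXXX escapes until the string stops changing, then inspects on* event-handler attributes for the blacklisted sinks named in the text (alert, prompt, confirm, eval) and flags handler bodies built only from the characters `[]()!+`, the alphabet the JS-F**K technique is generally documented as using. The function names, thresholds and the benign and JS-F**K-like samples are constructed for this demo; the double-encoded sample is the payload quoted on this page.

```python
import html
import re
from urllib.parse import unquote

# Sinks the post reports as blacklisted by the filter.
BLOCKED_SINKS = ("alert", "prompt", "confirm", "eval")

# Characters JS-F**K style payloads are typically composed of (assumption for this heuristic).
JSFUCK_ALPHABET = set("[]()!+")

# Constructed samples. The first is the payload quoted on this page; the other two are made up here.
PAYLOAD_DOUBLE_ENCODED = (
    "%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B"
    "%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E"
)
BENIGN_HANDLER = '<img src=x onerror="input">'
JSFUCK_LIKE = '<img/src="x"/onerror="' + "[]+![]()" * 6 + '">'

# Matches an on* attribute and captures its value (double-quoted, single-quoted or bare).
HANDLER_RE = re.compile(r'\bon\w+\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)

# Matches a JavaScript \uXXXX escape.
JS_UNICODE_RE = re.compile(r'\\u([0-9a-fA-F]{4})')


def decode_js_unicode(s: str) -> str:
    """Resolve \\uXXXX escapes (e.g. prom\\u0070t -> prompt); 4-hex-digit form only."""
    return JS_UNICODE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Decode URL, HTML entity and JS unicode layers repeatedly until the string is stable.

    Bounded rounds stop pathological inputs from looping; anything still
    encoded after max_rounds is suspicious in its own right.
    """
    cur = raw
    for _ in range(max_rounds):
        nxt = decode_js_unicode(html.unescape(unquote(cur)))
        if nxt == cur:
            break
        cur = nxt
    return cur


def handler_bodies(canon: str) -> list:
    """Return the values of all on* attributes found in canonicalized markup."""
    return [next(g for g in m.groups() if g is not None) for m in HANDLER_RE.finditer(canon)]


def find_handler_sinks(canon: str) -> list:
    """List blacklisted sinks that are called inside any event handler attribute."""
    hits = []
    for body in handler_bodies(canon):
        for sink in BLOCKED_SINKS:
            if re.search(r'\b' + sink + r'\s*\(', body):
                hits.append(sink)
    return hits


def looks_like_jsfuck(body: str, min_len: int = 32) -> bool:
    """Flag a handler body that is long and drawn only from the JS-F**K alphabet."""
    body = body.strip()
    return len(body) >= min_len and set(body) <= JSFUCK_ALPHABET


def analyze(raw: str) -> dict:
    """Canonicalize one input and report which checks fire; useful as a WAF rule prototype."""
    canon = canonicalize(raw)
    return {
        "canonical": canon,
        "sinks": find_handler_sinks(canon),
        "jsfuck": any(looks_like_jsfuck(b) for b in handler_bodies(canon)),
    }


if __name__ == "__main__":
    for sample in (PAYLOAD_DOUBLE_ENCODED, BENIGN_HANDLER, JSFUCK_LIKE):
        print(analyze(sample))
```

The first sample only reveals prompt('XSS') after the second decoding round, which is exactly the gap a single-pass filter leaves; the benign sample passes both checks, and the JS-F**K-like sample is caught by the alphabet check even though it names no sink at all.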



This was the first part of our series! You may continue to learn more about XSS filters in the following parts.

Thank You !
