[ CVE-2023–26046 & CVE-2023–26047 ] XSS Bypass WAF at teler-waf

Aidil Arief
5 min read · Mar 4, 2023

Hi Everyone,

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks and improve the security of Go-based web applications.

teler-waf is a security layer for Go-based web applications. It acts as HTTP middleware and provides an easy-to-use interface for wiring teler IDS into an existing Go application. With it in front of a handler, requests carrying common web attacks such as cross-site scripting (XSS) and SQL injection can be detected and blocked.

source : https://github.com/kitabisa/teler-waf

When I saw an article from PortSwigger that mentioned teler-waf, I got curious and decided to take a look at it myself.

I started by trying XSS against teler-waf. Here is what happened with each of the following payload patterns:

1. “onclick=

First GIF

As the GIF above shows, when the client sends the payload “onclick= , the WAF detects it and blocks the request.

2. “test ontest=

Second GIFs

As the GIF above shows, the payload “test ontest= worked and was not detected by the WAF. As soon as a double quote ( “ ) is added as the handler value, however, the WAF detects it and blocks the request.

3. “test ontest=’test

Third GIF

As the GIF above shows, the payload “test ontest=’test worked and the WAF did not detect it: a single quote ( ‘ ) as the handler value passes, where a double quote is blocked. That gave me the scheme to build a working XSS on top of.

Now I’m going to turn that scheme into working XSS on teler-waf. The two bypasses below became CVE-2023–26046 and CVE-2023–26047.

  1. CVE-2023–26046

From the Third GIF above I have a payload scheme that passes the WAF. The following attempts were made to trigger XSS for this CVE:

a. First try

“autofocus onclick=’alert()

On the first try the alert() call was detected by the WAF and the request was blocked, so the next try has to bypass that check.

b. Second Try

“autofocus onclick=’alert()’

On this second try I wrote alert() with HTML entities (shown above as the browser renders it, with the entities already decoded). The HTML parser decodes character references inside an attribute value before the handler is evaluated, so the browser still runs alert() while the literal-match rule in the WAF never sees the string alert. The payload went through undetected.

For CVE-2023–26046 the teler-waf security team recommends updating installations to version v0.1.1.


2. CVE-2023–26047

A few minutes after I reported CVE-2023–26046, Dwi Siswanto of the teler-waf security team informed me that the finding had been fixed.

I went back to try to bypass the fix. The following attempts were made to trigger XSS for this CVE:

a. First Try

“autofocus onclick=’alert()’

Sure enough, the patch worked: the WAF now detects HTML entities in the handler value and blocks the request. Time to look for another bypass.

b. Second Try

“autofocus onFocUs=’find(l\u{6F}cati\u{6F}n=`j	avascr
ipt:al	ert()`)’

On this second try I redirect to a javascript: URL to trigger the alert, and I combine Unicode escapes with HTML entities to hide the two tokens the WAF looks for:

[+] l\u{6F}cati\u{6F}n

Here I use a Unicode escape to hide location from WAF detection. \u{6F} is the letter o, and ES2015 allows \u{...} escapes inside identifiers, so the JavaScript engine reads l\u{6F}cati\u{6F}n as location while a rule that matches the literal word never sees it.

[+] j	avascr
ipt:al	ert()

Here I use HTML entities to hide the javascript: protocol (and the second alert) from WAF detection. The entities decode to a tab and a newline inside the attribute value, and the browser's URL parser strips ASCII tab, LF and CR from anywhere in a URL before resolving it, so j<TAB>avascr<LF>ipt:al<TAB>ert() is navigated as javascript:alert(). The WAF, matching on the raw input, sees neither javascript: nor alert.

I managed to bypass the patched WAF again, and this finding was assigned CVE-2023–26047.
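Both bypasses above have the same root cause: the rule matched the raw request, while the browser decodes the payload (HTML character references, JavaScript Unicode escapes, tab/newline stripping in URLs) before it runs. The following Go program is an added example, not teler-waf's code, that puts a deliberately naive token rule (a hypothetical stand-in, not teler-waf's real rule set) next to the same rule run after browser-style normalization. The three payloads are constructed for this example and modelled on the two bypasses; the post does not state which entities the author used, so the entity and escape choices here are mine.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strconv"
	"strings"
)

// dangerousTokens is a deliberately naive signature standing in for a rule that
// matches attack tokens literally. Hypothetical, not teler-waf's real rule set.
var dangerousTokens = regexp.MustCompile(`(?i)\b(alert|location|javascript:)`)

// jsUnicodeEscape matches the ES2015 \u{XXXX} form and the classic \uXXXX form.
var jsUnicodeEscape = regexp.MustCompile(`\\u\{([0-9a-fA-F]{1,6})\}|\\u([0-9a-fA-F]{4})`)

// Normalize approximates the decoding a browser applies between the raw
// attribute value and the JavaScript engine:
//  1. HTML character references in an attribute value are decoded by the HTML
//     parser (&#97;lert -> alert), which is what CVE-2023-26046 relied on.
//  2. \u{..} escapes are legal inside JavaScript identifiers, so
//     l\u{6F}cati\u{6F}n is the identifier location.
//  3. The URL parser strips ASCII tab, LF and CR anywhere in a URL, so
//     j<TAB>avascr<LF>ipt:al<TAB>ert() becomes javascript:alert().
// Steps 2 and 3 are what CVE-2023-26047 relied on.
func Normalize(s string) string {
	s = html.UnescapeString(s)
	s = jsUnicodeEscape.ReplaceAllStringFunc(s, func(m string) string {
		sub := jsUnicodeEscape.FindStringSubmatch(m)
		hexDigits := sub[1]
		if hexDigits == "" {
			hexDigits = sub[2]
		}
		cp, err := strconv.ParseUint(hexDigits, 16, 32)
		if err != nil {
			return m
		}
		return string(rune(cp))
	})
	// Applied to the whole string for simplicity; a real engine would limit
	// this to URL contexts to avoid false positives on ordinary text.
	return strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(s)
}

// NaiveMatch runs the signature on the raw input, as a literal-match rule would.
func NaiveMatch(payload string) bool { return dangerousTokens.MatchString(payload) }

// NormalizedMatch runs the same signature after browser-style decoding.
func NormalizedMatch(payload string) bool { return dangerousTokens.MatchString(Normalize(payload)) }

// Constructed payloads modelled on the post's attempts: the one that was
// blocked, an entity-encoded alert (CVE-2023-26046 style) and the Unicode
// escape plus tab/newline variant (CVE-2023-26047 style).
var (
	BlockedPayload = "\"autofocus onclick='alert()'"
	EntityPayload  = "\"autofocus onclick='&#97;lert()'"
	UnicodePayload = "\"autofocus onFocUs='find(l\\u{6F}cati\\u{6F}n=`j&#9;avascr&#10;ipt:al&#9;ert()`)'"
)

func main() {
	for _, p := range []string{BlockedPayload, EntityPayload, UnicodePayload} {
		fmt.Printf("raw:        %q\n", p)
		fmt.Printf("normalized: %q\n", Normalize(p))
		fmt.Printf("naive=%v normalized=%v\n\n", NaiveMatch(p), NormalizedMatch(p))
	}
}
```

Running it shows the naive rule catching only the plain alert() while the normalized rule catches all three. The caveat is the one in the comment: decoding steps such as stripping tab and newline are context dependent (they are correct for URLs, not for arbitrary text), so a production rule set has to apply each transformation only where the browser would, or it trades bypasses for false positives.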

For CVE-2023–26047 the teler-waf security team recommends updating installations to version v0.2.0.

